Two VPN tunnels but only one starts

7b.schappel
Level 1

I have an ASA5505 that I need to connect to two remote networks. I worked through getting the first tunnel to my HQ working. I need to now add a remote office. My HQ and the remote office both use SonicWALL PRO2040 devices, same firmware and OS.

I used the working tunnel config to create the second tunnel. The first tunnel starts and works perfectly. When I try to send traffic to the remote office the second tunnel never even starts.

I look in the logs at both ends (I gain access to the remote location via a software client) and there are no exchanges between my ASA and the PRO2040.

What more might I need to do to get the ASA to start the tunnel?

I'm running 8.0 on my ASA. All the SW's are 4.0.0.2 Enhanced.

Accepted Solution

Hi,

OK, so connections to the remote networks need to have a nat 0 applied to them. In your config your nat 0 looks like this:

nat (inside) 0 access-list outside_cryptomap

In order to get your new VPN to work, you will need to apply this to the new traffic; however, you will need to create a new ACL for the nat 0 statement. The commands you will need to complete this are as follows:

access-list nonat extended permit ip inside-network 255.255.255.0 my-hq 255.255.248.0

access-list nonat extended permit ip inside-network 255.255.255.0 office2 255.255.255.0

no nat (inside) 0 access-list outside_cryptomap

nat (inside) 0 access-list nonat

clear xlate

Everything else looks ok, so that should do it :)
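Added example, not from this thread or from Cisco: a small Python check, run against an ASA 8.0 config fragment in the syntax shown above (constructed, hypothetical addresses), that reports every crypto-map ACE not covered by the ACL referenced in "nat (inside) 0 access-list". Traffic that is NATed instead of exempted never matches the crypto ACL, which is why the second tunnel never initiated.

```python
import re
from ipaddress import ip_network

# Constructed config (hypothetical addresses) reproducing the thread's problem:
# two crypto ACLs, but the nat 0 exemption ACL only covers the HQ network.
SAMPLE_CONFIG = """
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.248.0
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list outside_cryptomap
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 2 match address outside_cryptomap_1
"""

# The same config after applying the fix from the accepted answer (new nonat ACL).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "nat (inside) 0 access-list outside_cryptomap",
    "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.248.0\n"
    "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.5.0 255.255.255.0\n"
    "nat (inside) 0 access-list nonat")

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{s}/{sm}", strict=False), ip_network(f"{d}/{dm}", strict=False)))
    return acls


def missing_nat_exemptions(config):
    """Crypto-map ACEs whose src->dst pair is not inside any nat 0 exempt ACE."""
    acls = parse_acls(config)
    exempt, crypto_acls = [], []
    for line in (l.strip() for l in config.splitlines()):
        if m := NAT0_RE.match(line):
            exempt += acls.get(m.group(1), [])
        if m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(1))
    return [f"{name}: {src} -> {dst}"
            for name in crypto_acls for src, dst in acls.get(name, [])
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)]


if __name__ == "__main__":
    for item in missing_nat_exemptions(SAMPLE_CONFIG):
        print("not NAT-exempt, tunnel will never be triggered:", item)
```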


5 Replies

brettmilborrow
Level 1

Can you post a sanitized copy of the config?

Config is attached.

I should mention that the VPN to XX.XX.XX.XX is the one that works.


That took care of the problem. Thanks so much.