New Member

Asa 5510 Remote access VPN issue

Hi all!!!

I need to organize 2 types of access between 2 ASA 5510s: site-to-site and remote access. The VPN peers are the same for both situations.

One of the peers has IP address 1.1.1.1 and the other has 2.2.2.2 (sw version 9.1(3)).

Peer 1.1.1.1 has the 192.168.1.0/24 network and peer 2.2.2.2 has 172.16.1.0/24 (interface inside) and 172.16.2.0/24 (interface DMZ).

I need the following configuration:

192.168.1.0/24 must have access to 172.16.1.0/24 via site-to-site VPN.

Also, 192.168.0.24 needs access to 172.16.2.0/24 via RA VPN.

When I configure ONLY ONE TYPE of VPN tunnel, it works, but I need BOTH TYPES of VPN at the same time.

In the log window I see the following errors:

%ASA-6-713905: Group = UserGroup, Username = User, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.

%ASA-3-713061: Group = UserGroup, Username = User, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.2.0/255.255.255.0//0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

The upgrade of ASA 2.2.2.2 was done a short time ago. It ran sw 8.2(x) before, and both VPNs worked correctly. After the upgrade I received the errors above.

How can I solve this issue? (SSL VPN is not a solution; IPsec is required.)

Thanks in advance.

2 REPLIES
New Member

Asa 5510 Remote access VPN issue

No ideas?

New Member

Re: Asa 5510 Remote access VPN issue

Solved.

Static NAT is the solution.

I have created a rule as follows:

nat (inside,outside) source static 192.168.1.0_24 2.2.2.2 destination static 172.16.1.0_24 172.16.1.0_24 no-proxy-arp
