Cisco Support Community

New Member

ASA VPN Tunnel with NAT - Works but ASA inside interface has no communication

I followed this document to set up a VPN tunnel with NAT:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html

It works for hosts behind each firewall, but I cannot communicate with the remote ASA inside interface (tested with ping and telnet).

What do I need to make the ASA inside interface accessible from the remote VPN LAN?

5 REPLIES
New Member

Hi,

Try adding "management-access inside" on the ASA to access inside.

-Altaf

New Member

Already had that in my config.

Also have "inspect icmp" in my global_policy class inspection_default section.

New Member

Hi,

In the NAT-Exempt in nat, can you try adding the route-lookup keyword and check?

-Altaf

New Member

I don't have NAT exempt:

no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.16.2.0  access-list policy-nat
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00

Hi,

In this case, you will still need to add the NAT exempt, as follows:

access-list nonat permit ip <Inside_subnets> <remote_subnets>
nat (inside) 0 access-list nonat

Then also make sure that you have the SSH and Telnet configuration allowing the access.

Just for a quick test:

- telnet 0.0.0.0 0.0.0.0 inside
- ssh 0.0.0.0 0.0.0.0 inside
- aaa authentication ssh console LOCAL
- aaa authentication telnet console LOCAL

If you don't have an RSA key:

- crypto key generate rsa modulus 2048

Then if that works, go ahead and add the pertinent subnets that should access SSH or Telnet.

Please don't forget to rate, and mark as correct the helpful post!

Regards,
David Castro
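The thread above reduces to three checks on an ASA 8.2-era running-config: "management-access" on the inside interface, a nat 0 (NAT-exempt) rule whose ACL actually exists, and SSH/Telnet access lines that are both authenticated and narrowed to real subnets once the 0.0.0.0 0.0.0.0 "quick test" is done. The script below is an added example, not code from the thread, from Cisco, or from the original poster; it is a small offline config audit over two constructed configs (the "before" one assembled from the lines quoted in the thread with hypothetical management ACL lines, the "after" one with hypothetical 192.168.1.0/24 and 10.10.10.0/24 subnets), and it assumes the pre-8.3 "nat (iface) 0 access-list" syntax the thread uses.

```python
"""Audit an ASA 8.2-style running-config for the items discussed in the thread:
management-access, a NAT-exempt (nat 0) rule backed by an ACL, and SSH/Telnet
access lines that are authenticated and not left at 0.0.0.0 0.0.0.0."""
import re
from typing import Dict, List

# Constructed sample configs (hypothetical subnets), not taken from the poster's ASA.
CONFIG_BEFORE = """\
management-access inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.16.2.0 access-list policy-nat
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
aaa authentication ssh console LOCAL
"""

CONFIG_AFTER = """\
management-access inside
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
ssh 10.10.10.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
"""

ANY_SCOPE = ("0.0.0.0", "0.0.0.0")


def audit(config: str) -> Dict[str, List[str]]:
    """Return config lines that are missing and access lines that are too broad."""
    findings: Dict[str, List[str]] = {"missing": [], "too_permissive": []}
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # management-access lets VPN peers reach the named interface's own address.
    if not any(ln.startswith("management-access ") for ln in lines):
        findings["missing"].append("management-access <interface>")

    # nat 0 keeps VPN traffic out of the PAT pool; the ACL it names must exist.
    nat0 = [m for m in (re.match(r"nat \((\S+)\) 0 access-list (\S+)$", ln)
                        for ln in lines) if m]
    if not nat0:
        findings["missing"].append("nat (inside) 0 access-list <acl>")
    for m in nat0:
        acl = m.group(2)
        if not any(ln.startswith(f"access-list {acl} ") for ln in lines):
            findings["missing"].append(f"access-list {acl} ...")

    # ssh/telnet <ip> <mask> <iface>: flag any-any scopes, require a matching aaa line.
    enabled = set()
    for ln in lines:
        m = re.match(r"(ssh|telnet) (\S+) (\S+) (\S+)$", ln)
        if not m:
            continue
        proto, ip, mask, _iface = m.groups()
        enabled.add(proto)
        if (ip, mask) == ANY_SCOPE:
            findings["too_permissive"].append(ln)
    for proto in sorted(enabled):
        if not any(ln.startswith(f"aaa authentication {proto} console") for ln in lines):
            findings["missing"].append(f"aaa authentication {proto} console LOCAL")
    return findings


def is_clean(config: str) -> bool:
    """True when nothing is missing and no access line is left wide open."""
    f = audit(config)
    return not f["missing"] and not f["too_permissive"]


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, audit(cfg))
```

Run against the "before" config it reports the missing nat 0 rule, the missing Telnet AAA line and both any-any access lines; the "after" config, which carries the NAT exempt from the reply above and an SSH line scoped to the remote VPN subnet, passes clean. The regex only matches four-token ssh/telnet lines, so "ssh version 2" or "ssh timeout 5" are not mistaken for access entries.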

545 Views | 0 Helpful | 5 Replies