We have set up a L2L VPN between a cisco 877 and an ASA 5505.
On the 877 side we have :
dialer 0 : connect to internet and has a dynamic IP given by ISP
Loopback1 : has a static IP from the assigned Public IP range .
Vlan 1: has a static private IP for the LAN
FE3 : Interface connected to LAN
We have the following problem.
We have applied the crypto map to the Loopback interface and with this configuration we can reach the router's internal interface (VLAN 1 IP) from the ASA internal network, but other than that we cannot reach any host on the inside LAN of the router.
If we apply the crypto map to the FE3 interface we can also ping the internal LAN, but we lose half the pings and the round trip is high (500-800 ms instead of 70-80 ms when applied only to Loopback 1).
So I need help on this. What should be the correct configuration to have it all working fine?
thanks in advance
Do you have "ip nat outside" on your loopback interface when the crypto map is applied, and configured ACL (NAT exemption) to deny traffic between internal subnet towards the ASA remote LAN?
Yes, I have "ip nat outside" on the Lo interface.
Regarding the ACL, I have an ACL on the crypto map to identify the interesting traffic. Do you mean that, or another ACL applied directly to the Lo interface?
Can you provide an example?
No, I mean the ACL that you assign to your NAT statement. Does it have a deny statement between your internal network towards the ASA remote LAN?
I'm checking. Meanwhile I noticed that there's also an "ip nat outside" on the Dialer 0 interface. Should I remove it, or won't it affect the problem?
No one should browse the internet from this connection; it should only be used as a VPN to the main office.
As for the ACL, we have this ACL:
access-list 130 deny ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 130 deny ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 130 permit ip 192.168.110.0 0.0.0.255 any
and this NAT (the original post had "loopback 1overload" run together; the interface name and the overload keyword are separate tokens):
ip nat inside source list 130 interface Loopback1 overload
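The reason the NAT exemption ACL matters is the order of operations on IOS: for inside-to-outside traffic, NAT translation happens before the crypto map's ACL is consulted, so if LAN traffic bound for the ASA side is translated to the Loopback1 address it no longer matches the crypto ACL and is sent in the clear (and then fails). The following Python script is an added illustration, not code from the thread or from Cisco: it parses wildcard-mask ACL lines, simulates the "ip nat inside source list 130 ... overload" decision, and then checks whether the (possibly translated) packet would still match the crypto ACL. ACL 130 is copied from the post above; the crypto ACL number 120 and the Loopback1 address 203.0.113.10 are constructed placeholders, since neither is shown in the thread.

```python
import ipaddress

# NAT exemption list exactly as posted in the thread
ACL_130 = """
access-list 130 deny ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 130 deny ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 130 permit ip 192.168.110.0 0.0.0.255 any
"""

# Same list with the two deny lines missing (the misconfiguration being asked about)
ACL_130_NO_EXEMPTION = """
access-list 130 permit ip 192.168.110.0 0.0.0.255 any
"""

# Constructed crypto ACL (assumption: the thread does not show the real one)
CRYPTO_ACL = """
access-list 120 permit ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 120 permit ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
"""

# Constructed placeholder for the static public address on Loopback1
LOOPBACK1_IP = "203.0.113.10"


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks: 0 bits must match."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _parse_addr(tok, idx):
    if tok[idx] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), idx + 1
    if tok[idx] == "host":
        return ipaddress.ip_network(tok[idx + 1] + "/32"), idx + 2
    return wildcard_to_network(tok[idx], tok[idx + 1]), idx + 2


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action = tok[2]
        src, idx = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, idx)
        entries.append((action, src, dst))
    return entries


def acl_matches(entries, src, dst):
    """First-match semantics with the implicit deny at the end, as on IOS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action
    return "deny"


def apply_nat(nat_entries, src, dst, outside_ip):
    """Simulate 'ip nat inside source list <n> interface Loopback1 overload':
    a 'permit' result means the source is translated to the outside address."""
    if acl_matches(nat_entries, src, dst) == "permit":
        return outside_ip
    return src


def would_be_encrypted(nat_entries, crypto_entries, src, dst, outside_ip):
    """Inside-to-outside on IOS: NAT runs first, then the crypto ACL is checked
    against the translated packet. Returns True if the VPN would carry it."""
    translated_src = apply_nat(nat_entries, src, dst, outside_ip)
    return acl_matches(crypto_entries, translated_src, dst) == "permit"


if __name__ == "__main__":
    nat_ok = parse_acl(ACL_130)
    nat_bad = parse_acl(ACL_130_NO_EXEMPTION)
    crypto = parse_acl(CRYPTO_ACL)
    for label, nat in (("with exemption", nat_ok), ("without exemption", nat_bad)):
        enc = would_be_encrypted(nat, crypto, "192.168.110.5", "10.80.5.20", LOOPBACK1_IP)
        print(f"{label}: LAN host -> ASA LAN encrypted = {enc}")
    print("internet-bound source after NAT:",
          apply_nat(nat_ok, "192.168.110.5", "198.51.100.1", LOOPBACK1_IP))
```

Running it shows that with the two deny lines the LAN-to-remote traffic keeps its private source and matches the crypto ACL, while without them it is translated to the Loopback1 address and falls outside the crypto ACL; ordinary internet-bound traffic is translated in both cases, which is what the overload statement is for.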
OK, so I assume 10.80.5.0/24 and 192.168.80.0/24 are your remote subnets, and 192.168.110.0/24 is your internal subnet.
Since you mentioned that this router is not used for Internet, then I assume that you have another device/router that serves the internet, hence, I believe your internal hosts' default gateway is not this vpn router.
You would need to route traffic towards 10.80.5.0/24 and 192.168.80.0/24 to this router internal interface (vlan 1 ip address).