05-17-2009 11:19 PM
Hi techs, I am trying to pinpoint what could be the issue between my Cisco ASA 5510 and a remote Cisco rtr L2L VPN. The tunnel is successfully established, but when I ping the remote LAN from my LAN no packets are going through. The reverse is also true. I've tried packet tracer troubleshooting on the ASDM and I have noted the NAT-exemption rule is not being used even though I have configured it; instead it's going straight to NAT rule 1, which is a PAT. Someone please give an insight into this problem. Funny enough, I have 6 other tunnels which are working perfectly.
05-19-2009 06:08 AM
We're gonna need to see your config for this particular VPN, specifically the 'crypto map' and 'NAT exemption'.
05-19-2009 06:52 AM
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.102.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map outside_map0 3 match address outside_cryptomap
crypto map outside_map0 3 set pfs group2
crypto map outside_map0 3 set connection-type bi-directional
crypto map outside_map0 3 set peer X.X.X.X
crypto map outside_map0 3 set transform-set ESP-3DES-MD5
crypto map outside_map0 3 set security-association lifetime seconds 28800
crypto map outside_map0 3 set security-association lifetime kilobytes 4608000
crypto map outside_map0 3 set inheritance rule
crypto map outside_map0 3 set phase1-mode main
crypto map outside_map0 3 set reverse-route
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key 1234
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2
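Added example (not from this thread or Cisco): a small Python model of how the ASA consults the nat 0 exemption ACL before the regular/PAT rules for a flow, using the ACL and nat statements posted above. The `nat (inside) 1 0.0.0.0 0.0.0.0` line is an assumed placeholder for the PAT rule the poster mentions.

```python
import ipaddress
import re

# Constructed excerpt mirroring the posted ACL and nat statements.
# The "nat (inside) 1" line is an assumed stand-in for the PAT rule.
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.102.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# ASA ACEs use a subnet mask (not an IOS wildcard) after each address.
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, src, src_mask, dst, dst_mask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{src_mask}"),
                ipaddress.ip_network(f"{dst}/{dst_mask}"),
            ))
    return acls


def nat0_acl_for(config, interface):
    """Name of the ACL bound by 'nat (<interface>) 0 access-list', if any."""
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m and m.group(1) == interface:
            return m.group(2)
    return None


def nat_decision(config, interface, src, dst):
    """Model the lookup order: nat 0 exemption ACL first, then PAT (rule 1)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_name = nat0_acl_for(config, interface)
    for src_net, dst_net in parse_acls(config).get(acl_name, []):
        if src_ip in src_net and dst_ip in dst_net:
            return f"nat-exempt ({acl_name})"
    return "nat (inside) 1 PAT"
```

If this model says a flow is exempt but packet-tracer on the box still lands on the PAT rule, compare the running `nat (inside) 0` statement and the ACL it references against what was pasted.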
05-19-2009 06:59 AM
Another strange pointer is that when I do a ping from the firewall, sourcing it from the firewall's inside interface IP (192.168.60.1), the ping is successful, and also when the guys from the remote end ping that IP they get replies. It's only when we ping anything behind that interface, though, in the same subnet. In the LAN the DG points to the firewall's IP (192.168.60.1), so it's nothing to do with routing.
05-21-2009 03:28 PM
Do you have nat-control enabled?
Regards,
Carlos Roque
05-23-2009 06:14 AM
Yes, nat-control is enabled.