L2L VPN issue on Cisco ASA 8.4

We are configuring an ASA 5505 running version 8.4 to connect to another site via an L2L IPsec VPN. The subnet at the ASA site is 192.168.1.0/24 and the remote side is 192.168.100.0/24. However, the 192.168.100.0/24 side already has another VPN with a site that uses 192.168.1.0/24, so we were going to NAT our local subnet to 192.168.25.0/24, so the interesting traffic would look like this:

192.168.25.0/24 <-> 192.168.100.0/24

The VPN establishes, but the traffic does not appear to be working. My NAT statement is as follows:

nat (inside,outside) source static obj-192.168.1.0 obj-192.168.25.0 destination static obj-192.168.100.0 obj-192.168.100.0

Does this look right?

7 REPLIES

Re: L2L VPN issue on Cisco ASA 8.4

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.25.0
 subnet 192.168.25.0 255.255.255.0
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0

nat (inside,outside) source static obj-192.168.1.0 obj-192.168.25.0 destination static obj-192.168.100.0 obj-192.168.100.0

"Does this look right?"

Yes, it looks fine to me.

Please bear in mind that your crypto ACL must use your NATed subnet as the local subnet.

thanks
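A complete version of the configuration the reply above describes, as an added example that is not from the original thread or from Cisco documentation. The three objects and the NAT rule are the thread's own; the ACL and crypto map names, the IKEv1 policy values, the peer address 203.0.113.1 (a documentation placeholder) and the pre-shared-key placeholder are assumptions. The verification commands at the end show how to confirm which NAT rule a packet hits and whether traffic is actually being encrypted and returned.

```text
! --- Objects (as posted in the thread) ---
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.25.0
 subnet 192.168.25.0 255.255.255.0
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0

! --- Twice NAT (manual NAT, section 1) ---
! Translate the real inside subnet to 192.168.25.0/24 ONLY when the destination
! is the remote VPN subnet. The destination is left untranslated: the same object
! appears on both sides of "destination static" (identity mapping).
! The "1" inserts the rule at the top of section 1 so that no broader manual NAT
! rule placed above it can match this traffic first.
nat (inside,outside) 1 source static obj-192.168.1.0 obj-192.168.25.0 destination static obj-192.168.100.0 obj-192.168.100.0

! --- Crypto ACL: uses the TRANSLATED local subnet ---
! On ASA 8.3+ NAT is applied before the packet is matched against the crypto map
! on the egress interface, so the ACL must describe the post-NAT source.
! (ACL name is an assumption.)
access-list VPN-TO-REMOTE extended permit ip 192.168.25.0 255.255.255.0 192.168.100.0 255.255.255.0

! --- IKEv1 / IPsec (all values below are assumptions; the thread gives none) ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE-MAP 10 match address VPN-TO-REMOTE
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <strong-psk>

! --- Verification (run from enable mode) ---
! 1. Simulate an inside host talking to the remote subnet. The output lists each
!    phase; confirm the NAT phase shows the rule above (source 192.168.1.0 ->
!    192.168.25.0) and that the VPN phase is reached with "Action: allow".
packet-tracer input inside tcp 192.168.1.10 12345 192.168.100.10 80 detailed

! 2. Per-rule hit counters: the twice NAT rule should increment, not some other rule.
show nat detail

! 3. SA counters: "#pkts encaps" rising with "#pkts decaps" stuck at 0 means the
!    local side is encrypting but the remote side is not sending anything back,
!    i.e. its crypto ACL or routing for 192.168.25.0/24 is wrong.
show crypto ipsec sa peer 203.0.113.1
```

The remote peer's crypto ACL must be the mirror image of this one (local 192.168.100.0/24, remote 192.168.25.0/24); it never sees 192.168.1.0/24 from this site, which is the whole point of the translation. If packet-tracer shows a different NAT rule being hit than the one above, or shows the packet dropped before the VPN phase, that is the place to look when traffic passes intermittently.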


Re: L2L VPN issue on Cisco ASA 8.4

In the whitepaper I read, it said it should look like:

nat (inside,outside) source static obj-192.168.1.0 obj-192.168.25.0 destination static obj-192.168.100.0 obj-192.168.1.0

but I wondered if the end was a typo?

Also, I see some packets pass, but then all of a sudden it stops. Does sysopt connection permit-vpn still allow traffic to bypass ACLs?

Re: L2L VPN issue on Cisco ASA 8.4

"but I wondered if the end was a typo?"

I have seen in two separate pieces of Cisco documentation that it should be as you have done, so you are on the right path.

"sysopt connection permit-vpn"

I have had this kind of setup working without enabling "sysopt connection permit-vpn".

But it does not hurt to try.

thanks

Rizwan Rafeek


Re: L2L VPN issue on Cisco ASA 8.4

Traffic seems to sporadically pass and then stop. Could other NAT rules be affecting this?

Re: L2L VPN issue on Cisco ASA 8.4

How much memory installed on your ASA?

Re: L2L VPN issue on Cisco ASA 8.4

FYI...

Please make sure that when you create the crypto ACL and the NAT exempt, they include the translated subnet "192.168.25.0" against the remote subnet.

thanks

Re: L2L VPN issue on Cisco ASA 8.4

I made a few small changes.

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.25.0
 subnet 192.168.25.0 255.255.255.0
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0

nat (inside,outside) source static obj-192.168.1.0 obj-192.168.25.0 destination static obj-192.168.100.0 obj-192.168.1.0

Can you please try this and let me know?

thanks
