Cisco Support Community

Problem with Dynamic VPN

Hi all.

I want to create a Dynamic VPN to connect the Head Office and the Branch Office.

After configuring, I can ping between the two sites. But there is a problem when I try to access the web, copy files, use remote desktop, ...

I can only ping and can't do anything.

This is my configuration, please help me to check it.

Thanks so much

3 REPLIES

Re: Problem with Dynamic VPN

Hi Vinh,

You are missing a static route on branch ASA, so please add it as shown below.

on branch ASA

route Outside 192.168.25.0 255.255.255.0 172.16.3.1

On HO ASA you are missing no-nat between two remote LANs, so please add no-nat as shown below.

HO ASA

nat (DMZ,Outside) source static DMZ DMZ destination static Vlan225 Vlan225 no-proxy-arp route-lookup

Last but not least, please add a static route on HO ASA as well.

route Outside 192.168.225.0 255.255.255.0 xxx.xxx.xxx

xxx.xxx.xxx = your gateway address of your Outside interface.

Please let me know if this helps.

thanks

Rizwan Rafeek.

Re: Problem with Dynamic VPN

Hi Rizwan.

Branch ASA is running ver 8.0 (2), not 8.4

I don't use static route as you wrote because I have default route on 2 ASA.

We run route mode in ASA HO.

DMZ ---- ASA HO ------ Draytek 3300----------Internet-------------Vigor 2920------------ASA Branch -----------------------192.168.225.0

Thanks.

Re: Problem with Dynamic VPN

Hi Vinh,

"I don't use static route as you wrote because I have default route on 2 ASA."

Your default route on the ASA is for Internet-bound traffic; however, for the VPN-bound traffic you must have a static route to push the VPN-bound traffic toward the outside's gateway, otherwise the ASA will push it towards the inside interface.

"Branch ASA is running ver 8.0 (2), not 8.4"

The missing no-nat is on HO ASA.

nat (DMZ,Outside) source static DMZ DMZ destination static Vlan225 Vlan225 no-proxy-arp route-lookup

route Outside 192.168.225.0 255.255.255.0 xxx.xxx.xxx

xxx.xxx.xxx = your gateway address of your Outside interface.

and

You still need a static route on branch ASA as shown below.

route Outside 192.168.25.0 255.255.255.0 172.16.3.1

Thanks

Rizwan Rafeek.
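
The two items discussed in this thread for the HO ASA (an identity NAT line between the DMZ and Vlan225 objects, and a route for 192.168.225.0/24) can be checked in a saved configuration with a short script; this is an added example, not code or configuration posted by anyone in the thread. Assumptions: the function names are hypothetical, 203.0.113.1 is a documentation address standing in for the elided Outside gateway, both sample configurations are constructed, and only `route` statements are evaluated (connected routes are ignored).

```python
import ipaddress
import re

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)", re.M)
NAT_RE = re.compile(
    r"^nat \(([^,\s]+),([^)\s]+)\) source static (\S+) (\S+)"
    r" destination static (\S+) (\S+)", re.M)

def parse_routes(config):
    """Return (network, interface, gateway) for every static 'route' line."""
    return [(ipaddress.ip_network(f"{net}/{mask}"), ifc, gw)
            for ifc, net, mask, gw in ROUTE_RE.findall(config)]

def best_route(config, dest_net):
    """Longest-prefix match of dest_net against the static routes only."""
    dest = ipaddress.ip_network(dest_net)
    hits = [r for r in parse_routes(config) if dest.subnet_of(r[0])]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def has_identity_nat(config, src_if, dst_if, local_obj, remote_obj):
    """True if a twice-NAT line leaves both objects untranslated."""
    want = (src_if, dst_if, local_obj, local_obj, remote_obj, remote_obj)
    return want in NAT_RE.findall(config)

def check_tunnel(config, remote_net, src_if, dst_if, local_obj, remote_obj):
    """Report the egress interface, route type and NAT exemption for a remote LAN."""
    route = best_route(config, remote_net)
    return {
        "egress": route[1] if route else None,
        "specific_route": bool(route and route[0].prefixlen > 0),
        "nat_exempt": has_identity_nat(config, src_if, dst_if,
                                       local_obj, remote_obj),
    }

# Constructed HO configurations; 203.0.113.1 is a placeholder gateway address.
BEFORE = """\
route Outside 0.0.0.0 0.0.0.0 203.0.113.1
"""
AFTER = BEFORE + """\
nat (DMZ,Outside) source static DMZ DMZ destination static Vlan225 Vlan225 no-proxy-arp route-lookup
route Outside 192.168.225.0 255.255.255.0 203.0.113.1
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check_tunnel(cfg, "192.168.225.0/24",
                                 "DMZ", "Outside", "DMZ", "Vlan225"))
```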
