Cisco Support Community
New Member

Remote-access help into a 5505

Hi all. Needing some help with a remote-access into a 5505. I can VPN in just fine, I just can't seem to pass any traffic. When I do a "sho cryp ipsec sa", I see traffic being decrypted, but I do not see any traffic being encrypted back to me. I attached my config; could I get some help from you guys to see where I have gone wrong? I appreciate it as always.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Remote-access help into a 5505

The reason why it is happening is that the ASA also has one L2L tunnel and you are using the same NAT 0 access-list as the crypto ACL for the L2L tunnel as well.

nat (inside) 0 access-list tocw

crypto map outside_map 10 match address tocw

So the traffic you are sending from the VPN client is actually returning back to the L2L tunnel.

Do the following:

Create a separate access-list for the L2L tunnel, specifying only the traffic specific to the L2L tunnel.

You have to check the remote side, but I think your crypto ACL for the L2L tunnel would be:

access-list VPNACL extended permit ip 192.168.201.0 255.255.255.0 192.168.73.0 255.255.255.0

no crypto map outside_map 10 match address tocw

crypto map outside_map 10 match address VPNACL

Your L2L tunnel will come down when you make the changes, so make the necessary arrangements.

Check and post results.

HTH

Saju

Pls rate helpful posts
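
An added example, not part of the original thread or the poster's attached config: a small audit that flags a crypto map whose `match address` ACL is also the `nat 0` ACL, or whose entries match the VPN client pool, run against a constructed before/after config. The names `tocw`, `outside_map` and `VPNACL` and the 192.168.201.0 and 192.168.73.0 networks come from the answer above; the 192.168.250.0/24 client pool and the second `tocw` entry are assumptions.

```python
import ipaddress
import re

# Constructed sample, not the poster's attached config. ACL/crypto map names
# and the 192.168.201.0 / 192.168.73.0 networks come from the thread; the
# 192.168.250.0/24 client pool and the second tocw entry are assumptions.
BEFORE = """\
access-list tocw extended permit ip 192.168.201.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list tocw extended permit ip 192.168.201.0 255.255.255.0 192.168.250.0 255.255.255.0
nat (inside) 0 access-list tocw
crypto map outside_map 10 match address tocw
"""
AFTER = BEFORE.replace(
    "crypto map outside_map 10 match address tocw",
    "access-list VPNACL extended permit ip 192.168.201.0 255.255.255.0 "
    "192.168.73.0 255.255.255.0\n"
    "crypto map outside_map 10 match address VPNACL",
)

# Only "network mask network mask" entries are parsed; any/host/object-group
# entries are skipped by this sketch.
Q = r"(\d+\.\d+\.\d+\.\d+)"
ACE = re.compile(rf"^access-list (\S+) extended permit ip {Q} {Q} {Q} {Q}$", re.M)
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$", re.M)
CMAP = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$", re.M)


def audit(config, client_pool):
    """Flag crypto-map ACLs that are reused for NAT 0 or that match the client pool."""
    pool = ipaddress.ip_network(client_pool)
    nat0_acls = set(NAT0.findall(config))
    dests = {}  # ACL name -> destination networks of its permit entries
    for name, _src, _smask, dst, dmask in ACE.findall(config):
        dests.setdefault(name, []).append(ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
    findings = []
    for cmap, seq, acl in CMAP.findall(config):
        if acl in nat0_acls:
            findings.append((cmap, int(seq), acl, "shared with nat 0"))
        for net in dests.get(acl, []):
            if net.overlaps(pool):
                findings.append((cmap, int(seq), acl, f"matches client pool via {net}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg, "192.168.250.0/24"))
```
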

2 REPLIES
New Member

Re: Remote-access help into a 5505

I can't believe I didn't think of that. Thanks Saju. I appreciate it.
