I have done some searching to find where my mistake is, but I have come up empty, so I was hoping someone might be able to shed some light on the situation. I recently upgraded an ASA from 8.2 to 8.4 (8.4(4)1 to be specific). We have two site-to-site VPNs coming into the ASA; one of the VPNs came up and the other did not. It looks like it is not even getting to the ISAKMP exchange. However, I noticed that one ASA is set up with a crypto map that points to an ACL using an object-group, and the one that is working uses a crypto map that points to an object network. Should the auto-conversion process of upgrading the code have converted the object-group to an object network, or is this still a valid way to define interesting traffic on the ASA?
Also, for my NAT statement to exempt traffic, I have seen many people using the identity NAT without the no-proxy-arp and route-lookup additions, and some with them. Which is the correct way in 8.4? Any information would be very much appreciated!
Thanks for the response. I rechecked the crypto map ACLs and discovered they were not the same on both ends of the VPN tunnel. There was also a routing problem, so traffic wasn't necessarily routing properly to the VPN tunnel. Thanks for your suggestion, it helped!
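The two things this thread turns on, a crypto-map ACL that is the exact mirror of the peer's and the 8.4 form of the NAT exemption, as an added example that is not part of the original posts. The object names, the LAN prefixes (10.1.1.0/24 and 10.2.2.0/24), the peer addresses (203.0.113.x, RFC 5737 documentation space) and the transform set are assumptions; the syntax is the ASA 8.4 CLI. An object-group in a crypto-map ACL is still valid after the upgrade: the 8.3+ migration rewrites the old nat 0 access-list exemption into a twice NAT identity rule like the one below and does not need to touch the crypto-map ACL.

```cisco
! ---- Site A ASA (8.4) ---- assumed names and addresses
! Interesting-traffic objects. object-groups remain valid in a crypto-map
! ACL in 8.4; network objects are only required for network object NAT.
object network SITEA-LAN
 subnet 10.1.1.0 255.255.255.0
object network SITEB-LAN
 subnet 10.2.2.0 255.255.255.0
object-group network SITEA-NETS
 network-object object SITEA-LAN
object-group network SITEB-NETS
 network-object object SITEB-LAN
!
! Crypto-map ACL: the peer's ACL must be the exact mirror (same prefixes,
! source and destination swapped), otherwise Phase 2 fails on proxy identity.
access-list VPN-SITEB extended permit ip object-group SITEA-NETS object-group SITEB-NETS
!
! NAT exemption as a twice NAT identity rule. route-lookup makes the ASA
! choose the egress interface from the routing table instead of from the
! (inside,outside) pair in the rule; no-proxy-arp stops the ASA answering
! ARP on outside for the untranslated (identity) addresses.
nat (inside,outside) source static SITEA-NETS SITEA-NETS destination static SITEB-NETS SITEB-NETS no-proxy-arp route-lookup
!
! The remote LAN must route out the interface the crypto map is bound to.
route outside 10.2.2.0 255.255.255.0 203.0.113.1 1
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-SITEB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
!
! ---- Site B ASA: ACL and identity NAT are the mirror image ----
access-list VPN-SITEA extended permit ip object-group SITEB-NETS object-group SITEA-NETS
nat (inside,outside) source static SITEB-NETS SITEB-NETS destination static SITEA-NETS SITEA-NETS no-proxy-arp route-lookup
!
! ---- Checks on Site A ----
! Does a packet from the LAN hit the identity NAT rule and the VPN
! (ENCRYPT) phase, and which interface does the route lookup pick?
packet-tracer input inside tcp 10.1.1.10 1025 10.2.2.10 80 detailed
! Empty output here means Phase 1 never started (no ISAKMP exchange).
show crypto ikev1 sa
! local ident / remote ident must match the peer's mirrored ACL.
show crypto ipsec sa peer 203.0.113.2
```

If packet-tracer shows the flow leaving a different interface than the crypto map is bound to, or being dropped before the VPN phase, the problem is the route or the NAT rule rather than the ACL; if the tunnel negotiates but `show crypto ipsec sa` shows identities that differ from what the peer configured, the two ACLs are not mirrors of each other.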