Cisco Support Community
lan2lan vpn not working

Hi Community,

I am struggling for more than 10 days now to make traffic go inside a tunnel established between an RV042 and an ASA 5505.

I am sure I am missing something very easy, but still cannot figure out what it is. I suspect my nat rules are bad.

The tunnel comes up nicely and stays up. I am happy with this. I can ping and even https connect between the two appliances, but nothing goes further to any of the LANs. I have 192.168.10.0/24 on the ASA side and 192.168.20.0/24 on the RV042 side.

Please find attached the ASA config.

Any help greatly appreciated, I am getting seriously frustrated. I wish I could end up with a clear vision of what I am doing wrong. Learning from my mistakes, see...

 

Gregoire

1 ACCEPTED SOLUTION

Hi ghostettler,

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Your no-NAT is incorrect; it is missing the remote LAN segment, so remove the following line.

 

no nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup

 

You don't need a default group policy for a LAN-to-LAN tunnel, so remove it.

tunnel-group xxx.xxx.xxx.41 general-attributes
 no default-group-policy GroupPolicy_xxx.xxx.xxx.41

 

Please copy this no-NAT.

nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static lausanne-network lausanne-network no-proxy-arp route-lookup

 

Force the ASA to push the traffic towards the outside interface, so that the crypto engine will catch it.


route outside 192.168.20.0 255.255.255.0 xxx.xxx.xxx.193

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Let me know if this helps.

 

thanks

Rizwan Rafeek.
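The two conditions the answer above repairs (an identity NAT rule whose destination is the remote LAN, and a route that sends the remote LAN out the interface the crypto map is bound to) are easy to lint for in a saved configuration. The following Python is an added example and is not code from this thread or from Cisco. It parses a small constructed ASA 8.3+ config; the two object names come from the thread, while the ACL name outside_cryptomap, the map name outside_map and the 203.0.113.x gateway are assumptions standing in for the masked values. It does not check the default-group-policy point.

```python
"""Lint an ASA 8.3+ config for what a LAN-to-LAN tunnel needs beyond the
crypto map: an identity (twice) NAT rule exempting local -> remote-LAN
traffic, and a route sending the remote LAN out the crypto map interface.

Added example, not code from the thread. Names other than the two objects
from the thread, and all addresses, are constructed assumptions.
"""
import ipaddress
import re


def parse_asa(config):
    """Extract network objects, ACLs, crypto map binding, twice-NAT rules, routes."""
    objects, acls, nats, routes = {}, {}, [], []
    crypto = {"acl": None, "iface": None}
    current_obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():          # unindented line ends any stanza
            current_obj = None
        if not line or line.startswith("!") or line.startswith("no "):
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            current_obj = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current_obj:
            objects[current_obj] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"host (\S+)$", line)
        if m and current_obj:
            objects[current_obj] = ipaddress.ip_network(m.group(1))
            continue
        # crypto ACLs in the common "net mask net mask" form only
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
            continue
        m = re.match(r"crypto map \S+ \d+ match address (\S+)$", line)
        if m:
            crypto["acl"] = m.group(1)
            continue
        m = re.match(r"crypto map \S+ interface (\S+)$", line)
        if m:
            crypto["iface"] = m.group(1)
            continue
        m = re.match(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", line)
        if m:
            nats.append(m.groups())               # (in, out, real_src, map_src, real_dst, map_dst)
            continue
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            iface, net, mask, gw = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw))
    return objects, acls, crypto, nats, routes


def check_l2l(config):
    """Return a list of findings; empty means both conditions hold for every crypto ACL entry."""
    objects, acls, crypto, nats, routes = parse_asa(config)
    findings = []
    for local, remote in acls.get(crypto["acl"], []):
        # 1. identity NAT: real == mapped on both sides, and the pair is exactly local -> remote
        #    (a broader object would also exempt on the box; this lint wants an exact match)
        exempt = any(
            sr == sm and dr == dm and objects.get(sr) == local and objects.get(dr) == remote
            for _in, _out, sr, sm, dr, dm in nats)
        if not exempt:
            findings.append(f"no identity NAT exempting {local} -> {remote}")
        # 2. longest-prefix route for the remote LAN must leave via the crypto map interface
        best = max((r for r in routes if remote.subnet_of(r[1])),
                   key=lambda r: r[1].prefixlen, default=None)
        if best is None:
            findings.append(f"no route for {remote}")
        elif best[0] != crypto["iface"]:
            findings.append(f"{remote} routes out {best[0]}, crypto map is on {crypto['iface']}")
    return findings


# Constructed configs: the wizard-style self-to-self NAT from the thread, and the corrected one.
WIZARD_CONFIG = """\
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network lausanne-network
 subnet 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map interface outside
"""

FIXED_CONFIG = WIZARD_CONFIG.replace(
    "destination static obj-192.168.10.0 obj-192.168.10.0",
    "destination static lausanne-network lausanne-network",
).replace(
    "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1",
    "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1\nroute outside 192.168.20.0 255.255.255.0 203.0.113.1",
)

if __name__ == "__main__":
    for label, cfg in (("wizard", WIZARD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_l2l(cfg) or "ok")
```

The route check uses longest-prefix match, so a default route out the outside interface already satisfies it; the explicit route in the answer matters when the default points elsewhere or a more specific route exists for the remote LAN on another interface.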

2 REPLIES

Hi Rizwan,

 

Many thanks, yes it works as expected now.

But I do not like the voodoo NATting made by the "Wizard". It is obvious that NATting to itself is wrong. Your NAT is fine: NATting .10.0 to .20.0 makes sense. Silly me, I did not see that before...

I wonder why the so-called Wizard does not create the outside route. Obviously without it, the poor ASA does not know where to go with 192.168.20.0/24 packets.

Once again, many thanks, as I spent too much time on this without looking in the right direction. Next time I will _not_ use the brain-damaged Cisco wizardry.

Cheers,

Gregoire Hostettler
