lan2lan vpn not working

ghostettler (Level 1)

Hi Community,

I am struggling for more than 10 days now to make traffic go inside a tunnel established between an RV042 and an ASA 5505.

I am sure I am missing something very easy, but still cannot figure out what it is. I suspect my nat rules are bad.

The tunnel comes up nicely and stays up. I am happy with this. I can ping and even https connect between the two appliances, but nothing goes further to any of the LANs. I have 192.168.10.0/24 on the ASA side and 192.168.20.0/24 on the RV042 side.

Please find attached the ASA config.

Any help greatly appreciated, I am getting seriously frustrated. I wish I could end up with a clear vision of what I am doing wrong. Learning from my mistakes, see...

 

Gregoire

Accepted Solution

rizwanr74 (Level 7)

Hi ghostettler,

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Your no-NAT is incorrect; it is missing the remote LAN segment, so remove the following line.

 

no nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup

 

You don't need a default group policy for a LAN-to-LAN tunnel, so remove it.

tunnel-group xxx.xxx.xxx.41 general-attributes
 no default-group-policy GroupPolicy_xxx.xxx.xxx.41

 

Please copy this no-NAT.

nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static lausanne-network lausanne-network no-proxy-arp route-lookup

 

Force the ASA to push the traffic towards the outside interface, so that the crypto engine will catch it.

route outside 192.168.20.0 255.255.255.0 xxx.xxx.xxx.193

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Let me know if this helps.

 

Thanks,

Rizwan Rafeek.

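As an added illustration of the two problems Rizwan points out (an identity NAT whose destination is the local LAN instead of the remote LAN, and no route steering the remote subnet to the outside interface), here is a small checker that is not part of this thread. It parses the object, nat and route lines of an ASA config and reports those conditions; the object bodies and the 203.0.113.193 next hop are constructed placeholders, since the post only shows the object names and a masked address.

```python
import ipaddress
import re

# Constructed sample objects (bodies assumed; the thread only shows the names).
OBJECTS = """\
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network lausanne-network
 subnet 192.168.20.0 255.255.255.0
"""
# The "wizard" rule quoted in the thread: local LAN as both source and destination.
WIZARD_CONFIG = OBJECTS + ("nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 "
                           "destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup\n")
# Rizwan's fix; 203.0.113.193 is a documentation-range placeholder for the real next hop.
FIXED_CONFIG = OBJECTS + ("nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 "
                          "destination static lausanne-network lausanne-network no-proxy-arp route-lookup\n"
                          "route outside 192.168.20.0 255.255.255.0 203.0.113.193\n")

OBJ_RE = re.compile(r"^object network (\S+)\n subnet (\S+) (\S+)", re.M)
NAT_RE = re.compile(r"^nat \(([^,]+),([^)]+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)", re.M)

def parse_objects(cfg):
    """Map 'object network' names to their subnets."""
    return {name: ipaddress.ip_network(f"{net}/{mask}") for name, net, mask in OBJ_RE.findall(cfg)}

def check_l2l_exemption(cfg, local, remote):
    """Return findings that would keep local<->remote traffic out of the tunnel."""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    objs = parse_objects(cfg)
    findings, exempted = [], False
    for line in cfg.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        src_real, src_mapped, dst_real, dst_mapped = m.group(3, 4, 5, 6)
        if src_real != src_mapped or dst_real != dst_mapped:
            continue  # translates something, so it is not an identity (no-NAT) rule
        src, dst = objs.get(src_real), objs.get(dst_real)
        if src == local and dst == local:
            findings.append(f"identity NAT names the local LAN as both source and destination, so it never matches traffic to {remote}")
        elif src == local and dst == remote:
            exempted = True
    if not exempted:
        findings.append(f"no identity NAT rule exempts {local} -> {remote}")
    # Rizwan's second point: an explicit route must send the remote LAN out the outside interface.
    routes = {ipaddress.ip_network(f"{n}/{mk}") for _, n, mk, _ in ROUTE_RE.findall(cfg)}
    if remote not in routes:
        findings.append(f"no explicit route for {remote}; add 'route outside {remote.network_address} {remote.netmask} <next-hop>'")
    return findings
```

Run against WIZARD_CONFIG it reports the self-to-self NAT, the missing exemption and the missing route; against FIXED_CONFIG it reports nothing.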



Hi Rizwan,

 

Many thanks, yes it works as expected now.

But I do not like the voodoo NATting made by the "Wizard". It is obvious that NATting to itself is wrong. Your NAT is fine: NATting .10.0 to .20.0 makes sense. Silly me, I did not see that before...

I wonder why the so-called Wizard does not create the outside route. Obviously, without it the poor ASA does not know where to go with 192.168.20.0/24 packets.

Once again, many thanks, as I spent too much time on this without looking in the right direction. Next time I will _not_ use the brain-damaged Cisco wizardry.

Cheers,

Gregoire Hostettler