09-02-2014 07:28 AM - edited 03-04-2019 11:40 PM
Hi Community,
I am struggling for more than 10 days now to make traffic go inside a tunnel established between an RV042 and an ASA 5505.
I am sure I am missing something very easy, but still cannot figure out what it is. I suspect my nat rules are bad.
The tunnel comes up nicely and stays up. I am happy with this. I can ping and even https connect between the two appliances, but nothing goes further to any of the LANs. I have 192.168.10.0/24 on the ASA side and 192.168.20.0/24 on the RV042 side.
Please find attached the ASA config.
Any help greatly appreciated, I am getting seriously frustrated. I wish I could end up with a clear vision of what I am doing wrong. Learning from my mistakes, see...
Gregoire
09-02-2014 02:54 PM
Hi ghostettler,
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your no-nat is incorrect; it is missing the remote LAN segment, so remove the following line.
no nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup
You don't need a default-group-policy for a LAN-to-LAN tunnel, so remove it.
tunnel-group xxx.xxx.xxx.41 general-attributes
no default-group-policy GroupPolicy_xxx.xxx.xxx.41
Please copy this no-nat.
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static lausanne-network lausanne-network no-proxy-arp route-lookup
Force the ASA to push the traffic towards the outside interface, so that the crypto engine will catch it.
route outside 192.168.20.0 255.255.255.0 xxx.xxx.xxx.193
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Let me know if this helps.
Thanks,
Rizwan Rafeek.
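The two fixes in this answer (a NAT exemption whose destination is the remote LAN rather than the local LAN itself, plus a static route sending the remote LAN out the crypto interface) are the kind of thing a quick config check can catch before hours are lost. The script below is an added example, not part of this thread or anything Cisco ships. It parses the ASA lines quoted above out of a constructed config excerpt. The `object network` subnet bodies are an assumption (the thread names `obj-192.168.10.0` and `lausanne-network` but does not show their definitions), and the route next hop `192.0.2.193` is a placeholder standing in for the masked `xxx.xxx.xxx.193`.

```python
import ipaddress
import re

# Constructed ASA running-config excerpts for this example.
# Assumption: object bodies are not shown in the thread, so they are supplied here.
OBJECTS = """
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network lausanne-network
 subnet 192.168.20.0 255.255.255.0
"""

# The wizard-generated rule from the thread: destination is the local LAN itself.
BEFORE = OBJECTS + """
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup
"""

# The corrected rule from the answer plus the static route (placeholder next hop).
AFTER = OBJECTS + """
nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static lausanne-network lausanne-network no-proxy-arp route-lookup
route outside 192.168.20.0 255.255.255.0 192.0.2.193
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_map>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_map>\S+))?"
)
ROUTE_RE = re.compile(r"^route (?P<iface>\S+) (?P<net>\S+) (?P<mask>\S+) (?P<gw>\S+)")


def parse_config(text):
    """Return (objects, nats, routes) from a config excerpt.

    objects: name -> IPv4Network; nats: list of regex group dicts;
    routes: list of (interface, IPv4Network, next_hop).
    """
    objects, nats, routes = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        current = None  # any other line ends the object block
        m = NAT_RE.match(line)
        if m:
            nats.append(m.groupdict())
            continue
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
            routes.append((m.group("iface"), net, m.group("gw")))
    return objects, nats, routes


def check_vpn_exemption(text, local_lan, remote_lan, outside_if="outside"):
    """Return a list of findings for a LAN-to-LAN tunnel; an empty list means OK."""
    local = ipaddress.ip_network(local_lan)
    remote = ipaddress.ip_network(remote_lan)
    objects, nats, routes = parse_config(text)
    findings = []

    exempted = self_destination = False
    for n in nats:
        # A NAT exemption is a twice-NAT rule mapping source and destination to themselves.
        if not n["dst_real"] or n["src_real"] != n["src_map"] or n["dst_real"] != n["dst_map"]:
            continue
        if objects.get(n["src_real"]) != local:
            continue
        dst = objects.get(n["dst_real"])
        if dst == remote:
            exempted = True
        elif dst == local:
            self_destination = True
            findings.append(f"identity NAT for {local} names the local LAN as destination; "
                            f"traffic to {remote} is not exempted")
    if not exempted and not self_destination:
        findings.append(f"no NAT exemption covering {local} -> {remote}")

    # Without a route out the crypto interface the packets never reach the crypto map.
    if not any(iface == outside_if and net == remote for iface, net, _ in routes):
        findings.append(f"no route for {remote} via interface {outside_if}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_vpn_exemption(cfg, "192.168.10.0/24", "192.168.20.0/24") or "OK")
```

Run against the wizard output it reports both the self-referencing NAT exemption and the missing route; against the corrected config it reports nothing. Extending it to read `show running-config` output from a file is a matter of replacing the constructed strings.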
09-25-2014 12:03 AM
Hi Rizwan,
Many thanks, yes it works as expected now.
But, I do not like voodoo natting made by the "Wizard". It is obvious that natting to itself is wrong. Your NAT is fine: natting .10.0 to .20.0 makes sense. Silly me, I did not see that before...
I wonder why the so-called Wizard does not create the outside route. Obviously without it, the poor ASA does not know where to go with 192.168.20.0/24 packets.
Once again, many thanks, as I spent too much time on this without looking in the right direction. Next time I will _not_ use the brain-damaged Cisco wizardry.
Cheers,
Gregoire Hostettler