06-11-2014 01:18 PM - edited 02-21-2020 05:12 AM
Hi, I have a Cisco ASA 5520 and I want to make a site-to-site VPN using another interface with a LAN-to-LAN carrier. The problem is that when I try to pass traffic I get the following syslog error:
06-11-2014 03:48 PM
Is the VPN establishing OK? ("show crypto isakmp sa" should show a MM_Active tunnel to the peer address)
We normally exempt site-site VPN traffic from NAT. That could be your problem. If you can share your configuration we can have a look at it.
p.s. you should recategorize the question to the Security / VPN forum.
06-11-2014 07:10 PM
Thanks, changed to the Security VPN forum. I will try exempting the VPN traffic now...
06-11-2014 07:15 PM
Thank you. The other question is: what is the correct security level for the interfaces in this scenario with a LAN-to-LAN carrier?
06-12-2014 06:33 AM
You're welcome. The security levels can range from 0 (lowest security - typically thought of as outside) to 100 (highest security or inside).
Your screenshot indicates you have a nat statement that references pool 1 but there's no matching global. You would typically have a line being "global 1 ..."
If you can share the configuration, we could answer better.
06-12-2014 09:09 AM
Thank you, I uploaded part of the fw config!!
https://supportforums.cisco.com/discussion/12230351/asa-5520-nat-problem