09-22-2014 03:22 PM
I followed this document to set up a VPN tunnel with NAT:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html
It works for hosts behind each firewall but I cannot communicate with the remote ASA inside interface (tested with ping and telnet).
What do I need to make the ASA inside interface accessible from the remote VPN LAN?
09-23-2014 07:35 AM
Hi,
Try adding "management-access inside" on the ASA to access inside.
-Altaf
09-23-2014 07:43 AM
Already had that in my config.
Also have "inspect icmp" in my global_policy class inspection_default section.
09-23-2014 07:47 AM
Hi,
In the NAT-exempt NAT statement, can you try adding the route-lookup keyword and check?
-Altaf
09-23-2014 08:04 AM
I don't have NAT exempt:
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.16.2.0 access-list policy-nat
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00
11-14-2014 04:21 PM
Hi,
In this case, you will still need to add the NAT exempt, as follows:
access-list nonat permit ip <Inside_subnets> <remote_subnets>
nat (inside) 0 access-list nonat
Then also make sure that you have the SSH and telnet configuration allowing the access:
Just for a quick test:
- telnet 0.0.0.0 0.0.0.0 inside
- ssh 0.0.0.0 0.0.0.0 inside
- aaa authentication ssh console LOCAL
- aaa authentication telnet console LOCAL
If you don't have an RSA key:
- crypto key generate rsa modulus 2048
Then, if that works, go ahead and add the pertinent subnets that should access SSH or Telnet.
Please don't forget to rate, and mark as correct the helpful Post!
Regards,
David Castro
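The pieces David lists above, put together into one configuration fragment. This is an added example, not configuration from the thread or from the Cisco document linked in the question. It uses the pre-8.3 NAT syntax that matches the poster's global/nat/static lines, and it assumes a local LAN of 192.168.10.0/24 behind inside (inside interface IP 192.168.10.1) and a remote VPN LAN of 192.168.20.0/24; every address, the username and the password are placeholders chosen for this example. Alongside the wide-open "quick test" lines it shows the narrowed form that should actually be left in the running config.

```text
! Added example, not the thread's own config. Assumed addresses:
!   local LAN  192.168.10.0/24, ASA inside interface 192.168.10.1
!   remote LAN 192.168.20.0/24 (other end of the LAN-to-LAN tunnel)

! 1. NAT exemption for LAN-to-LAN traffic. nat 0 is evaluated before the
!    policy static and the dynamic nat (inside) 1, so this ACL wins for
!    tunnel traffic. It must also cover the inside interface's own address,
!    which it does because 192.168.10.1 lies inside 192.168.10.0/24.
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat

! 2. Allow the inside interface to be reached for management when the
!    traffic arrives through the VPN on the outside interface.
management-access inside

! 3. Quick test only, as in the reply above: any source on inside.
!    Remove these two lines once the test succeeds.
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside

! 4. Hardened form: only the remote VPN LAN, SSH only. Telnet is cleartext,
!    so drop it entirely rather than just narrowing it.
no telnet 0.0.0.0 0.0.0.0 inside
no ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh version 2
ssh timeout 10

! 5. Local authentication for SSH. LOCAL only works if a local user exists;
!    the password here is a placeholder.
username vpnadmin password Replace-With-A-Strong-Password privilege 15
aaa authentication ssh console LOCAL

! 6. SSH needs an RSA key pair; 2048-bit as suggested above.
crypto key generate rsa modulus 2048
```

Two checks worth doing after applying this: confirm that the crypto map ACL on both peers is written subnet-to-subnet (so the ASA's inside address is part of the "interesting traffic" and gets encrypted, not just the hosts behind it), and run "show xlate" while pinging from the remote LAN to verify that no translation is being built for the 192.168.10.0/24 to 192.168.20.0/24 flow. If a translation appears, the nonat ACL is not matching and the policy static on access-list policy-nat is still being applied to that traffic.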