Routing issue for remote vpn user and spoke

piatthi1983
Level 1

Hi all,

I have configured a VPN (see attached file).

Before upgrading the ASA from 8.3 to 8.4, the spokes were able to communicate with each other, and remote VPN users were also able to access the spoke site.

After upgrading the ASA hub, neither spoke-to-spoke nor remote-user-to-spoke communication works.

Here is the NAT exemption configuration on the ASA hub. Only this ASA has been upgraded; nothing has been done at any other site.

object network 172.17.8.0
 subnet 172.17.8.0 255.255.255.0
object network 10.100.96.0
 subnet 10.100.96.0 255.255.240.0
object network VPN-SUBNET
 subnet 172.20.1.0 255.255.255.0

nat (outside,outside) source static 172.17.8.0 172.17.8.0 destination static 10.100.96.0 10.100.96.0
nat (outside,outside) source static 10.100.96.0 10.100.96.0 destination static 172.17.8.0 172.17.8.0
nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 10.100.96.0 10.100.96.0
nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 172.17.8.0 172.17.8.0

same-security-traffic permit intra-interface
same-security-traffic permit inter-interface

Do you know what the problem could be?

Thanks so much for your help.

1 Reply

Jennifer Halim
Cisco Employee

Since you are not NATing any of that traffic and it's u-turn traffic, pls remove those 4 NAT statements. They are not required at all.

Pls "clear xlate" after removing it and let us know how it goes.
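
The cleanup suggested in the reply above, as an added example that is not part of the thread or any Cisco tool: a small script that finds twice-NAT lines in a pasted ASA config which translate nothing and hairpin on one interface, and prints the `no` form for each followed by `clear xlate`. The function names are hypothetical, and the `(inside,outside)` line in the sample is constructed to show a rule that is left alone.

```python
import re

# NAT lines copied from the question; the (inside,outside) rule is constructed.
SAMPLE_CONFIG = """\
object network VPN-SUBNET
 subnet 172.20.1.0 255.255.255.0
nat (outside,outside) source static 172.17.8.0 172.17.8.0 destination static 10.100.96.0 10.100.96.0
nat (outside,outside) source static 10.100.96.0 10.100.96.0 destination static 172.17.8.0 172.17.8.0
nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 10.100.96.0 10.100.96.0
nat (outside,outside) source static VPN-SUBNET VPN-SUBNET destination static 172.17.8.0 172.17.8.0
nat (inside,outside) source static LAN LAN destination static VPN-SUBNET VPN-SUBNET
same-security-traffic permit intra-interface
"""

# Manual (twice) NAT: nat (real_if,mapped_if) source static A B destination static C D
TWICE_NAT = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"source static (?P<src_real>\S+) (?P<src_mapped>\S+) "
    r"destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+)")

def hairpin_identity_nat(config):
    """Return twice-NAT lines that change no address and stay on one interface."""
    hits = []
    for line in config.splitlines():
        m = TWICE_NAT.match(line.strip())
        if (m and m["real_if"] == m["mapped_if"]
                and m["src_real"] == m["src_mapped"]
                and m["dst_real"] == m["dst_mapped"]):
            hits.append(line.strip())
    return hits

def allows_uturn(config):
    """U-turn traffic needs intra-interface forwarding to be permitted."""
    wanted = "same-security-traffic permit intra-interface"
    return any(line.strip() == wanted for line in config.splitlines())

def removal_commands(config):
    """Build the 'no nat ...' lines, then clear xlate as the reply asks."""
    cmds = ["no " + line for line in hairpin_identity_nat(config)]
    return cmds + ["clear xlate"] if cmds else cmds

if __name__ == "__main__":
    print("intra-interface permitted:", allows_uturn(SAMPLE_CONFIG))
    print("\n".join(removal_commands(SAMPLE_CONFIG)))
```
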
