04-17-2019 10:19 PM
Hi,
I have a site-to-site VPN between an ASA 5520 and a Cisco router, and it's working fine.
Now I got a new ASA 5525-X to replace the old 5520.
My issue is that the VPN isn't working on the new ASA 5525-X; the config on the 5525 is a little different, with IKEv1 and IKEv2 etc.
For the moment I went back to the 5520 and it's working now, so the issue is the config on my new 5525.
Attached are the three configs (both ASAs and the router).
Thanks in advance
04-17-2019 10:20 PM
04-17-2019 11:33 PM
It seems NAT broke your VPN. Try to move
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26
to the beginning and add no-proxy-arp route-lookup,
i.e.
conf t
no nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26
nat (inside,outside) 1 source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26 no-proxy-arp route-lookup
04-18-2019 02:18 AM
Hi AZaburdyayev,
this
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26
is for my AnyConnect VPN, not for site-to-site, and this AnyConnect is working fine.
Let me first delete the AnyConnect VPN NAT and try.
Regards
04-18-2019 02:42 AM - edited 04-18-2019 02:50 AM
Hmm, I missed this maybe. You should exempt your internal network from NAT.
So this is the rule we are interested in:
nat (inside,outside) source static vlan_serveur vlan_serveur destination static pog_network pog_network no-proxy-arp route-lookup
You should move it to the 1st position.
04-18-2019 03:06 AM
Dear
According to the config, this NAT is in 1st position:
nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface
nat (inside,outside) source static vlan_serveur vlan_serveur destination static pog_network pog_network no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26
04-18-2019 03:31 AM
OBJ_GENERAL_ALL includes vlan_serveur, so the 1st rule, nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface, would NAT your packet BEFORE it goes into the tunnel.
nat (inside,outside) source static vlan_serveur vlan_serveur destination static pog_network pog_network no-proxy-arp route-lookup
should be before
nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface
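As an added illustration of the point made in this thread (not part of the original posts), the following Python model evaluates the quoted section-1 manual NAT rules top-down, first match wins, for a packet from a server toward the remote VPN network, and shows that only the reordered configuration leaves the packet untranslated. The object contents are constructed for the example; the thread only states that OBJ_GENERAL_ALL includes vlan_serveur.

```python
import ipaddress
import re
# Object contents are CONSTRUCTED; the thread only says OBJ_GENERAL_ALL includes vlan_serveur.
OBJECTS = {
    "OBJ_GENERAL_ALL": ["10.4.0.0/16"],
    "vlan_serveur": ["10.4.20.0/24"],
    "pog_network": ["192.168.50.0/24"],
    "DM_INLINE_NETWORK_2": ["10.4.20.0/24", "10.4.21.0/24"],
    "NETWORK_OBJ_10.4.13.0_26": ["10.4.13.0/26"],
}

# Section-1 manual NAT as quoted from the 5525-X, in its current order.
NAT_CONFIG = """
nat (inside,outside) source dynamic OBJ_GENERAL_ALL interface
nat (inside,outside) source static vlan_serveur vlan_serveur destination static pog_network pog_network no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_10.4.13.0_26 NETWORK_OBJ_10.4.13.0_26
"""

RULE_RE = re.compile(r"nat \(\w+,\w+\) source (static|dynamic) (\S+) (\S+)"
                     r"(?: destination static (\S+) \S+)?")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"type": m.group(1), "src": m.group(2),
                          "mapped": m.group(3), "dst": m.group(4)})
    return rules

def in_object(name, ip):
    return any(ip in ipaddress.ip_network(net) for net in OBJECTS[name])

def first_match(rules, src_ip, dst_ip):
    # Section 1 is evaluated top-down; the first rule matching source (and destination, if any) wins.
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pos, r in enumerate(rules, 1):
        if in_object(r["src"], src) and (r["dst"] is None or in_object(r["dst"], dst)):
            return pos, r
    return None, None

def is_nat_exempt(rules, src_ip, dst_ip):
    # Exempt only if the winning rule is an identity (real == mapped) static rule.
    r = first_match(rules, src_ip, dst_ip)[1]
    return r is not None and r["type"] == "static" and r["src"] == r["mapped"]

def identity_rules_first(rules):
    # The fix proposed in the thread: identity NAT above the dynamic PAT rule.
    ident = [r for r in rules if r["type"] == "static" and r["src"] == r["mapped"]]
    return ident + [r for r in rules if r not in ident]
```

With the rules in the order shown on the 5525-X, a server-to-pog_network packet hits the dynamic PAT rule first and is never exempt; after identity_rules_first() it hits the identity rule and Internet-bound traffic still falls through to the PAT rule.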