

VPN Lan To Lan ASA IOS 8.3

Here is my VPN Lan To Lan configuration:

object VPNL2L-src
  nat(INSIDE,OUTSIDE) static
object network VPNL2L-SRC-NAT
object network VPNnonat-SRC
object network VPNL2L-DST
nat (INSIDE,OUTSIDE) source static VPNnonat.-SRC VPNnonat-SRC destination static VPNL2L-DST VPNL2L-DST
nat (INSIDE,OUTSIDE) source static VPNL2L-src VPNL2L-SRC-NAT destination static VPNL2L-DST VPNL2L-DST

The flow shows me that the packets go out from my OUTSIDE, but when the packets come in on my OUTSIDE there is no flow in VPN traffic.



Hello Walter, 


- Was this flow checked with a packet-tracer? Could you share the output with us?

- What's the problem with the tunnel?


When I try to ping the destination from my inside host (NAT-SRC to I can see on my ASA this output:

peer address:
    Crypto map tag: outside_map, seq num: 145, local addr:

      access-list VPNL2LCrypto extended permit ip
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (

      #pkts encaps: 380, #pkts encrypt: 380, #pkts digest: 380
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.:, remote crypto endpt.:
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 59D2316F
      current inbound spi : 9DC7F1C5


As you can see, there are numbers in pkts encaps, but there aren't any numbers in pkts decaps. Obviously, when the other side tries to ping my inside host, the other side sees the same output with the same command. From this issue I can suppose that on my ASA the packets from the other side to my INSIDE aren't encrypted.
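
Added example, not part of the original thread: a small Python parser for the `show crypto ipsec sa` counters quoted above that flags SAs which encapsulate but never decapsulate. The sample output, its documentation-range peer addresses, and the state labels (`tx-only`, `rx-only`, `idle`, `bidirectional`) are constructed for this example.

```python
import re

# Constructed sample in the layout of the output quoted above; peer addresses
# are documentation-range placeholders, not values from the thread.
SAMPLE = """\
peer address: 203.0.113.10
      #pkts encaps: 380, #pkts encrypt: 380, #pkts digest: 380
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
peer address: 203.0.113.20
      #pkts encaps: 512, #pkts encrypt: 512, #pkts digest: 512
      #pkts decaps: 498, #pkts decrypt: 498, #pkts verify: 498
      #pkts replay failed (rcv): 3
"""

PEER_RE = re.compile(r"^[ \t]*peer address:[ \t]*(\S*)[ \t]*$", re.M)
COUNTER_RE = re.compile(r"#([^:#]+?):\s*(\d+)")

def parse_sas(text):
    """Return one {'peer': str, 'counters': {name: int}} dict per SA block."""
    parts = PEER_RE.split(text)  # [preamble, peer1, body1, peer2, body2, ...]
    sas = []
    for peer, body in zip(parts[1::2], parts[2::2]):
        counters = {n.strip(): int(v) for n, v in COUNTER_RE.findall(body)}
        sas.append({"peer": peer or "(elided)", "counters": counters})
    return sas

def classify(sa):
    """Label traffic direction and collect non-zero receive-side error counters."""
    c = sa["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    rcv_errors = {k: v for k, v in c.items() if "(rcv)" in k and v}
    if enc and not dec:
        state = "tx-only"        # we encrypt, nothing comes back decrypted
    elif dec and not enc:
        state = "rx-only"        # peer's traffic arrives, ours never enters the tunnel
    elif not enc and not dec:
        state = "idle"
    else:
        state = "bidirectional"
    return state, rcv_errors

def report(text):
    return [(sa["peer"], *classify(sa)) for sa in parse_sas(text)]

if __name__ == "__main__":
    for peer, state, errs in report(SAMPLE):
        print(f"{peer}: {state}, rcv errors: {errs or 'none'}")
```

A `tx-only` result is the state shown in the post above: 380 packets encapsulated and none decapsulated.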


Hello Walter, 


Is the remote end encrypting traffic?

Is this encrypted traffic from the remote end reaching the ASA? 

   *outside captures can help you answer this question

Is the ASA dropping traffic from

   *ASP captures can help you answer this question


Thanks, I modified my configuration like so:

no nat (INSIDE,OUTSIDE) source static VPNnonat.-SRC VPNnonat-SRC destination static VPNL2L-DST VPNL2L-DST

Afterwards, with a capture of type asp-drop, I see the flow from to I studied the configuration of my ASA and I wrote the configuration for the unencrypted traffic from the IP address of the inside LAN to outside for Internet with the source NAT, and the VPN is OK. From

nat (INSIDE,OUTSIDE) source dynamic INSIDE-LAN-src INSIDE-LAN-src IP- destination static Any-dst Any-dst


object-group network INSIDE-INTERNET-OUTSIDE
nat (INSIDE,OUTSIDE) source dynamic IP-

Now the VPN is OK. Thanks
