ASA VPN Tunnel with NAT - Works but ASA inside interface has no communication

netdood
Level 1

I followed this document to set up a VPN tunnel with NAT:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html

It works for hosts behind each firewall, but I cannot communicate with the remote ASA inside interface (tested with ping and telnet).

What do I need to make the ASA inside interface accessible from the remote VPN LAN?

5 Replies

ajiddima
Level 1

Hi,

Try adding "management-access inside" on the ASA to access inside.

-Altaf

Already had that in my config.

Also have "inspect icmp" in my global_policy class inspection_default section.

Hi,

In the NAT exempt nat statement, can you try adding the route-lookup keyword and check?

-Altaf

I don't have NAT exempt:

no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.16.2.0  access-list policy-nat
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00

Hi,

In this case, you will still need to add the NAT exempt, as follows:

access-list nonat permit ip <Inside_subnets> <remote_subnets>
nat (inside) 0 access-list nonat

Then also make sure that your SSH and Telnet configuration allows the access.

Just for a quick test:

- telnet 0.0.0.0 0.0.0.0 inside
- ssh 0.0.0.0 0.0.0.0 inside
- aaa authentication ssh console LOCAL
- aaa authentication telnet console LOCAL

If you don't have an RSA key:

- crypto key generate rsa modulus 2048

Then, if that works, go ahead and add the pertinent subnets that should have SSH or Telnet access.

Please don't forget to rate, and mark the helpful post as correct!

Regards,

David Castro
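A consolidated version of what this thread recommends, written as an added example (it is not the poster's running config and not David's), in the ASA 8.2-style NAT syntax that matches the configuration posted above. The addresses are assumptions: local inside interface 192.168.10.1/24 and remote VPN LAN 192.168.20.0/24; the policy-NAT static that translates the local LAN to 172.16.2.0 is left as the poster has it. Two caveats a practitioner would want alongside the advice above: the crypto map ACL on both peers must include the inside interface address as the remote side sees it, otherwise the management traffic never enters the tunnel; and the "0.0.0.0 0.0.0.0" telnet/ssh lines are for a quick test only, so this example permits SSH and ICMP only from the remote VPN LAN and omits Telnet, which carries credentials in cleartext.

```cisco
! Added example, not from the thread. ASA 8.2-style syntax (pre-8.3 NAT).
! Assumed addressing (not in the original post):
!   inside interface 192.168.10.1/24, remote VPN LAN 192.168.20.0/24
!
! 1. Allow the inside interface to be reached through the VPN tunnel.
management-access inside
!
! 2. NAT exemption for traffic between the inside interface address and
!    the remote VPN LAN. It is scoped to the interface host (an assumption
!    about this design) so the poster's policy static NAT for the rest of
!    the inside subnet keeps applying; on 8.2 "nat 0 access-list" is
!    evaluated before static policy NAT. Widen it to the whole subnet only
!    if the overlapping-network translation is not needed for those hosts.
access-list nonat extended permit ip host 192.168.10.1 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 3. Permit ICMP and SSH to the inside interface from the remote VPN LAN
!    only, instead of the 0.0.0.0 0.0.0.0 test entries. No Telnet.
icmp permit 192.168.20.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
!
! 4. Local authentication for SSH (placeholder credentials; replace them).
username netadmin password ChangeMe123 privilege 15
aaa authentication ssh console LOCAL
!
! 5. RSA key for SSH if one does not exist yet.
crypto key generate rsa modulus 2048
!
! Reminder: the crypto map ACLs on this ASA and on the remote peer must
! include 192.168.10.1 <-> 192.168.20.0/24 as interesting traffic.
```

Verify from a host on the remote LAN with ping and then ssh to 192.168.10.1; on the ASA, "show crypto ipsec sa" should show encaps/decaps counters increasing for that pair, and "show xlate" should not show a translation for the interface address if the exemption is matching.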