cisco vpn not

Thombie
Level 1

Hi all

It's been a while since I have done any VPN work, and I need help with this issue.

I have an ASA-5525 and 4 x 5506s that I need to bring up tunnels on.

I am not seeing any Phase 1 or Phase 2 activity on any of the firewalls. Debugging has been switched on.

HQ Firewall 10.132.52.1/24

ASA 1 10.132.40.1/24

ASA 2 10.132.41.0/24

ASA 3 10.132.42.0/24

ASA 4 10.132.43.0/24

Would someone mind looking at my config for HQ and one of my ASAs?

Thanks

Accepted Solution

I skimmed quickly through the files you shared, you seem not to have the right NAT exemption rules in place, and also on the HQ firewall you don't seem to have the crypto access lists defined. For the NAT exemptions you would need to define it on each firewall similar to this:

On HQ:

object network Local_Subnet
   subnet 10.132.52.0 255.255.255.0

object network AC_Subnet
   subnet 10.132.42.0 255.255.255.0

nat (inside,outside) 1 source static Local_Subnet Local_Subnet destination static AC_Subnet AC_Subnet no-proxy-arp route-lookup

This will need to be configured for all the tunnels.

On AC:

object network Local_Subnet
   subnet 10.132.42.0 255.255.255.0

object network HQ_Subnet
   subnet 10.132.52.0 255.255.255.0

nat (inside,outside) 1 source static Local_Subnet Local_Subnet destination static HQ_Subnet HQ_Subnet no-proxy-arp route-lookup

Regarding the crypto ACL on HQ firewall, it would need to be similar to what you have done on AC firewall:

access-list AC_VPN extended permit ip 10.132.52.0 255.255.255.0 10.132.42.0 255.255.255.0

You can use the objects if you want like:

access-list AC_VPN extended permit ip object Local_Subnet object AC_Subnet

And then you need to apply it to the AC crypto map similar to what you have done on AC firewall:

crypto map Internet-outside_map <the ID> match address AC_VPN


@Thombie hi, a small tip: check if your devices have connectivity to each other on the interfaces the VPN is configured on, and check if each device is configured with a default route so it can communicate with the other firewalls.

Please rate this and mark it as the solution/answer if this resolved your issue.
Good luck
KB

Thombie
Level 1

Thanks, I did that and managed to get the tunnel up, but now we are not passing any interesting traffic.

Can you share the HQ ASA config here (don't use a text file, only copy and paste)?

MHM

Thombie
Level 1

I get this error when I try to paste it into the chat:

The message body contains text that is not permitted in this community. Use the Community Feedback link in the page footer to request assistance.

Don't worry, I open it with my other laptop.
Now, do you want to make branch-to-branch connect directly or via HQ?

MHM

correct

Via HQ?

MHM

Thombie
Level 1

Correct. The branches have local breakout for Internet, but 10.132.0.0 traffic goes over the tunnel to HQ.

I will send you PM

MHM

I forgot to answer you anyway.

Br1, Br2, HQ

Br1 ACL

access-list Br1 extended permit ip object <Br1 LAN> object-group <Br2 LAN and HQ LAN>

Br1 NAT

nat (inside,outside) 1 source static <Br1 LAN> <Br1 LAN> destination static <Br2 LAN and HQ LAN> <Br2 LAN and HQ LAN>

Same for Br2.

For HQ ACL

access-list HQ-Br1 extended permit ip object-group <HQ LAN and Br2 LAN> object <Br1 LAN>

access-list HQ-Br2 extended permit ip object-group <HQ LAN and Br1 LAN> object <Br2 LAN>

HQ NAT

nat (inside,outside) 1 source static <Br1 LAN and Br2 LAN and HQ LAN> <Br1 LAN and Br2 LAN and HQ LAN> destination static <Br2 LAN and HQ LAN and Br1 LAN> <Br2 LAN and HQ LAN and Br1 LAN>

The other option is to only make branch VPNs to HQ, with no branch-to-branch via HQ.

Note: you need to configure static routes on HQ and the branches for the LANs.

MHM
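The two problems raised in this thread, a crypto ACL that is not mirrored on the peer and interesting traffic with no NAT exemption (identity twice-NAT) covering it, are easy to check mechanically before turning on debugs. The script below is an added example written for this thread; it is not code from any of the posters or from Cisco. It parses the relevant parts of an ASA running-config (object network, object-group network, extended ACLs, twice-NAT source/destination static rules), expands objects and object-groups to subnets, and reports any ACL entry that has no mirror on the peer or no identity NAT covering it. Because object-groups are expanded, it also applies to the object-group-based hub-and-spoke design MHM describes. The HQ and AC configs embedded in it are constructed samples modelled on the accepted answer, with the AC-side NAT exemption deliberately left out so the check has something to find; the ACL names AC_VPN and HQ_VPN are assumptions.

```python
import ipaddress
import re

# Constructed sample configs (not the poster's files), modelled on the accepted
# answer. The AC side deliberately lacks the NAT exemption so the check fires.
HQ_CONFIG = """
object network Local_Subnet
 subnet 10.132.52.0 255.255.255.0
object network AC_Subnet
 subnet 10.132.42.0 255.255.255.0
access-list AC_VPN extended permit ip object Local_Subnet object AC_Subnet
nat (inside,outside) 1 source static Local_Subnet Local_Subnet destination static AC_Subnet AC_Subnet no-proxy-arp route-lookup
"""

AC_CONFIG = """
object network Local_Subnet
 subnet 10.132.42.0 255.255.255.0
object network HQ_Subnet
 subnet 10.132.52.0 255.255.255.0
access-list HQ_VPN extended permit ip 10.132.42.0 255.255.255.0 10.132.52.0 255.255.255.0
"""


def take_endpoint(tokens, objects, groups):
    """Consume one address endpoint from an ACL token list; return a set of networks."""
    kw = tokens.pop(0)
    if kw == "object":
        return {objects[tokens.pop(0)]}
    if kw == "object-group":
        return set(groups[tokens.pop(0)])
    if kw == "host":
        return {ipaddress.ip_network(tokens.pop(0))}
    if kw in ("any", "any4"):
        return {ipaddress.ip_network("0.0.0.0/0")}
    return {ipaddress.ip_network(f"{kw}/{tokens.pop(0)}")}  # "A.B.C.D M.M.M.M" form


def resolve_name(name, objects, groups):
    """Object or object-group name used in a twice-NAT rule -> set of networks."""
    return {objects[name]} if name in objects else set(groups[name])


def parse_config(text):
    """Extract objects, object-groups, permit-ip ACL entries and identity NAT rules."""
    objects, groups, acls, exempt = {}, {}, {}, []
    current = None  # (kind, name) of the object block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"object network (\S+)$", line):
            current = ("obj", m.group(1))
        elif m := re.match(r"object-group network (\S+)$", line):
            current = ("grp", m.group(1))
            groups[current[1]] = []
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and current and current[0] == "obj":
            objects[current[1]] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"network-object object (\S+)$", line)) and current and current[0] == "grp":
            groups[current[1]].append(objects[m.group(1)])
        elif (m := re.match(r"network-object (\S+) (\S+)$", line)) and current and current[0] == "grp":
            groups[current[1]].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)$", line):
            current = None
            tokens = m.group(2).split()
            src = take_endpoint(tokens, objects, groups)
            dst = take_endpoint(tokens, objects, groups)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := re.match(r"nat \(\S+\) (?:\d+ )?source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            current = None
            real_src, map_src, map_dst, real_dst = m.groups()
            if real_src == map_src and real_dst == map_dst:  # identity NAT = exemption
                exempt.append((resolve_name(real_src, objects, groups),
                               resolve_name(real_dst, objects, groups)))
    return {"objects": objects, "groups": groups, "acls": acls, "exempt": exempt}


def acl_pairs(cfg, acl_name):
    """Flatten a crypto ACL into the set of (src, dst) network pairs it protects."""
    return {(s, d) for src, dst in cfg["acls"].get(acl_name, []) for s in src for d in dst}


def check_tunnel(local, local_acl, peer, peer_acl):
    """Findings for one side of a tunnel: peer ACL mirroring and NAT exemption coverage."""
    findings = []
    mine = acl_pairs(local, local_acl)
    mirrored = {(d, s) for s, d in acl_pairs(peer, peer_acl)}
    for s, d in sorted(mine - mirrored):
        findings.append(f"{local_acl}: {s} -> {d} has no mirror entry in peer ACL {peer_acl}")
    exempt = {(s, d) for src, dst in local["exempt"] for s in src for d in dst}
    for s, d in sorted(mine):
        if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt):
            findings.append(f"{local_acl}: no NAT exemption covers {s} -> {d}")
    return findings


def run_check():
    """Check both sides of the HQ<->AC tunnel in the constructed configs."""
    hq, ac = parse_config(HQ_CONFIG), parse_config(AC_CONFIG)
    return check_tunnel(hq, "AC_VPN", ac, "HQ_VPN") + check_tunnel(ac, "HQ_VPN", hq, "AC_VPN")


if __name__ == "__main__":
    for finding in run_check() or ["no findings"]:
        print(finding)
```

Run against the samples it reports one finding, the missing identity NAT on the AC side for 10.132.42.0/24 to 10.132.52.0/24, and nothing for HQ, which matches the accepted answer's diagnosis. To use it on real devices, paste each firewall's `show running-config` into the string constants (or read them from files) and call check_tunnel once per tunnel direction with that tunnel's crypto ACL names.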
