05-13-2020 07:47 PM
Hello,
Diagram and configs are attached
I have two PCs, one at each end, left to right: 10.1.1.2 and 10.2.2.2. They cannot ping each other, but the tunnels seem established. I think I am missing a NAT? Help!
Thank you.
05-13-2020 09:06 PM
Your crypto map is not applied to any interfaces. This is your issue.
QM_IDLE is what you want Phase 1 to be in; you can look at Phase 2 once the tunnel is established with 'show crypto ipsec sa'.
See more troubleshooting here: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
05-13-2020 09:30 PM
On both ASAs I have the statement:
crypto map outside_map interface outside
Does it actually have to be on the interface (gi1/1, gi1/2, etc.) itself?
Thank you.
05-14-2020 01:11 AM - edited 05-14-2020 01:12 AM
If you are NATting the traffic then you need a NAT exemption rule for your VPN. Share the full configuration of the ASAs.

crypto ikev1 enable outside
!
object network Local-Lan
 subnet 10.1.1.0 255.255.255.0
!
object network Remote-Lan
 subnet 10.2.2.0 255.255.255.0
!
nat (inside,outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan no-proxy-arp route-lookup
!

Also share the debugs:

debug crypto condition peer x.x.x.x
debug crypto ikev1
debug crypto ipsec 127
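A complete minimal IKEv1 site-to-site configuration for the left-hand ASA, pulling together the two things raised in this thread (the crypto map must be bound to the outside interface, and the 10.1.1.0/24 to 10.2.2.0/24 traffic needs an identity NAT so it bypasses any PAT rule), followed by the commands used to verify each phase. This is an added example, not a configuration from the original post or from Cisco. The outside addresses 203.0.113.1 and 203.0.113.2, the ACL name VPN-L2L, the transform-set name ESP-AES256-SHA and the pre-shared key are assumed placeholders; the right-hand ASA is the mirror image with Local-Lan and Remote-Lan swapped and 203.0.113.1 as the peer.

```cisco
! Left ASA (assumed addressing: outside 203.0.113.1, peer 203.0.113.2)
object network Local-Lan
 subnet 10.1.1.0 255.255.255.0
object network Remote-Lan
 subnet 10.2.2.0 255.255.255.0
!
! Identity NAT (NAT exemption): VPN traffic keeps its real source and destination
! and is not rewritten by a later dynamic PAT rule on (inside,outside).
! Twice NAT rules are matched before object NAT, so this takes precedence.
nat (inside,outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan no-proxy-arp route-lookup
!
! Interesting traffic: only these flows trigger and are carried by the tunnel.
access-list VPN-L2L extended permit ip object Local-Lan object Remote-Lan
!
! Phase 1 (IKEv1) policy; both peers must agree on one policy.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
!
! Phase 2 (IPsec) proposal.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
crypto map outside_map 10 match address VPN-L2L
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
! Binding line: without it the crypto map is defined but inert and no SA is ever negotiated.
crypto map outside_map interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key ExamplePSK-ChangeMe
!
! --- Verification, run from the left ASA while 10.1.1.2 pings 10.2.2.2 ---
! Confirm the map is bound to an interface:
show running-config crypto map | include interface
! Phase 1: expect the peer in state MM_ACTIVE
show crypto ikev1 sa
! Phase 2: #pkts encaps and #pkts decaps should both increase with each ping
show crypto ipsec sa peer 203.0.113.2
! Simulate the PC's ping and confirm it hits the identity NAT rule and a VPN ENCRYPT phase
! rather than being translated to the outside address or dropped by an ACL:
packet-tracer input inside icmp 10.1.1.2 8 0 10.2.2.2 detailed
```

If show crypto ipsec sa shows encaps counting up but decaps staying at zero, the local side is fine and the problem is on the remote ASA (typically its own missing NAT exemption or crypto map binding); if both stay at zero, packet-tracer will show which phase drops the packet before encryption.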