L2L VPN issue on Cisco ASA 8.4

networker99
Level 1

We are configuring an ASA 5505 version 8.4 to connect to another site via L2L IPSec VPN. The subnet at the ASA site is 192.168.1.0 and the remote side is 192.168.100.0/24. However, the 192.168.100.0/24 side already has another VPN with a site using 192.168.1.0, so we were going to NAT our local subnet to 192.168.25.0/24, so the interesting traffic would look like this:

192.168.25.0/24 <-> 192.168.100.0/24.

The VPN establishes but the traffic does not appear to be working. My NAT statement is as follows:

nat (inside,outside) source static obj-192.168.1.0 obj-192.168.25.0 destination static obj-192.168.100.0 obj-192.168.100.0

Does this look right?

7 Replies

rizwanr74
Level 7

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.25.0
 subnet 192.168.25.0 255.255.255.0
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0

nat (inside,outside) source static obj-192.168.1.0 obj-192.168.25.0 destination static obj-192.168.100.0 obj-192.168.100.0

"Does this look right?"

Yes, it looks fine to me.

Please bear in mind, your crypto ACL must include your NATted subnet as your local subnet.

thanks

In the whitepaper I read, it said it should look like:

nat (inside,outside) source static obj-192.168.1.0 obj-192.168.25.0 destination static obj-192.168.100.0 obj-192.168.1.0

but I wondered if the end was a typo?

Also, I see some packets pass but all of a sudden it stops. Does sysopt connection permit-vpn still allow traffic to bypass ACLs?

"but I wondered if the end was a typo?"

I have seen in two separate Cisco documents that it should be as you have done, so you are on the path.

"sysopt connection permit-vpn"

I have had this kind of setup working without opening "sysopt connection permit-vpn".

But it does not hurt to try.

thanks

Rizwan Rafeek

Traffic seems to sporadically pass, then stop. Could other NAT rules be affecting this?

How much memory installed on your ASA?

FYI...

Please make sure that when you create the crypto ACL and NAT exempt, they include the translated subnet "192.168.25.0" against the remote subnet.

thanks

I made a few little changes.

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.25.0
 subnet 192.168.25.0 255.255.255.0
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0

nat (inside,outside) source static obj-192.168.1.0 obj-192.168.25.0 destination static obj-192.168.100.0 obj-192.168.1.0

Can you please try this and please let me know.

thanks
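As an added illustration (not from any post in this thread), the following Python model walks the two NAT rule variants discussed above through the ASA 8.3+ twice-NAT semantics, where the rule reads `source static REAL MAPPED destination static MAPPED REAL`, and then checks whether the translated packet matches a crypto ACL that uses the NATted local subnet. The rule semantics are Cisco's documented twice-NAT syntax; the host addresses and the crypto ACL are constructed for the example and are assumptions.

```python
from ipaddress import ip_address, ip_network

# Model of ASA 8.3+ twice NAT:
#   nat (inside,outside) source static REAL MAPPED destination static MAPPED REAL
# Outbound (inside -> outside): source REAL -> MAPPED, destination MAPPED -> REAL.
# Static subnet NAT is one-to-one, so the host part of the address is preserved.

def _shift(addr, from_net, to_net):
    """Map addr from from_net to the same host offset in to_net."""
    offset = int(ip_address(addr)) - int(from_net.network_address)
    return str(ip_address(int(to_net.network_address) + offset))

class TwiceNatRule:
    def __init__(self, src_real, src_mapped, dst_mapped, dst_real):
        self.src_real, self.src_mapped = ip_network(src_real), ip_network(src_mapped)
        self.dst_mapped, self.dst_real = ip_network(dst_mapped), ip_network(dst_real)

    def outbound(self, src, dst):
        """Translate an inside->outside packet, or None if the rule does not match."""
        if ip_address(src) not in self.src_real or ip_address(dst) not in self.dst_mapped:
            return None
        return (_shift(src, self.src_real, self.src_mapped),
                _shift(dst, self.dst_mapped, self.dst_real))

    def inbound(self, src, dst):
        """Untranslate an outside->inside reply (a static rule is bidirectional)."""
        if ip_address(src) not in self.dst_real or ip_address(dst) not in self.src_mapped:
            return None
        return (_shift(src, self.dst_real, self.dst_mapped),
                _shift(dst, self.src_mapped, self.src_real))

# Constructed crypto ACL, as the thread recommends: NATted local subnet <-> remote subnet.
CRYPTO_ACL = (ip_network("192.168.25.0/24"), ip_network("192.168.100.0/24"))

def matches_crypto_acl(src, dst):
    return ip_address(src) in CRYPTO_ACL[0] and ip_address(dst) in CRYPTO_ACL[1]

# Rule from the original post: identity translation of the destination.
RULE_IDENTITY_DST = TwiceNatRule("192.168.1.0/24", "192.168.25.0/24",
                                 "192.168.100.0/24", "192.168.100.0/24")
# Rule from the last reply: destination 192.168.100.0 as mapped, 192.168.1.0 as real.
RULE_REMAPPED_DST = TwiceNatRule("192.168.1.0/24", "192.168.25.0/24",
                                 "192.168.100.0/24", "192.168.1.0/24")

def check_rule(rule, src="192.168.1.10", dst="192.168.100.5"):
    """Return (translated packet, whether the crypto ACL would select it for the tunnel)."""
    translated = rule.outbound(src, dst)  # constructed sample hosts
    return translated, translated is not None and matches_crypto_acl(*translated)

if __name__ == "__main__":
    for name, rule in (("identity dst", RULE_IDENTITY_DST), ("remapped dst", RULE_REMAPPED_DST)):
        print(name, check_rule(rule))
```

The identity-destination rule yields 192.168.25.10 -> 192.168.100.5, which the crypto ACL selects; the remapped-destination rule rewrites the destination to 192.168.1.5 on the outside, which the same crypto ACL does not select.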