02-06-2014 09:13 PM
Hi Guys,
I have 2 ASA 5505s, both running 8.4(4), with ASDM 6.4(9).
I've rebuilt the config probably 6 times now, with no clues what I'm doing wrong.
My main concern is, why the ASAs aren't even initiating VPN negotiation, no traffic at all.
I can ping both devices on their outside interfaces ok.
IKEv1 is enabled on outside interfaces.
I've checked connection profile, tunnel group, crypto maps, IKE policies, etc.
Still nothing within the logs that would indicate any negotiation attempts.
Please help!
02-06-2014 11:54 PM
Hi,
We would need to see configurations of both units to check for any problems with the configurations.
If your L2L VPN connection is configured correctly but there is no negotiation at all between the units then it would usually mean that there might be problems with the NAT configurations, so that the traffic initiated from the LAN won't match the L2L VPN configurations and therefore won't initiate the negotiation.
- Jouni
02-07-2014 12:40 AM
Hi Jouni,
How do I exempt LAN traffic from NAT on this Cisco ASA version via crypto map?
Martin
02-07-2014 12:46 AM
Hi,
Well it depends on your setup really. Mostly in the amount of networks that are at each site that use the L2L VPN.
But generally you could configure it with
object-group network LOCAL
network-object
object-group network REMOTE
network-object
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE
Naturally the "object-group" names can be different and your interfaces might not be named "inside" and "outside"
- Jouni
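As an added illustration of the point Jouni makes above (the LAN traffic has to match both the crypto map's interesting-traffic ACL and an identity twice-NAT rule before the ASA will ever start IKE), here is a small Python check over an ASA 8.3+ style configuration text. It is not code from the thread or from Cisco; the config it parses is constructed for the example, and the object-group names LOCAL and REMOTE, the ACL name L2L-VPN, the crypto map name OUTSIDE_MAP and the 192.168.x.x networks are all assumptions. It reports ACL object-group pairs with no matching identity NAT rule, and also flags object-groups that are undefined or have no network-object lines (an empty group matches nothing, so the tunnel never triggers).

```python
"""Added example: check that a site-to-site (L2L) crypto map's interesting-traffic
ACL is covered by an identity twice-NAT ("NAT0") rule on an ASA 8.3+ style config.
Object-group names, ACL names and addresses below are constructed for the example."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample config; the names and addresses are hypothetical.
SAMPLE_CONFIG = """\
object-group network LOCAL
 network-object 192.168.0.0 255.255.255.0
object-group network REMOTE
 network-object 192.168.8.0 255.255.255.0
access-list L2L-VPN extended permit ip object-group LOCAL object-group REMOTE
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE
crypto map OUTSIDE_MAP 10 match address L2L-VPN
crypto map OUTSIDE_MAP interface outside
"""

# nat (real_if,mapped_if) source static REAL MAPPED destination static MAPPED REAL
NAT_RE = re.compile(
    r"^nat \([\w-]+,[\w-]+\) source static (?P<s_real>\S+) (?P<s_mapped>\S+) "
    r"destination static (?P<d_mapped>\S+) (?P<d_real>\S+)"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit ip "
    r"object-group (?P<src>\S+) object-group (?P<dst>\S+)"
)
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (?P<acl>\S+)")


def parse_object_groups(config: str) -> Dict[str, Set[str]]:
    """Map each 'object-group network' name to its set of network-object entries."""
    groups: Dict[str, Set[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):          # a new top-level command
            m = re.match(r"^object-group network (\S+)", line)
            current = m.group(1) if m else None
            if current is not None:
                groups.setdefault(current, set())
            continue
        m = re.match(r"^\s+network-object (.+)$", line)
        if m and current is not None:
            groups[current].add(m.group(1).strip())
    return groups


def check_vpn_nat_exemption(config: str) -> Dict[str, List]:
    """Return the VPN ACL object-group pairs that lack an identity NAT rule, plus any
    referenced object-groups that are undefined or have no network-object lines."""
    groups = parse_object_groups(config)
    vpn_acls: Set[str] = set()
    pairs: List[Tuple[str, str]] = []
    exempt: Set[Tuple[str, str]] = set()
    for line in config.splitlines():          # which ACLs define VPN traffic
        m = MAP_RE.match(line)
        if m:
            vpn_acls.add(m.group("acl"))
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group("name") in vpn_acls:
            pairs.append((m.group("src"), m.group("dst")))
            continue
        m = NAT_RE.match(line)
        # Only an identity rule (real == mapped on both sides) exempts the traffic.
        if m and m["s_real"] == m["s_mapped"] and m["d_real"] == m["d_mapped"]:
            exempt.add((m["s_real"], m["d_real"]))
    missing = [p for p in pairs if p not in exempt]
    empty: List[str] = []
    for src, dst in pairs:
        for name in (src, dst):
            if not groups.get(name) and name not in empty:
                empty.append(name)
    return {"missing_exemptions": missing, "empty_groups": empty}


if __name__ == "__main__":
    print(check_vpn_nat_exemption(SAMPLE_CONFIG))
```

Run it against a `show running-config` capture to get a quick answer to the "why is there no negotiation at all" question: an entry in missing_exemptions means the LAN packets are being translated before the crypto map sees them, and an entry in empty_groups means the ACL can never match.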
02-09-2014 08:30 PM
Hi Jouni,
Thank you for your help, it gave enough info to troubleshoot the VPN.
I've factory defaulted the device which I suspected to be the problem, and rebuilt the config, and the VPN came up, still have to sort the ACL issue, but I'm getting somewhere.
I'll let you know soon.
Thanks again
Martin
02-10-2014 09:55 PM
Hi Jouni,
I got the tunnel up, but traffic is not passing through. When I run packet tracer, it all seems fine, but when I try to ping from the inside interface of one ASA to the other I get:
Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.0.250/0 to inside:192.168.8.10/0
Do I have to allow ICMP through for that?
Is that a problem with a default route?
02-10-2014 11:32 PM
Hi,
If you want to ping an internal ASA interface through the L2L VPN then you need the command "management-access
You will also possibly need to have a look at the NAT0 configuration if it doesn't work after this.
By default you should not need access rules for traffic incoming from VPN.
- Jouni
02-11-2014 03:20 PM
Hi Jouni,
That's great it worked.
Thank you very much for your help.
Kind regards
Martin