
Site-to-site VPN does not work if using completely different subnets

alex_mills
Level 1

We have two ASA 5505 devices, each with a Security Plus license. In one case site-to-site VPN does not work, in another it works. The question is why, and how to make it work in the first case?

Case 1:

Site A - public IP 111.111.111.111, inside range 10.9.1.0/24

Site B - public IP 222.222.222.222, inside range 192.168.15.0/24

I did everything the ASA ASDM site-to-site VPN manual said; the wizard was used on top of a factory reset, with no CLI commands at all. I did factory resets and tried again and again, and every time I ended up with pkts encaps: 0 on one site and pkts decaps: 0 on the other.

Case 2:

Everything the same, only 10.9.1.0 was replaced with 192.168.25.0.

Site A - public IP 111.111.111.111, inside range 192.168.25.0/24

Site B - public IP 222.222.222.222, inside range 192.168.15.0/24

It started working right after the wizard finished.

Why could this be and what should I do to make Case 1 work?

Thanks!!!

1 Reply

Could be a wrong or missing NAT-exemption, but that's impossible to prove without seeing the config.