VPN is not working

dotansplus
Level 1

I have configured a site-to-site VPN. I have this:

 

host---asax---router---asa---host

 

1.- The asax has to make a NAT for the host. In this case:

host 30.30.30.31, ASA eth0/0 30.30.30.30, ASA Ether 0/1 200.15.21.1, the router gi0/0 200.15.21.1, and the ASA 200.16.21.2

the nat for the host:

static (INSIDE,OUTSIDE) 200.15.21.31 30.30.30.31 netmask 255.255.255.255 

the ACL

access-list BMCS-BTS extended permit ip any any 

 

the static route:

route OUTSIDE 0.0.0.0 0.0.0.0 200.15.21.1

 

From the asax I can ping the ASA, but when I ping from the host 30.30.30.31, I can't even reach 200.15.21.1 from the same asax, and the ACL and the NAT don't show any hit or match. What am I missing?

 

Thanks in advance

Thanks

1 Reply

Jorge Garcia
Cisco Employee

Hi,

Thanks for contacting the Cisco Support Community, let me give a couple of recommendations:

[1] I assume that the ACL BMCS-BTS is the one you applied in the crypto map, is that correct? If so, I strongly recommend that you not use this type of ACL; instead, be more specific, for example:

access-list BMCS-BTS extended permit ip host 30.30.30.31 x.x.x.x y.y.y.y (x.x.x.x y.y.y.y represents the remote subnet/host)

[2] When creating your ACL for the crypto map, make sure that you declare the mapped address in it, since the VPN is the last step the ASA checks for an incoming packet.

[3] If you have configured an access-group on the outside interface, make sure that ICMP traffic to this host (30.30.30.31) is explicitly permitted. This way we make sure the return traffic is permitted.

 

Also, I was wondering if you could take the output of the following commands from both ASAs so I can check whether anything else is missing:

- show run all

- show tech

- show crypto isakmp sa

- show crypto ipsec sa peer x.x.x.x (Remote ASA outside IP address)

 

Finally, I would like a packet-tracer output to see whether the traffic from host 30.30.30.31 is matching another NAT statement. The command is:

 

packet-tracer input inside icmp 30.30.30.31 8 0 x.x.x.x detailed

(The X's represent the remote subnet/host)

 

Thanks in advance for the information,

Have a great day!

Best regards,

 

Osvaldo Garcia
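As an added example that is not part of the thread and not a Cisco tool: a small Python checker that applies recommendations [1] and [2] from the reply to ASA configuration text written in the pre-8.3 syntax the post uses (`static (INSIDE,OUTSIDE) mapped real netmask ...`). It parses the static NATs, the ACLs and the crypto map's `match address` line, then flags a crypto ACL that uses `any`, and a crypto ACL that names the host's real address when a static NAT maps that host to a different address. The NAT statement, the ACL name BMCS-BTS and the peer 200.16.21.2 come from the thread; the crypto map name OUTSIDE_map and the remote subnet 10.10.10.0/24 are assumptions standing in for the x.x.x.x y.y.y.y in the reply, and the three configuration fragments are constructed for the example.

```python
"""Check a site-to-site crypto ACL against the static NATs on an ASA (pre-8.3 syntax).

Added example, not code from the thread. Two checks, both taken from the reply:
  - the crypto-map ACL must not use 'any' (it should name the local and remote host/subnet);
  - when the local host is NATed, the crypto ACL must reference the mapped address,
    because NAT is applied before the packet is matched against the crypto map.
"""
import re
from ipaddress import ip_network

# ASA 8.2-style lines: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (.+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse_endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (static NATs as (real, mapped) networks, ACLs by name, crypto-map ACL name)."""
    statics, acls, crypto_acl = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            _real_if, _mapped_if, mapped, real, mask = m.groups()
            statics.append((ip_network(f"{real}/{mask}", strict=False),
                            ip_network(f"{mapped}/{mask}", strict=False)))
        elif m := ACL_RE.match(line):
            name, proto, rest = m.groups()
            src, rest = parse_endpoint(rest.split())
            dst, _ = parse_endpoint(rest)
            acls.setdefault(name, []).append((proto, src, dst))
        elif m := MATCH_RE.match(line):
            crypto_acl = m.group(1)
    return statics, acls, crypto_acl


def check_crypto_acl(text):
    """Return a list of findings; an empty list means the crypto ACL passes both checks."""
    statics, acls, crypto_acl = parse_config(text)
    if crypto_acl is None:
        return ["no 'crypto map ... match address' line found"]
    entries = acls.get(crypto_acl)
    if not entries:
        return [f"crypto ACL {crypto_acl} is referenced by the crypto map but has no entries"]
    findings = []
    for proto, src, dst in entries:
        if src.prefixlen == 0 or dst.prefixlen == 0:
            findings.append(f"{crypto_acl}: 'permit {proto} {src} {dst}' uses 'any'; "
                            "match only the local and remote host/subnet")
            continue
        for real, mapped in statics:
            # The source overlaps a NATed real address but not its translation:
            # the crypto map will never see the real address, so this entry never matches.
            if src.overlaps(real) and not src.overlaps(mapped):
                findings.append(f"{crypto_acl}: source {src} is the real address; the static NAT "
                                f"maps it to {mapped}, so the crypto ACL must use {mapped}")
    return findings


# Constructed configuration fragments (ASA 8.2 syntax). The NAT line, ACL name and
# peer address are from the thread; OUTSIDE_map and 10.10.10.0/24 are assumptions.
COMMON = """
static (INSIDE,OUTSIDE) 200.15.21.31 30.30.30.31 netmask 255.255.255.255
crypto map OUTSIDE_map 10 match address BMCS-BTS
crypto map OUTSIDE_map 10 set peer 200.16.21.2
"""
AS_POSTED = COMMON + "access-list BMCS-BTS extended permit ip any any\n"
REAL_ADDRESS = COMMON + "access-list BMCS-BTS extended permit ip host 30.30.30.31 10.10.10.0 255.255.255.0\n"
MAPPED_ADDRESS = COMMON + "access-list BMCS-BTS extended permit ip host 200.15.21.31 10.10.10.0 255.255.255.0\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("real address", REAL_ADDRESS),
                       ("mapped address", MAPPED_ADDRESS)):
        print(f"[{label}] " + ("; ".join(check_crypto_acl(cfg)) or "ok"))
```

Run against the three fragments, the checker flags the `permit ip any any` entry from the post, flags the real-address form from recommendation [1] because the static NAT translates 30.30.30.31 to 200.15.21.31, and passes the entry that names the mapped address, which is what recommendation [2] asks for. It is limited to the pre-8.3 `static` form; on ASA 8.3 and later the NAT syntax changed and the crypto ACL is written with real addresses, so the second check would not apply as written.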