Showing results for 
Search instead for 
Did you mean: 

VPN Tunneling question


I am trying to set up a site to site vpn tunneling all traffic through the vpn tunnel to the main site.  I have looked at the forum posts many times but apparently too dense to see what is needed.  The tunnel comes up and i can pass traffic across the tunnel for the private lan...but internet traffic does not traverse the tunnel.  I cant help but think it is a nat issue but do not understand why.

Any help will be appreciated.

here is the relevant configs;

remote site: 871 router

crypto isakmp policy 15

encr aes 256

authentication pre-share

group 2

crypto isakmp key ********* address 207.xx.xx.xx

crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac

crypto map vpn 10 ipsec-isakmp

set peer 207.xx.xx.xx

set transform-set esp-aes

match address VPNTRAFFIC1

ip nat inside source list NONAT interface FastEthernet4 overload

ip access-list extended NONAT
  deny   ip any
ip access-list extended VPNTRAFFIC1
permit ip  *if i change this to permit ip any then no traffic passes through the tunnel.
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1460
speed 100
no cdp enable
crypto map vpn
HQ site: ASA 5510

sysopt permit ipsec command enabled
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ipsec transform-set esp-aes-sha esp-aes-256 esp-sha-hmac
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer
crypto map outside_map 30 set transform-set esp-aes-sha
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip any
access-list outside_30_cryptomap extended permit ip any

Cisco Employee

The reason why internet traffic is not working is because you have configured NONAT for traffic from subnet towards everything. To browse the internet, traffic needs to be PATed.

Here is what needs to be configured for the NONAT access-list:

ip access-list extended NONAT
  deny   ip
  permit ip any

Please kindly remove the existing NONAT ACL, and replace it with the above.

Further to that, crypto ACL needs to be as follows:
On router: permit ip
On ASA: access-list outside_30_cryptomap extended permit ip

Hope that helps.

thanks for the follow up....that configuration doesnt force all traffic through the tunnel.  The lan on the router side

goes to the internet from their isp connection rather than through the tunnel to the HQ and out that internet


Any additional thoughts?

Content for Community-Ad