operationsbze
asked on
Cisco L2L VPN
Good day All,
I have a slight problem that I am trying to resolve, I have and ASA which is being used to provide VPN. The existing config has Remote access tunnels authenticated via digital certificate and an Lan to Lan tunnel which are being terminated on the internal interface of the ASA. I now need to create and DMZ interface that will also be the terminating interface for another L2L tunnel. My problem is that the tunnel is established for the DMZ and i can see data being transmitted and recieved when i look at the VPN tunnels under monitor, however i can't ping devices accross the tunnel between the DMZ and the remote site. Please find attached config on device and drawing with logical setup.
VPN-.pdf
Banshee-config-for-cisco.rtf
I have a slight problem that I am trying to resolve, I have and ASA which is being used to provide VPN. The existing config has Remote access tunnels authenticated via digital certificate and an Lan to Lan tunnel which are being terminated on the internal interface of the ASA. I now need to create and DMZ interface that will also be the terminating interface for another L2L tunnel. My problem is that the tunnel is established for the DMZ and i can see data being transmitted and recieved when i look at the VPN tunnels under monitor, however i can't ping devices accross the tunnel between the DMZ and the remote site. Please find attached config on device and drawing with logical setup.
VPN-.pdf
Banshee-config-for-cisco.rtf
access-list Outside_nat0_outbound extended permit ip 172.28.1.0 255.255.255.0 object-group Maskall-RTAC
The above shouldn't be needed, and could possibly be causing your problem if this affects the rpf check. You should only need the nat 0 on the "inside" interface which for this scenario is Systemplanning.
Also, you have nat-t disabled on that crypto map. Although this isn't necessarily a problem, just make sure that's what you really want.
This is tough to troubleshoot because you can only use packet-tracer one direction. Would you be able to post the packet-tracer output for traffic going from Systemplanning to RTAC?
The above shouldn't be needed, and could possibly be causing your problem if this affects the rpf check. You should only need the nat 0 on the "inside" interface which for this scenario is Systemplanning.
Also, you have nat-t disabled on that crypto map. Although this isn't necessarily a problem, just make sure that's what you really want.
This is tough to troubleshoot because you can only use packet-tracer one direction. Would you be able to post the packet-tracer output for traffic going from Systemplanning to RTAC?
ASKER
Thanks for the response Rauenpc, I've tried the tunnel without that ACL entry and it didn't make a difference, but will remove it just to be on the safe side. I had to disable NAT-T because the tunnel refused to come up if i enabled that functionality. I am trying to connect a Cisco ASA and an Oncell 3150 but doesn't seem to be going my way at the moment .
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
because no other user provided a solution that worked and as such i had to do the research on my own to find the problem.
ASKER