operationsbze

asked on

Cisco L2L VPN

Good day All,
I have a slight problem that I am trying to resolve. I have an ASA which is being used to provide VPN. The existing config has remote access tunnels authenticated via digital certificate and a LAN-to-LAN tunnel, which are being terminated on the internal interface of the ASA. I now need to create a DMZ interface that will also be the terminating interface for another L2L tunnel. My problem is that the tunnel is established for the DMZ and I can see data being transmitted and received when I look at the VPN tunnels under monitor; however, I can't ping devices across the tunnel between the DMZ and the remote site. Please find attached the config on the device and a drawing with the logical setup.
VPN-.pdf
Banshee-config-for-cisco.rtf
operationsbze

ASKER

lots of views but no responses
rauenpc
access-list Outside_nat0_outbound extended permit ip 172.28.1.0 255.255.255.0 object-group Maskall-RTAC

The above shouldn't be needed, and could possibly be causing your problem if this affects the RPF check. You should only need the nat 0 on the "inside" interface, which for this scenario is Systemplanning.

Also, you have nat-t disabled on that crypto map. Although this isn't necessarily a problem, just make sure that's what you really want.

This is tough to troubleshoot because you can only use packet-tracer in one direction. Would you be able to post the packet-tracer output for traffic going from Systemplanning to RTAC?
Thanks for the response, Rauenpc. I've tried the tunnel without that ACL entry and it didn't make a difference, but I will remove it just to be on the safe side. I had to disable NAT-T because the tunnel refused to come up if I enabled that functionality. I am trying to connect a Cisco ASA and an Oncell 3150, but it doesn't seem to be going my way at the moment.
ASKER CERTIFIED SOLUTION
operationsbze

This solution is only available to members.
Because no other user provided a solution that worked, and as such I had to do the research on my own to find the problem.