Another VPN Tunnel Question

the_Grinch · November 2014

Hey all! Having one heck of a time getting this tunnel up and running. I'm positive that I have the settings right, but maybe I am missing a step. I have all the configurations for what's setup on the other side and I am mirroring them. I can ping the ASA on the other ends IP address (outside ip that is), but when I attempt to ping the internal addresses I get no reply. A packet trace shows (I believe) that nothing gets past the inside interface so I know the tunnel is not coming up. I've done a lot of research and I'm wondering if I need to turn on protocol inspection for icmp to get the tunnel up and running? The only other issue I see is I have an access list allowing ICMP, but the other side only has one allowing IP. Any help would be awesome!

Zartanasaurus · November 2014

Are you seeing anything in the log files when the source VPN IP attempts to get to the destination VPN IP? You should at least see error messages when trying to negotiate the tunnel to see where it's failing. If you can give me a sanitized show run crypto as well as show run for the relevant ACLs/object groups in the crypto map, I could probably figure it out. show run tunnel-group <peer IP> might help also.

When using the packet-tracer command, the tunnel has to already be up, otherwise the logic won't process the packet going over the VPN as part of the output.

ETA: Are you exempting NAT across the tunnel? That could cause a conflict if one side is getting an IP it doesn't expect. If you aren't exempting NAT, the source IP should be the NAT IP.

the_Grinch · November 2014

Thanks for the reply! I did fix it yesterday and it seems my NAT rules were conflicting. Removed one and the tunnel came right up.

Another VPN Tunnel Question

Comments