We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 637 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


374 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Forum Replies

  1. Hi Rene, Does the OUTSIDE firewall interfaces has to be on the same subnet as shown in your example? Also, do i need an access-group for the access-list?


  2. Hi Mark,

    It sounds like your ASA isn’t configured correctly for NAT. It should be configured to translate all traffic from the subnet that exits the outside interface UNLESS the destination is (the other end of the VPN).

    You can use this example for PAT:

    Cisco ASA PAT configuration

    The only thing left to do is to create an exception for your VPN traffic, like this:

    object network LOCAL_SUBNET
     object network REMOTE_SUBNET
    nat (LOCAL_SUBNET,OUTSIDE) source stati
    ... Continue reading in our forum

  3. Hello Rene,

    What do the following two commands mean for IKE phase-1 and IKE Phase-2 :

    IKE phase-1:

    ASA1(config-ikev1-policy)# lifetime 4800

    IKE Phase-2:

    ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3000

    I think IKE phase-1 will be deleted after 4800(If no traffic on tunnel) and IKE phase-2 will be delete after 3000(If no traffic on tunnel ).If continue traffic flows on the tunnel then what will happen, IKE phase-1 & IKE phase-2 will be re-negotiate after expiration or not??Please explain.

    Many Thanks


  4. Hi Rene,

    I modified the network in your example with a few more nodes on each site. The network diagram is attached.

    The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
    Ping and wget from End Node 1 to Web Server 1 is working and from End Node 2 to Web Server 2 is also working.

    However, the ping/wget from End node in one site to the web server on the other site is not working in either direction. When checked with ASA logs, the tunnel is set up and the ping is getting delivered to the web server, but the web server is not responding to the pi

    ... Continue reading in our forum

  5. Hi Abdimalik,

    The tunnel-group type is “L2L”, not 121 :slight_smile: That should work.


67 more replies! Ask a question or join the discussion by visiting our Community Forum