
Forum Replies

  1. Hi Mark,

    It sounds like your ASA isn’t configured correctly for NAT. It should be configured to translate all traffic from the subnet that exits the outside interface UNLESS the destination is (the other end of the VPN).

    You can use this example for PAT:

    Cisco ASA PAT configuration

    The only thing left to do is to create an exception for your VPN traffic, like this:

    object network LOCAL_SUBNET
    object network REMOTE_SUBNET
    nat (LOCAL_SUBNET,OUTSIDE) source stati
    ... Continue reading in our forum
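
The NAT exemption that reply 1 describes, written out in full as an added example (this is not code from the original post or from the lesson). It assumes an ASA running 8.3 or later, an inside interface named INSIDE, an outside interface named OUTSIDE, a local LAN of 192.168.1.0/24 and a remote LAN of 192.168.2.0/24 behind the VPN peer; all of these names and prefixes are assumptions.

```cisco
! Added example, not the original post's configuration.
! Assumed: ASA 8.3+, inside interface nameif INSIDE, outside interface nameif OUTSIDE,
! local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24 (behind the VPN peer).
object network LOCAL_SUBNET
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_SUBNET
 subnet 192.168.2.0 255.255.255.0
!
! 1) NAT exemption (identity NAT) for the VPN traffic. This is a manual (twice) NAT
!    rule, so it lands in NAT section 1 and is checked before the object NAT rule
!    below. Real and mapped objects are identical, so nothing is translated.
!    no-proxy-arp stops the ASA answering ARP for the mapped addresses and
!    route-lookup makes it pick the egress interface from the routing table
!    instead of from this NAT rule.
nat (INSIDE,OUTSIDE) source static LOCAL_SUBNET LOCAL_SUBNET destination static REMOTE_SUBNET REMOTE_SUBNET no-proxy-arp route-lookup
!
! 2) Dynamic PAT to the OUTSIDE interface address for everything else (object NAT,
!    NAT section 2). NAT is applied before the crypto map is consulted, so without
!    rule 1 the VPN traffic would be PATed to the outside address and would no
!    longer match the crypto ACL between the two subnets.
object network LOCAL_SUBNET
 nat (INSIDE,OUTSIDE) dynamic interface
```

To check the result, `show nat` lists the rules by section with their translate_hits and untranslate_hits counters, and `packet-tracer input INSIDE icmp 192.168.1.10 8 0 192.168.2.10` walks a test ICMP echo through the ASA and shows which NAT rule the flow matches and whether it reaches the VPN encrypt phase.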

  2. Hi Zaman,

    Aggressive mode can be configured in the crypto map:

    ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive

    And transport mode in the transform set:

    ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET mode ?
    configure mode commands/options:
      transport  mode transport

    The first lifetime (ikev1 policy) is for phase 1 and the lifetime in the crypto map is for phase 2.


  3. Hello Rene,

    What do the following two commands mean for IKE phase-1 and IKE phase-2:

    IKE phase-1:

    ASA1(config-ikev1-policy)# lifetime 4800

    IKE Phase-2:

    ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3000

    I think IKE phase-1 will be deleted after 4800 (if there is no traffic on the tunnel) and IKE phase-2 will be deleted after 3000 (if there is no traffic on the tunnel). If traffic continues to flow on the tunnel, what will happen? Will IKE phase-1 and IKE phase-2 be re-negotiated after expiration or not? Please explain.

    Many Thanks
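
The two lifetimes from the question above, placed where reply 2 says they belong (the ikev1 policy for phase 1, the crypto map entry for phase 2), as an added example that is not the lesson's or any forum member's configuration. The interface name OUTSIDE, the peer address 203.0.113.2, the subnets 192.168.1.0/24 and 192.168.2.0/24, the object and ACL names and the placeholder pre-shared key are all assumptions. Two things from reply 2 are deliberately left at their defaults: the policy stays in main mode, because with a pre-shared key aggressive mode sends the PSK-derived hash before the exchange is encrypted and anyone who captures the first messages can attack the PSK offline; and the transform set stays in tunnel mode, because a site-to-site tunnel carries other hosts' packets and transport mode only protects traffic whose addresses are the peers' own.

```cisco
! Added example, not the lesson's or a forum member's configuration.
! Assumed: outside interface nameif OUTSIDE, peer 203.0.113.2, local LAN
! 192.168.1.0/24, remote LAN 192.168.2.0/24, placeholder pre-shared key.
!
! --- Phase 1 (IKEv1 / ISAKMP SA) ---
! Everything in the ikev1 policy, including this lifetime, applies to the IKE SA
! that protects the negotiation. Main mode is the default (no phase1-mode set).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 4800
crypto ikev1 enable OUTSIDE
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_A_LONG_RANDOM_PSK
!
! --- Phase 2 (IPsec SAs) ---
! Transform set: ESP with AES-256 and SHA-1 HMAC, tunnel mode (the default).
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
!
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
crypto map MY_CRYPTO_MAP 10 match address VPN_TRAFFIC
crypto map MY_CRYPTO_MAP 10 set peer 203.0.113.2
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
! The crypto map lifetime applies only to the IPsec SAs built for this entry and
! overrides the global "crypto ipsec security-association lifetime" values.
! Seconds and kilobytes are both tracked; whichever runs out first triggers a rekey.
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3000
crypto map MY_CRYPTO_MAP 10 set security-association lifetime kilobytes 4608000
crypto map MY_CRYPTO_MAP interface OUTSIDE
```

The lifetimes do not have to match the peer exactly; the shorter value proposed by either side is used. When a lifetime is about to run out while the tunnel is in use, the ASA negotiates a replacement SA and then deletes the old one, so an active tunnel is rekeyed rather than dropped. `show crypto ikev1 sa detail` and `show crypto ipsec sa` show the current phase 1 and phase 2 SAs with their remaining lifetime.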


  4. Hi Rene,

    I modified the network in your example with a few more nodes on each site. The network diagram is attached.

    The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
    Ping and wget from End Node 1 to Web Server 1 are working, and from End Node 2 to Web Server 2 they are also working.

    However, the ping/wget from the End Node in one site to the web server on the other site is not working in either direction. When I check the ASA logs, the tunnel is set up and the ping is being delivered to the web server, but the web server is not responding to the pi

    ... Continue reading in our forum
