No, you don't, the more so because you have the internet in the path. Mark, the problem is still there... somewhere between ASA1 and Gi0/0.603, and likely it's on ASA2.
--
Best regards,
Andrey

On Wed, May 18, 2011 at 1:10 AM, Mark Senteza <[email protected]> wrote:
> I've stripped the "tunnel protection ipsec profile" config from my tunnel
> interfaces. Still no joy.
>
> The ASA on the DMVPN Hub side is running version 8.2, and the inbound ACL
> shows no hit counts for any crypto traffic. The test pings come through
> fine, so I know that the NATs for the DMVPN endpoints are set up fine. I'll
> have to confirm with the remote ASA admins that there are no other ACLs along
> the path that are dropping traffic, because I'd have expected at least ESP or
> GRE to show hit counts.
>
> access-list OUTSIDE line 66 extended permit object-group CRYPTO host 222.222.222.222 host 111.111.111.111 0xe62abcbe
> access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
> access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0) 0x8b3259e1
> access-list OUTSIDE line 67 extended permit icmp host 222.222.222.222 host 111.111.111.111 echo (hitcnt=5)
>
> Do I need to have the private IPs for the DMVPN endpoints exempted from
> NAT? For instance:
>
> access-list NAT-EXEMPT ext permit ip host 10.10.1.1 host 10.20.1.1
> nat (inside) 0 access-list NAT-EXEMPT
>
> On Tue, May 17, 2011 at 11:38 AM, Andrey <[email protected]> wrote:
>
>> Apparently you do not want to turn off the encryption :)
>> So, a couple of thoughts:
>>
>> MM1 messages are not reaching the hub, or the reply from the hub is not reaching
>> the spoke, so the problem is somewhere in the path;
>> what OS version is on your ASAs? Not 8.3?
>> I guess your problem is NAT or ACLs on your ASAs
>>
>> --
>> Best regards,
>> Andrey
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
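As an added example (not from the thread, and not Cisco tooling), a small Python check over the `show access-list` lines Mark pasted: it parses the expanded ACEs between the two peers and reports which of the flows a DMVPN tunnel needs (ISAKMP, NAT-T, ESP, GRE) show zero hits, which is the question the thread is circling. The expected-flow set, the peer addresses and the diagnosis wording are my assumptions.

```python
import re

# Sample input: the ACL lines quoted in the thread (its own placeholder IPs).
SHOW_ACCESS_LIST = """\
access-list OUTSIDE line 66 extended permit object-group CRYPTO host 222.222.222.222 host 111.111.111.111 0xe62abcbe
access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0) 0x8b3259e1
access-list OUTSIDE line 67 extended permit icmp host 222.222.222.222 host 111.111.111.111 echo (hitcnt=5)
"""

# One expanded ACE (host/host form); the object-group parent line has no hitcnt and is skipped.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) host (?P<src>\S+) host (?P<dst>\S+)(?: eq (?P<port>\S+))?"
    r".*?\(hitcnt=(?P<hits>\d+)\)"
)

# Flows a DMVPN tunnel needs between the peers (assumed set): IKE, NAT-T, ESP, GRE.
EXPECTED = {("udp", "isakmp"), ("udp", "4500"), ("esp", None), ("gre", None)}


def parse_aces(text):
    """Return a dict per expanded ACE: acl, line, action, proto, src, dst, port, hits."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["line"], d["hits"] = int(d["line"]), int(d["hits"])
            aces.append(d)
    return aces


def crypto_flow_status(text, src, dst):
    """Classify the expected tunnel flows from src to dst by their ACE hit counts."""
    seen = {(a["proto"], a["port"]): a["hits"] for a in parse_aces(text)
            if a["src"] == src and a["dst"] == dst}
    return {
        "zero_hits": sorted((f for f in EXPECTED if seen.get(f) == 0), key=str),
        "no_ace": sorted((f for f in EXPECTED if f not in seen), key=str),
        "hit": {f: h for f, h in seen.items() if h > 0},
    }


def diagnosis(status):
    """Where in the exchange traffic stops, judged from the hub-side inbound ACL alone."""
    ike = ("udp", "isakmp")
    if ike in status["zero_hits"] or ike in status["no_ace"]:
        return "no ISAKMP seen: IKE never reaches this ACL, look upstream at the path/NAT"
    if ("esp", None) in status["zero_hits"] and ("udp", "4500") in status["zero_hits"]:
        return "IKE seen but no ESP/NAT-T: negotiation fails after the first exchange"
    return "crypto flows are passing this ACL"
```

Run it on a fresh `show access-list` capture after each change to see which flow is the first one that stops being counted.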
