Partial site-to-site connectivity

Answered Question
Jul 25th, 2007

I have configured an IPsec L2L tunnel between two ASA 5505 devices. The VPN LED is alight on both ASAs. I am able to ping from the inside of the one ASA to the inside of the other ASA, and vice versa. But I am not able to ping from the inside of any ASA to a device on the remote end. What might be wrong?

Kjetil

Jon Marshall Thu, 07/26/2007 - 00:06

Hi Kjetil

If your VPN is coming up and you are sure it has been established then could you check your crypto access-lists to make sure that you have included the remote network in the list.

Jon
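
Added example (not part of the original thread, and not based on the poster's configs): a Python check of the crypto access-lists mentioned above. It parses two ASA configs and reports every local/remote network pair in a crypto-map ACL that has no exact mirror on the peer. The sample configs, the addresses and the ACL name L2L are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configs; addresses and names are assumptions.
SITE_A = """
access-list L2L extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map outside_map 10 match address L2L
"""
SITE_B_OK = """
access-list L2L extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 10 match address L2L
"""
SITE_B_BAD = """
access-list L2L extended permit ip 192.168.20.0 255.255.255.0 host 192.168.10.1
crypto map outside_map 10 match address L2L
"""

ACE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
MATCH = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def _take(tokens):
    """Consume one address spec: 'any', 'host A' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def crypto_selectors(config):
    """Return the (local, remote) network pairs of ACLs bound to a crypto map."""
    lines = [line.strip() for line in config.splitlines()]
    bound = {m.group(1) for line in lines if (m := MATCH.match(line))}
    pairs = set()
    for line in lines:
        ace = ACE.match(line)
        if ace and ace.group(1) in bound:
            src, rest = _take(ace.group(2).split())
            dst, _ = _take(rest)
            pairs.add((src, dst))
    return pairs

def unmirrored(local_cfg, peer_cfg):
    """Local selectors that have no exact (remote, local) mirror on the peer."""
    peer = crypto_selectors(peer_cfg)
    return sorted(p for p in crypto_selectors(local_cfg) if (p[1], p[0]) not in peer)

if __name__ == "__main__":
    for local, remote in unmirrored(SITE_A, SITE_B_BAD):
        print(f"no mirror on peer for {local} -> {remote}")
```

An empty result only says the selectors match; the clients on each side still need a route to the remote network through the ASA.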

mattiaseriksson Thu, 07/26/2007 - 00:38

It can also be a NAT issue or an internal routing problem.

If you attach the configs it will be easier to give you an answer.

Correct Answer
mattiaseriksson Thu, 07/26/2007 - 04:05

Do the clients on each side know how to get to the remote network? Do they have the ASA as default gateway?

The config looks OK. The NAT config is not complete, so NAT is probably not working, but since nat-control is disabled it shouldn't be a problem for the VPN tunnel.

But if you don't want to configure NAT at all you can remove the "nat (VOIP) 0" statement.

Do a "clear xlate" after any change to the NAT config.
