site to site ping issue

Unanswered Question
Oct 8th, 2007

Hi all, I had a problem with my site-to-site tunnel between 2 ASAs whereby I could not ping. I have resolved this; the issue was that the encrypted networks were different on one side. They were all there, but 1 side had another network statement in. Would this matter? Do they have to match exactly the same? Also, with a VPN tunnel, was I right in adding a NAT exempt rule for those networks through the tunnel?

acomiskey Thu, 10/11/2007 - 05:08

Carl,

If you could post how you had the config when it wasn't working and the config now that it is working, it may be easier to help. Yes, you were correct in adding NAT exemption for the interesting traffic on the tunnel. Also, the crypto ACLs should mirror each other exactly. Ex.

Site A

access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list nonat

Site B

access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat
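
The mirror rule from the reply above can be checked offline before a change goes in. This is an added example, not part of the original thread: the function names are hypothetical, the parser handles only the `access-list NAME permit ip SRC MASK DST MASK` form shown above, and the 192.168.3.0 line is constructed to reproduce the "extra network statement" case from the question.

```python
import ipaddress

def parse_acl(config, name):
    """Return the set of (source, destination) networks permitted by ACL `name`."""
    entries = set()
    for line in config.splitlines():
        tok = [t for t in line.split() if t != "extended"]
        # Handles only the form used in the thread:
        # access-list NAME permit ip SRC MASK DST MASK
        if len(tok) == 8 and tok[:4] == ["access-list", name, "permit", "ip"]:
            entries.add((ipaddress.ip_network(f"{tok[4]}/{tok[5]}"),
                         ipaddress.ip_network(f"{tok[6]}/{tok[7]}")))
    return entries

def mirror_mismatches(a_cfg, b_cfg, name="crypto"):
    """Entries on each side that lack a source/destination-swapped twin on the other."""
    a, b = parse_acl(a_cfg, name), parse_acl(b_cfg, name)
    a_only = sorted(e for e in a if (e[1], e[0]) not in b)
    b_only = sorted(e for e in b if (e[1], e[0]) not in a)
    return a_only, b_only

def nat_exempt_gaps(cfg, crypto="crypto", nonat="nonat"):
    """Crypto ACL entries with no identical entry in the NAT exemption ACL."""
    return sorted(parse_acl(cfg, crypto) - parse_acl(cfg, nonat))

# Site A and Site B as posted in the thread.
SITE_A = """\
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
SITE_B = """\
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
# Constructed: Site B with one extra network statement in the crypto ACL only.
SITE_B_EXTRA = SITE_B + (
    "access-list crypto permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0\n")

if __name__ == "__main__":
    for label, other in (("as posted", SITE_B), ("extra statement", SITE_B_EXTRA)):
        a_only, b_only = mirror_mismatches(SITE_A, other)
        print(label, "| unmatched on A:", a_only, "| unmatched on B:", b_only)
        print(label, "| B crypto entries without NAT exemption:", nat_exempt_gaps(other))
```
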
