site 2 site vpn problem

Answered Question
Oct 16th, 2008

Greetings. We have a working site 2 site vpn running on 2 asa5510. Both sites can be accessed from hosts of the internal networks; however, we are unable to access any services (like a tftp server or CA) or even ping hosts in the remote site network from our local asa5510. It seems that the ASA is trying to send packets straight through the default gw, bypassing the vpn tunnel. Any help would be very appreciated.

P.S. We have checked the ACLs on both devices, so most likely this is not the problem.

Correct Answer by singhsaju about 8 years 1 month ago

Hi,

Since you have not included the public IP of the outside interface in the Crypto ACL, that's why it is not going into the tunnel.

Add to the Crypto ACL a statement where you define the outside interface's public IP as source, and mirror that statement in the remote device.

HTH

Saju

Pls rate helpful posts
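An added configuration example (not from the original post) of the mirrored crypto ACL entries the answer describes, with hypothetical RFC 5737 addresses: local ASA outside 203.0.113.1 with LAN 192.168.1.0/24, remote ASA outside 198.51.100.1 with LAN 192.168.2.0/24; ACL, crypto map and transform-set names are assumptions. Only the two "host" entries are the fix; the rest is the existing LAN-to-LAN tunnel they are added to.

```cisco
! --- Local ASA (hypothetical: outside 203.0.113.1, LAN 192.168.1.0/24) ---
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Existing LAN-to-LAN entry that already works for inside hosts
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Added: traffic the ASA itself sources from its outside interface IP.
! Keep it scoped to the remote LAN, not "any", so only the peer side gains reachability.
access-list VPN-TRAFFIC extended permit ip host 203.0.113.1 192.168.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! --- Remote ASA (hypothetical: outside 198.51.100.1, LAN 192.168.2.0/24) ---
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Mirror image of the added statement: the peer's outside IP is now the destination.
! Without this mirror, the remote side rejects the proxy identity and the SA never forms.
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 host 203.0.113.1
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! --- Check from the local ASA ---
! Source the ping from the outside interface (that is the address the ASA uses
! towards the default gateway), then confirm an IPsec SA exists for the
! host 203.0.113.1 <-> 192.168.2.0/24 pair and its encaps/decaps counters increase.
ping outside 192.168.2.10
show crypto ipsec sa peer 198.51.100.1
```

If the ping still leaves in the clear, the "show crypto ipsec sa" output will show no SA for the host entry, which points back at a mismatch between the two ACLs rather than at routing.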

singhsaju Thu, 10/16/2008 - 05:33

Post configs from both ends, and check if the IPsec traffic is bypassing the NAT engine.

HTH

Saju

mtebaccount Thu, 10/16/2008 - 05:44

It will take some time to clear the configs.

The thing is that we actually can ping the remote network from any local host or server (included in the crypto map, of course). Basically, the only problem we encountered is when the ASA itself is trying to contact remote hosts. Also, the ASA can ping remote hosts if we direct it through the inside interface. So I guess it's some sort of routing problem. I will try to post the configs as soon as possible.

