10-16-2008 05:17 AM - edited 02-21-2020 03:59 PM
Greetings. We have a working site-to-site VPN running on two ASA 5510s. Both sites can be accessed from hosts on the internal networks; however, we are unable to access any services (like a TFTP server or CA) or even ping hosts in the remote site's network from our local ASA 5510. It seems that the ASA is trying to send packets straight through the default gateway, bypassing the VPN tunnel. Any help would be very much appreciated.
P.S. We have checked the ACLs on both devices, so most likely this is not the problem.
Solved! Go to Solution.
10-16-2008 06:26 AM
Hi,
Since you have not included the public IP of the outside interface in the crypto ACL, that traffic is not going into the tunnel.
Add a statement to the crypto ACL where you define the outside interface's public IP as the source, and mirror that statement on the remote device.
HTH
Saju
Pls rate helpful posts
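A worked version of the fix described above, written as an added example and not taken from the thread's configurations: the ASA's own traffic leaving the outside interface is sourced from that interface's public IP, so the crypto ACL has to match it. All names and addresses (ACL name VPN-TRAFFIC, crypto map OUTSIDE-MAP, public IP 203.0.113.10, LANs 10.1.0.0/24 and 10.2.0.0/24, peer 198.51.100.20) are assumed placeholders.

```cisco
! ===== Local ASA 5510 (assumed: outside = 203.0.113.10, inside LAN = 10.1.0.0/24) =====
!
! Original crypto ACL: only LAN-to-LAN traffic is "interesting", so packets
! sourced by the ASA itself (ping, tftp, CA enrolment from the box) never
! match and follow the default route in the clear.
access-list VPN-TRAFFIC extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! Fix: also match traffic sourced from the outside interface's public IP.
access-list VPN-TRAFFIC extended permit ip host 203.0.113.10 10.2.0.0 255.255.255.0
!
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.20
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! ===== Remote ASA 5510 (assumed: outside = 198.51.100.20, inside LAN = 10.2.0.0/24) =====
!
! Mirror image of the local ACL: same pairs with source and destination swapped.
access-list VPN-TRAFFIC extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip 10.2.0.0 255.255.255.0 host 203.0.113.10
!
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Verification on the local ASA after the change: a second IPsec SA for
! host 203.0.113.10 -> 10.2.0.0/24 should appear, and its encaps counter
! should increase when the ASA pings a remote host via the outside interface.
! show crypto ipsec sa
! ping outside 10.2.0.5
```

The remote side must carry the mirrored entry, or Phase 2 negotiation for the new proxy identity fails even though the LAN-to-LAN SA keeps working.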
10-16-2008 05:33 AM
Post configs from both ends, and check if the IPsec traffic is bypassing the NAT engine.
HTH
Saju
10-16-2008 05:44 AM
It will take some time to clean up the configs.
The thing is that we actually can ping the remote network from any local host or server (included in the crypto map, of course). Basically, the only problem we encountered is when the ASA itself is trying to contact remote hosts. Also, the ASA can ping remote hosts if we direct it through the inside interface. So I guess it's some sort of routing problem. I will try to post configs as soon as possible.
10-16-2008 09:37 PM
Thank you very much. This solved the problem.