
site 2 site vpn problem

mtebaccount
Level 1

Greetings. We have a working site-to-site VPN running on two ASA 5510s. Both sites can be accessed from hosts on the internal networks; however, we are unable to access any services (like a TFTP server or CA) or even ping hosts in the remote site network from our local ASA 5510. It seems that the ASA is trying to send packets straight through the default gateway, bypassing the VPN tunnel. Any help would be very much appreciated.

P.S. We have checked the ACLs on both devices, so most likely this is not the problem.


singhsaju
Level 4

Post configs from both ends, and check if the IPsec traffic is bypassing the NAT engine.

HTH

Saju

It will take some time to clear configs.

The thing is that we actually can ping the remote network from any local host or server (included in the crypto map, of course). Basically, the only problem we encountered is when the ASA itself is trying to contact remote hosts. Also, the ASA can ping remote hosts if we direct it through the inside interface. So I guess it's some sort of routing problem. I will try to post configs as soon as possible.

Hi,

Since you have not included the public IP of the outside interface in the crypto ACL, that's why it is not going into the tunnel.

Add a statement to the crypto ACL where you define the outside interface's public IP as the source, and mirror that statement on the remote device.

HTH

Saju

Pls rate helpful posts
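
The check below is an added example, not part of the original thread: it models the answer's point that traffic originated by the ASA itself is sourced from the outside interface's public IP, so it only enters the tunnel once the crypto ACL covers that address, with a mirrored entry on the peer. The addresses and the ACL name `VPN` are constructed, and the parser assumes plain `permit ip` entries without object groups.

```python
import ipaddress

def parse_crypto_acl(config):
    """Return (source, destination) networks from 'permit ip' ACL lines."""
    def take(tok):
        # ASA address forms handled here: 'host A', 'any', 'NETWORK MASK'
        if tok[0] == "host":
            return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
        if tok[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
        return ipaddress.ip_network(tok[0] + "/" + tok[1]), tok[2:]
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) > 6 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = take(t[5:])
            entries.append((src, take(rest)[0]))
    return entries

def enters_tunnel(acl, src_ip, dst_ip):
    """True if src_ip -> dst_ip matches the crypto ACL (is encrypted)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)

def is_mirrored(local_acl, remote_acl):
    """True if every local entry has its source/destination swapped on the peer."""
    return set(local_acl) == {(d, s) for s, d in remote_acl}

# Constructed sample values (documentation/private ranges, hypothetical ACL name)
OUTSIDE_IP = "192.0.2.1"      # local ASA outside interface
REMOTE_HOST = "10.2.0.10"     # e.g. a TFTP server at the remote site
LOCAL_BEFORE = "access-list VPN extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0"
REMOTE_BEFORE = "access-list VPN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0"
# The fix from the answer: outside IP as source locally, mirrored on the peer
LOCAL_AFTER = LOCAL_BEFORE + "\naccess-list VPN extended permit ip host 192.0.2.1 10.2.0.0 255.255.255.0"
REMOTE_AFTER = REMOTE_BEFORE + "\naccess-list VPN extended permit ip 10.2.0.0 255.255.255.0 host 192.0.2.1"

if __name__ == "__main__":
    for label, local, remote in (("before", LOCAL_BEFORE, REMOTE_BEFORE),
                                 ("after", LOCAL_AFTER, REMOTE_AFTER)):
        acl = parse_crypto_acl(local)
        print(label,
              "| inside host in tunnel:", enters_tunnel(acl, "10.1.0.5", REMOTE_HOST),
              "| ASA itself in tunnel:", enters_tunnel(acl, OUTSIDE_IP, REMOTE_HOST),
              "| mirrored:", is_mirrored(acl, parse_crypto_acl(remote)))
```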

Thank you very much. This solved the problem.
