VPN Tunnel Up but no access to resources

Unanswered Question
Apr 20th, 2010
Hi


I have Site A and Site B connected with a Site to Site VPN.


Now the tunnel seems to be up but nothing is going between the two sites.


From site B I need to access resources on the 10.255.0.0 network. I have probably made a NAT change that is causing problems but I can't seem to spot it.


Users in Site B have full internet access so the line isn't an issue.


Thanks in advance

Jennifer Halim Tue, 04/20/2010 - 03:22
User Badges: Cisco Employee

On site B, you have 2 crypto map entries with exactly the same crypto ACL:


access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0


Crypto map sequence 1 and sequence 2 are matching the same traffic, however, it's going to different peers. This is not supported.

drikilbride Thu, 04/22/2010 - 02:35
Hi


Just coming back to you on this.


From the ASDM CLI I put in no access-list outside_1_ ....... and it said the command was completed successfully.


Although I still have the same problem.


When I look at the VPN Statistics on Site B I can see the TX value is 0 but the RX value is increasing. So I am getting traffic from Site A, I just can't send traffic to it.


Site A corresponds to this: the TX value is increasing but the RX value is staying at 0.


Also when I ask the ASDM to display the running config in a new window I still see access-list outside_1_ there which I have just removed.


Thanks again for your help.

Jennifer Halim Thu, 04/22/2010 - 04:30
User Badges: Cisco Employee

Please remove "outside_map 1" crypto map all together:


no crypto map outside_map 1 match address outside_1_cryptomap_1
no crypto map outside_map 1 set pfs group1
no crypto map outside_map 1 set peer XXXXXXXX
no crypto map outside_map 1 set transform-set ESP-3DES-SHA


Then clear the tunnels: "clear cry ipsec sa" and "clear cry isa sa"
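As an added example (not code from this thread, from the poster, or from Cisco), here is a small Python checker for the two conditions discussed above: crypto map sequences whose crypto ACLs match the same traffic but point at different peers (the unsupported configuration named in the first reply), and a sequence whose "match address" ACL no longer exists after an access-list was removed (the state the second post describes). It also emits the "no crypto map ..." lines that back out one sequence, in the form shown in the reply above. The configuration text is a constructed sample modelled on the quoted lines; the peer addresses are placeholders, not from the thread, and the parser only understands the simple "access-list ... extended permit ip" and "crypto map" forms quoted here.

```python
# Added example: check an ASA-style config excerpt for crypto map sequences
# that match the same traffic but point at different peers, and for crypto map
# sequences whose crypto ACL is missing. Not part of the original thread.
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the thread.
# Peer addresses are placeholders (documentation ranges), not real peers.
SAMPLE_CONFIG = """
access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 198.51.100.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 203.0.113.1
crypto map outside_map 2 set transform-set ESP-3DES-SHA
"""

# Only the simple "extended permit|deny ip src mask dst mask" form is parsed.
ACL_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) (\S+) (\S+) (\S+) (\S+)$"
)
# "crypto map <name> <seq> <match address|set xyz> <value>"
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set \S+)(?: (.*))?$")


def parse_config(text):
    """Return (acls, maps).

    acls: ACL name -> list of ACE tuples (action, proto, src, smask, dst, dmask)
    maps: (crypto map name, sequence) -> dict of setting -> value
    """
    acls = defaultdict(list)
    maps = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, *ace = m.groups()
            acls[name].append(tuple(ace))
            continue
        m = MAP_RE.match(line)
        if m:
            map_name, seq, key, value = m.groups()
            maps[(map_name, int(seq))][key] = value
    return dict(acls), dict(maps)


def find_conflicts(acls, maps):
    """Group sequences by the traffic their crypto ACL matches (order-insensitive
    set of ACEs) and report groups whose entries point at more than one peer."""
    by_traffic = defaultdict(list)
    for (map_name, seq), settings in maps.items():
        acl_name = settings.get("match address")
        if acl_name in acls:
            by_traffic[frozenset(acls[acl_name])].append(
                (map_name, seq, settings.get("set peer"))
            )
    conflicts = []
    for entries in by_traffic.values():
        peers = {peer for _, _, peer in entries}
        if len(entries) > 1 and len(peers) > 1:
            conflicts.append(sorted(entries, key=lambda e: (e[0], e[1])))
    return conflicts


def find_dangling(acls, maps):
    """Sequences whose 'match address' names an ACL that is no longer present:
    the state reached after removing the ACL but not the crypto map entry."""
    return sorted(
        (map_name, seq, settings["match address"])
        for (map_name, seq), settings in maps.items()
        if "match address" in settings and settings["match address"] not in acls
    )


def removal_commands(map_name, seq, maps):
    """Emit the 'no crypto map ...' lines that back out one sequence entirely,
    in the same form as the commands suggested in the thread."""
    settings = maps[(map_name, seq)]
    return [f"no crypto map {map_name} {seq} {key} {value}" for key, value in settings.items()]


if __name__ == "__main__":
    acls, maps = parse_config(SAMPLE_CONFIG)
    for group in find_conflicts(acls, maps):
        print("Same crypto ACL traffic, different peers (unsupported):")
        for map_name, seq, peer in group:
            print(f"  {map_name} seq {seq} -> peer {peer}")
        # Suggest backing out the lowest-numbered duplicate, as in the thread.
        map_name, seq, _ = group[0]
        print("Suggested removal:")
        for cmd in removal_commands(map_name, seq, maps):
            print("  " + cmd)
    for map_name, seq, acl in find_dangling(acls, maps):
        print(f"{map_name} seq {seq} references missing ACL {acl}")
```

Run it as-is to see the conflict report for the sample; feed it a saved "show running-config" excerpt instead of SAMPLE_CONFIG to check a real device, bearing in mind that object-group or port-qualified ACEs are not parsed by this simplified regex and would be silently skipped.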

Jennifer Halim Fri, 04/23/2010 - 04:15
User Badges: Cisco Employee

Can you ping 192.168.1.1 from site A LAN?


Is the site B LAN default gateway the ASA inside interface (192.168.1.1)? And on the site B host, is there any personal firewall enabled (as sometimes it wouldn't allow inbound connections if it's on)?
