04-20-2010 03:13 AM
Hi
I have Site A and Site B connected with a Site to Site VPN.
Now the tunnel seems to be up but nothing is going between the two sites.
From site B I need to access resources on the 10.255.0.0 network. I have probably made a NAT change that is causing problems but I can't seem to spot it.
Users in Site B have full internet access so the line isn't an issue.
Thanks in advance
04-20-2010 03:22 AM
On site B, you have 2 crypto map entries with exactly the same crypto ACL:
access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
Crypto map sequence 1 and sequence 2 are matching the same traffic, however, it's going to different peers. This is not supported.
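A way to spot this condition mechanically rather than by eye, as an added example that is not part of the original thread: the script below parses the relevant `access-list` and `crypto map ... match address` / `set peer` lines of an ASA running-config and reports crypto map entries in the same map whose crypto ACLs select overlapping traffic but point at different peers. The embedded config is constructed from the two ACLs quoted above; the peer addresses 203.0.113.10 and 203.0.113.20 are placeholders from RFC 5737 documentation space, since the poster's real peers are not shown.

```python
"""Flag crypto map entries whose crypto ACLs overlap but whose peers differ.

Added example, not code from the original thread. SAMPLE_CONFIG is a
constructed fragment: the ACL lines come from the thread, the peer
addresses (203.0.113.x) are placeholders, not the poster's real peers.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 203.0.113.20
crypto map outside_map 2 set transform-set ESP-3DES-SHA
"""

# Only the "permit ip <src> <mask> <dst> <mask>" ACE form is handled here.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip "
    r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$"
)
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")


def parse_config(text):
    """Return (acls, entries).

    acls:    ACL name -> list of (src_network, dst_network) ACEs
    entries: (map name, sequence) -> {"acl": name, "peer": address}
    """
    acls = defaultdict(list)
    entries = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            # ASA ACLs carry dotted subnet masks; ip_network accepts "addr/mask".
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = MATCH_RE.match(line)
        if m:
            entries[(m.group(1), int(m.group(2)))]["acl"] = m.group(3)
            continue
        m = PEER_RE.match(line)
        if m:
            entries[(m.group(1), int(m.group(2)))]["peer"] = m.group(3)
    return acls, entries


def _aces_overlap(a, b):
    """True when two (src, dst) ACEs can select the same packet."""
    return a[0].overlaps(b[0]) and a[1].overlaps(b[1])


def find_conflicts(text):
    """Return pairs ((map, seq_a), (map, seq_b)) within one crypto map whose
    ACLs overlap while their peers differ; the case the reply calls unsupported."""
    acls, entries = parse_config(text)
    conflicts = []
    keys = sorted(entries)
    for i, ka in enumerate(keys):
        for kb in keys[i + 1:]:
            if ka[0] != kb[0]:
                continue  # different crypto maps (different interfaces)
            ea, eb = entries[ka], entries[kb]
            if "acl" not in ea or "acl" not in eb:
                continue  # incomplete entry, nothing to compare
            if ea.get("peer") == eb.get("peer"):
                continue  # same peer: several entries to one peer is fine
            if any(_aces_overlap(x, y)
                   for x in acls[ea["acl"]] for y in acls[eb["acl"]]):
                conflicts.append((ka, kb))
    return conflicts


if __name__ == "__main__":
    for (name, a), (_, b) in find_conflicts(SAMPLE_CONFIG):
        print(f"crypto map {name}: sequences {a} and {b} match overlapping "
              f"traffic but have different peers")
```

Run it against `show running-config` output saved to a file in place of `SAMPLE_CONFIG`; an empty result after removing the duplicate sequence confirms that the overlap is gone, which is the state the next reply asks the poster to reach.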
04-22-2010 02:35 AM
Hi
Just coming back to you on this.
From the ASDM CLI I put in no access-list outside_1_ ....... and it said the command was completed successfully.
Although I still have the same problem.
When I look at the VPN Statistics on Site B I can see the TX value is 0 but the Rx value is increasing. So I am getting traffic from Site A, I just can't send traffic to it.
Site A corresponds to this, TX value is increasing but RX value is staying at 0.
Also when I ask the ASDM to display the running config in a new window I still see access-list outside_1_ there which I have just removed.
Thanks again for your help.
04-22-2010 04:30 AM
Please remove "outside_map 1" crypto map all together:
no crypto map outside_map 1 match address outside_1_cryptomap_1
no crypto map outside_map 1 set pfs group1
no crypto map outside_map 1 set peer XXXXXXXX
no crypto map outside_map 1 set transform-set ESP-3DES-SHA
Then clear the tunnels: "clear cry ipsec sa" and "clear cry isa sa"
04-22-2010 07:33 AM
04-23-2010 04:15 AM
Can you ping 192.168.1.1 from site A LAN?
Is the site B LAN's default gateway the ASA inside interface (192.168.1.1)? Also, on the site B host, is there a personal firewall enabled (sometimes it won't allow inbound connections when it's on)?