We are testing a site-to-site VPN from an ASA and a router. Our end can ping the other host from inside the ASA, but from our host we cannot.
When the ping is started from a host behind the ASA, the state is nothing in crypto isakmp sa.
Thanks in advance for suggestions.
OK, then if we have NAT exempt correct, and we can ping the remote network from the inside interface of the ASA (correct me if I understood wrong here), you need to check whether the packets from the host are reaching the ASA when you ping (routing issue).
If routing is correct, then check the access-lists on the inside interface of the ASA to see if we are blocking VPN traffic.
If the access-lists are OK, then I suggest you run a packet tracer on the ASA as mentioned below, and share the output here:
packet-tracer input inside icmp 10.0.0.10 8 0 192.168.0.10 detailed
(Packet from inside to outside of the ASA. Make sure you do not use the inside interface IP address of the ASA for packet-tracer; it fails. You can use any random IP address.)
packet-tracer input outside icmp 192.168.0.10 8 0 10.0.0.10 detailed
(Packet from outside to inside.)