Site to Site VPN internal host issue

Answered Question

I have a quick question regarding something I might be missing. We have a site-to-site VPN set up with an ASA 5510 on our end and a partner Cisco router.

The VPN is live and our partner can ping across to my external interface and I can ping down the tunnel to their gateway, but we can't ping any machines beyond the endpoints of the VPN tunnel.

We need communication between our 2 local LANs, specifically between 2 machines for transactions on port 104.

Even without the access list to allow the 2 internal machines on each network to communicate, we can't ping or communicate with any machines beyond the endpoints.

Any help or suggestions are greatly appreciated. I want to establish communication between the 2 internal networks before locking down specific communications with access lists.

Thanks again.

Julio Carvajal Fri, 08/31/2012 - 14:02

Hello,

Do you see the tunnel up with the following commands:

-show crypto isakmp sa
-show crypto ipsec sa

If you want, you can place the configuration of both devices on this topic so I can review it for you.

What are the 2 PCs that should communicate with each other?


Regards,


Julio

Julio Carvajal Fri, 08/31/2012 - 15:19

Hello,


So what is the other side of the tunnel local range?


Can you let me know that as I can see something weird on the config?


Regards,

Julio Carvajal Fri, 08/31/2012 - 15:38

Hello,


That's it..


Check the NAT configuration:

object network NETWORK_OBJ_172.16.30.0_27
 subnet 172.16.30.0 255.255.255.224

nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_172.16.30.0_27 NETWORK_OBJ_172.16.30.0_27
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24

You did it for the 172.16.30 instead of 172.16.40.


Regards,


Remember to rate all of the posts that help; for us that is more important than a thanks.


Julio
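An added example (not from the thread, and not Cisco tooling): a Python check for the mismatch pointed out above, comparing the networks in a crypto ACL against the identity NAT rules that exempt VPN traffic. The config sample is constructed; the ACL name `outside_cryptomap` and the /27 mask on 172.16.40.0 are assumptions.

```python
import ipaddress
import re

# Constructed sample config (not the poster's real configuration). The /27
# mask on 172.16.40.0 and the ACL name are assumptions for illustration.
SAMPLE_CONFIG = """\
object network NETWORK_OBJ_192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_172.16.30.0_27
 subnet 172.16.30.0 255.255.255.224
access-list outside_cryptomap extended permit ip 192.168.3.0 255.255.255.0 172.16.40.0 255.255.255.224
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_172.16.30.0_27 NETWORK_OBJ_172.16.30.0_27
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
"""

OBJ_RE = re.compile(r"^object network (\S+)\n\s*subnet (\S+) (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
NAT_RE = re.compile(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def missing_nat_exemptions(config):
    """Return (local, remote) crypto ACL pairs that no identity NAT rule covers."""
    objects = {name: net(a, m) for name, a, m in OBJ_RE.findall(config)}
    exempt = []
    for src, src_m, dst, dst_m in NAT_RE.findall(config):
        # Identity (no-translation) rule: real and mapped objects are the same.
        if src == src_m and dst == dst_m and src in objects and dst in objects:
            exempt.append((objects[src], objects[dst]))
    missing = []
    for _name, la, lm, ra, rm in ACL_RE.findall(config):
        local, remote = net(la, lm), net(ra, rm)
        covered = any(local.subnet_of(s) and remote.subnet_of(d) for s, d in exempt)
        if not covered:
            missing.append((str(local), str(remote)))
    return missing

if __name__ == "__main__":
    for local, remote in missing_nat_exemptions(SAMPLE_CONFIG):
        print(f"no NAT exemption for VPN traffic {local} -> {remote}")
```

The parser only understands the `subnet`-style objects and network/mask ACL entries used in the sample; object-group or host entries would need extra handling.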

Julio Carvajal Fri, 08/31/2012 - 15:45

Hello,


Of course you need


Remember to rate all of the posts that help; for us that is more important than a thanks.

Correct Answer
Julio Carvajal Fri, 08/31/2012 - 15:54

That is correct,


If you do not have any other questions, please mark the question as answered.

Remember to rate all of the posts that help; for us that is more important than a thanks.
