I verified that allof these configurations are in place at both ends of the tunnel.  This is the reason I reached out to this community.  I don't understand what's missing.  Thank you!

Hello,

Can you please post corresponding configurations from both devices?

Regards,

NT

Certainly and I appreciate your time!  But, I will have to clean them both up considerably to maintain confidentiality.  I'll try to work on them today.  Thank you!

Here are tha pared down configurations.  I made every effort to retain all settings pertinent to our tunnel and ssh/http access.  Thanks so much for your kind consideration!

Hello,

The commands:

"http 10.10.30.0 255.255.255.0 inside" command is missing in the Remote

firewall configuration.

I also did not find any crypto man match rule in the local firewall (you

might have removed it for sanitizing the config).

Can you please check these two things?

Regards,

NT

Hello,

Also, on the remote firewall, the nonat rule seems to be incorrect:

access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.31.0

255.255.255.0

access-list nonat extended permit ip 10.2.1.0 255.255.255.0 10.10.40.96

255.255.255.224

The rule for 10.2.1.0/24 to 10.10.30.0/24 is missing.

Regards,

NT

You're right!  Overzealous editing of the config files.  I believe the corrected configs have provided the data you mentioned.  Thanx!

Hello,

Have you tried to SSH/HTTPS from the remote network to your local ASA? On

the remote ASA, I still did not find the http configurations for your local

network:

http server enable

http 10.2.1.0 255.255.255.0 IN_Corp

http 192.168.1.0 255.255.255.0 management

http 192.168.3.0 255.255.255.0 management

ssh 0.0.0.0 0.0.0.0 Out_IAXS

ssh 10.2.1.0 255.255.255.0 IN_Corp

Can you please try adding:

http 0.0.0.0 0.0.0.0 IN_Corp

ssh 0.0.0.0 0.0.0.0 IN_Corp

on the remote ASA and see if that helps.

Regards,

NT

I have confirmed the http commands on the local ASA.  I must have accidentally erased them.  I have also ensured that the recommended ssh commands have been added to the remote ASA.  That's what I find so frustrating.  I still can't ssh from either end nor http from the local network.  I don't have a way to http from the remote end.  It appears that everything is correct for ssh/http access from both sides, but it still won't work.  I've worked with Cisco IOS and CatOS for nearly 20 years, but these ASAs are a bit trickier.  Unfortumately, I never had one, or a PIX to work with before as all we ever used were Nokias and Junipers.  Best regards, Wolf

Hello,

Let us try configuring packet capture and see if we can figure out

something:

On the local firewall:

access-list cap permit tcp 10.2.1.0 255.255.255.0 interface inside eq ssh

access-list cap permit tcp interface inside eq ssh 10.2.1.0 255.255.255.0

capture capin access-list cap interface inside

On the remote firewall:

access-list cap permit tcp 10.10.30.0 255.255.255.0 interface inside eq ssh

access-list cap permit tcp interface inside eq ssh 10.10.30.0 255.255.255.0

capture capin access-list cap interface inside

Also, let us try the packet-tracer:

on the local firewall:

packet-tracer input inside tcp 10.10.30.101 1024 10.2.1.211 22 detailed

On the remote firewall:

packet-tracer input inside tcp 10.2.1.101 1024 10.10.30.1 22 detailed

Also, can you please post the output of "show version" from both devices?

Regards,

NT

I shall do that, but, unfortunately, it will have to be put off until Monday.  I must tend to the network at the moment.  In the mean time, here are the show version outputs of both.  Thank you!

Regards,

Wolf

Hi Guys,

     Not sure but may be following statement will hint something.

@Local ASA#

"asdm location 10.2.1.0 255.255.255.0 Out_SPWL"