01-29-2014 01:37 PM
I will try to make sense as I am. I do not have access to all my resources at this location.
Attached is the updated network diagram, as opposed to what was previously created. I have the same setup on the other side of the VPN except my
ASA is 10.10.20.2
2921 is 10.10.20.1
Local network 172.20.16.0
Other Side
ASA is 10.10.10.2
2921 is 10.10.20.1
Local network 10.20.60.0
I can get to all nodes except the ASA on the opposite sides.
I'll try to elaborate more
01-29-2014 01:38 PM
************* IGNORE THE NOTES ON THE IMAGE **********
01-30-2014 06:31 AM
I have no tools in my location so I had to use the next best thing.
01-30-2014 06:58 AM
Roger
So you ssh from 10.20.60.x to the inside interface of the remote ASA, i.e. 10.10.20.2?
Are you sure the traffic is not going through the VPN tunnel?
Jon
01-30-2014 07:09 AM
Yes... and cannot get to it...
Should it not go through the tunnel? How can I confirm that it is or isn't.. I did do a tracert route and at one time..
it showed me the first hop was my 17.20.16.11
then it showed me a 66.185.x.x which is a router on the internet trying to get to the other side.
01-30-2014 07:12 AM
Also, before I changed the other side to match the new router setup, I could've reached the ASA when the inside interface was 172.20.16.11; now it's 10.10.20.2
** note that this is after the first side was changed and worked... accessing the ASA used to work. Now when second side changed no workie. **
01-30-2014 07:21 AM
Just to clarify, when you did the original change that we had all those posts about it still worked okay ?
And then you did another site and now it isn't working?
If so, what did you change on the ASA in the second site and what about the routing internally?
Jon
01-30-2014 07:29 AM
The change went exactly as the other site.. but with different IPs of course.. The routing to the data and other subnets is working fine.
The only issue is getting across the VPN to manage the ASAs. Either with ssh or ASDM...
So how I see it maybe;
my inside interface of the ASA 10.10.10.1 ===== vpn ====== 10.10.20.2 .. probably doesn't know how to get to it?
01-30-2014 07:37 AM
Roger
I think the issue is with your crypto map access lists, i.e. before, the ASAs had inside interfaces on the client network, but now they are using different IPs and you haven't included those IPs in the ACL applied to your crypto map for the VPN.
Check both ASAs.
Jon
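The check suggested in the reply above can be done offline against a saved copy of the crypto ACL. This is an added example, not part of the thread: the ACL name `VPN_ACL`, the /24 masks and the host addresses `.50` and `.10` are assumptions, and the sample ACL text is constructed.

```python
import ipaddress

# Constructed sample: crypto ACL on the ASA at the 10.20.60.0 site, listing
# only the LAN subnets. ACL name and /24 masks are assumptions.
SAMPLE_ACL = """\
access-list VPN_ACL extended permit ip 10.20.60.0 255.255.255.0 172.20.16.0 255.255.255.0
"""
# Constructed entry that adds the remote ASA's new inside IP to the ACL.
MGMT_ENTRY = "access-list VPN_ACL extended permit ip 10.20.60.0 255.255.255.0 host 10.10.20.2\n"

def _take_net(tokens):
    """Consume one ASA address spec (any | host ADDR | NET MASK) from tokens."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_crypto_acl(text):
    """Return (src_net, dst_net) pairs for each 'extended permit ip' entry."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        rest = tokens[5:]
        entries.append((_take_net(rest), _take_net(rest)))
    return entries

def is_protected(entries, src, dst):
    """True if src -> dst matches an entry, i.e. is selected for the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)

def uncovered(entries, flows):
    """Flows that no crypto ACL entry matches (they bypass the tunnel)."""
    return [f for f in flows if not is_protected(entries, *f)]

if __name__ == "__main__":
    flows = [("10.20.60.50", "172.20.16.10"),  # LAN to LAN
             ("10.20.60.50", "10.10.20.2")]    # admin host to remote ASA inside IP
    for label, text in (("before", SAMPLE_ACL), ("after", SAMPLE_ACL + MGMT_ENTRY)):
        print(label, uncovered(parse_crypto_acl(text), flows))
```

The ACL on the peer ASA has to mirror any entry added here, which is why the reply says to check both ASAs.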
02-07-2014 09:33 AM
It was....
Thanks again...