
New Member

Site to Site vpn connected but no access of internal remote servers

Hi Experts,

Please help me out.

I have been facing a problem for the last ten days.

I have an ASA 5510 at HO and an ASA 5505 at the branch office.

I created a site-to-site VPN and it shows connected, but when I try to access the LAN (10.0.0.24) from the branch office, I am not able to ping it or access it.

I attached the head office and branch office configuration file.

Please help me soon.

Thanks in advance

Rakesh J.

8 REPLIES
Cisco Employee

Re: Site to Site vpn connected but no access of internal remote

Hi Rakesh,

I noticed this line in the config of the Head office.

route Internal_LAN 192.168.141.0 255.255.255.0 121.241.46.2 1

The remote network is being routed back out to the LAN interface, though you have specified the gateway correctly. Kindly change it to point out the internet-facing interface (WWWLL) and let me know if it works. I suppose the command should be

route WWWLL 192.168.141.0 255.255.255.0 121.241.46.2 1

Hope this helps!

Regards,

Prapanch

New Member

Re: Site to Site vpn connected but no access of internal remote

Hi Prapanch Sir,

First of all thanks again.....

I deleted the  following route,

route Internal_LAN 192.168.141.0 255.255.255.0 121.241.46.2 1.

and added the mentioned route,

route WWWLL 192.168.141.0 255.255.255.0 121.241.46.2 1.

But still it is not working.

Please help me out.

Thanks .

Regards,

Rakesh

New Member

Re: Site to Site vpn connected but no access of internal remote

Hi Sir,

I am attaching the site-to-site sessions from the branch office; it shows Bytes Tx, not Bytes Rx.

Thanks.

Regards,

Rakesh

Cisco Employee

Re: Site to Site vpn connected but no access of internal remote

Hi Rakesh,

How is the VPN now? If resolved, please mark this as answered.

Regards,

Prapanch

Cisco Employee

Re: Site to Site vpn connected but no access of internal remote

Hi,

I think the route statement should be

route WWWLL 192.168.141.0 255.255.255.0 121.241.46.1 1

I think the gateway is 121.241.46.1 and not 121.241.46.2.

Change it this way and let me know if it helps!!

regards,

prapanch

New Member

Re: Site to Site vpn connected but no access of internal remote

Hi Prapanch Sir,

Sorry, sir, for the late reply from me.

I added the route

route WWWLL 192.168.141.0 255.255.255.0 121.241.46.2 1

but still from both ends we are not able to access the internal LAN.

Please help me out.

Regards,

Rakesh.

Cisco Employee

Re: Site to Site vpn connected but no access of internal remote

Hi,

Please post the output of "show cry ips sa" from both the ASAs. Also, please try applying captures on either ASA's LAN-facing interface to check how packets are flowing and post the captures here.

https://supportforums.cisco.com/docs/DOC-1222

Regards,

Prapanch

New Member

Re: Site to Site vpn connected but no access of internal remote

Hi Sir,

I am sending you the show cry ips sa output from both ASAs.

Branchoffice output:

Result of the command: "show cry ips sa"

interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 123.236.29.59

      access-list outside_1_cryptomap permit ip 192.168.141.0 255.255.255.0 10.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (192.168.141.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: 121.241.46.2

      #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 123.236.29.59, remote crypto endpt.: 121.241.46.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: D7E698E1

    inbound esp sas:
      spi: 0x4D9EAAC6 (1302244038)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28780)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xD7E698E1 (3622213857)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/28780)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

****************************************************************************************************************************************************

Head office Output:

Result of the command: "show cry ips sa"

interface: WWWLL
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 121.241.46.2

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.130.0/255.255.255.0/0/0)
      current_peer: Ukl_Baroda, username: baroda
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 13532, #pkts encrypt: 13532, #pkts digest: 13532
      #pkts decaps: 8552, #pkts decrypt: 8552, #pkts verify: 8552
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 13532, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 121.241.46.2/4500, remote crypto endpt.: Ukl_Baroda/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 640CE724

    inbound esp sas:
      spi: 0x3DF434CA (1039414474)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 27774976, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 27187
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x640CE724 (1678567204)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 27774976, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 27187
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 121.241.46.2

      local ident (addr/mask/prot/port): (121.241.46.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
      current_peer: Ukl_Delhi, username: delhi
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 121.241.46.2/4500, remote crypto endpt.: Ukl_Delhi/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 559CCF24

    inbound esp sas:
      spi: 0xA90C2848 (2836146248)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 28258304, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28800
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x559CCF24 (1436340004)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 28258304, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28800
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 121.241.46.2

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
      current_peer: Ukl_Chennai, username: auto
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 121.241.46.2/4500, remote crypto endpt.: Ukl_Chennai/4500
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: EFEF8E8F

    inbound esp sas:
      spi: 0xCF0D97AC (3473774508)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 28254208, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28780
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xEFEF8E8F (4025454223)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 28254208, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28780
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 121.241.46.2

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.141.0/255.255.255.0/0/0)
      current_peer: uklthane

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 121.241.46.2, remote crypto endpt.: uklthane

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 4D9EAAC6

    inbound esp sas:
      spi: 0xD7E698E1 (3622213857)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 28233728, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3915000/28631)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x4D9EAAC6 (1302244038)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 28233728, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3915000/28631)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 121.241.46.2

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (Ukl_Calcutta/255.255.255.255/0/0)
      current_peer: Ukl_Calcutta, username: calcutta
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 121.241.46.2, remote crypto endpt.: Ukl_Calcutta

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 17E2890D

    inbound esp sas:
      spi: 0x92F4B06A (2465509482)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 28086272, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28140
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x17E2890D (400722189)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 28086272, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28140
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 121.241.46.2

      local ident (addr/mask/prot/port): (121.241.46.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (Ukl_Calcutta/255.255.255.255/0/0)
      current_peer: Ukl_Calcutta, username: calcutta
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 121.241.46.2, remote crypto endpt.: Ukl_Calcutta

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: B145BB9F

    inbound esp sas:
      spi: 0xEE7EE538 (4001293624)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 28086272, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28136
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB145BB9F (2974137247)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 28086272, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28136
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
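
Added example, not part of any post in this thread: a small Python parser for the encaps/decaps counters in "show cry ips sa" output, labelling each SA by traffic direction so a tunnel that is up but passing traffic one way (or not at all) stands out. The function names are hypothetical; the sample is a trimmed excerpt of the output posted above.

```python
import re

# Trimmed excerpt of the "show cry ips sa" output posted in this thread.
SAMPLE = """\
Crypto map tag: outside_map, seq num: 1, local addr: 123.236.29.59
  local ident (addr/mask/prot/port): (192.168.141.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
  current_peer: 121.241.46.2
  #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 121.241.46.2
  local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.130.0/255.255.255.0/0/0)
  current_peer: Ukl_Baroda, username: baroda
  #pkts encaps: 13532, #pkts encrypt: 13532, #pkts digest: 13532
  #pkts decaps: 8552, #pkts decrypt: 8552, #pkts verify: 8552
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 121.241.46.2
  local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.141.0/255.255.255.0/0/0)
  current_peer: uklthane
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

FIELDS = {
    "local": re.compile(r"local ident .*?: \(([^/]+)/([^/]+)/"),
    "remote": re.compile(r"remote ident .*?: \(([^/]+)/([^/]+)/"),
    "peer": re.compile(r"current_peer: ([^,\s]+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}

def parse_sas(text):
    """Yield one dict per SA entry; entries start at 'Crypto map tag:'."""
    for chunk in text.split("Crypto map tag:")[1:]:
        found = {k: rx.search(chunk) for k, rx in FIELDS.items()}
        if all(found.values()):  # skip entries truncated in a paste
            sa = {k: "/".join(m.groups()) for k, m in found.items()}
            sa["encaps"], sa["decaps"] = int(sa["encaps"]), int(sa["decaps"])
            yield sa

def classify(sa):
    """Label the SA from its counters: who is sending, who is receiving."""
    enc, dec = sa["encaps"] > 0, sa["decaps"] > 0
    return {(True, True): "bidirectional", (True, False): "tx-only",
            (False, True): "rx-only", (False, False): "no-traffic"}[(enc, dec)]

def report(text):
    """Return (peer, remote network, label) for every SA in the output."""
    return [(sa["peer"], sa["remote"], classify(sa)) for sa in parse_sas(text)]
```

On the posted counters, the branch SA toward 121.241.46.2 comes out tx-only and the head-office SA for 192.168.141.0 comes out no-traffic, while the Ukl_Baroda SA is bidirectional.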
