08-23-2010 02:59 PM
We have two ASAs. We just set up a site-to-site VPN. For some reason, we are not able to access the internal resources at the Main office from the Remote office. Do you have any suggestions? Thanks.
Solved! Go to Solution.
08-24-2010 07:39 AM
As wu suggested, please first confirm that the tunnel is up properly.
"sh cry isa sa" -> will tell you if phase 1 is up
"sh cry ips sa" -> will tell you if phase 2 is up
Now once they are up, when you ping from site A to site B,
you should see encaps in site A and decaps in site B for traffic from A to B, and vice versa for the return traffic.
Now we need to see where it is failing.
It could be that the packet is coming till the ASA but not getting encrypted, or that the packet is not coming to the ASA itself.
You can run packet tracer to see if it is getting encapsulated, or in other words hits the VPN tunnel.
It could be a NAT issue, and sometimes, if at all it is a new setup, probably the ISP could have blocked ESP traffic in one direction or either direction.
The best way to approach this is to enable "management-access inside" on both firewalls and do a source ping from the ASAs:
ping inside
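The encaps/decaps check described in the answer above, as an added example that is not part of the original thread: it parses two captures of "show crypto ipsec sa" from each ASA (sample snippets below are constructed in the ASA counter-line format) and reports where the A-to-B ping traffic stops.

```python
import re

# Constructed sample snippets in the format of ASA "show crypto ipsec sa" output,
# captured twice on each firewall while pinging from site A to site B.
SITE_A_BEFORE = """
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
"""
SITE_A_AFTER = """
    #pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
"""
SITE_B_BEFORE = """
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
"""
SITE_B_AFTER = SITE_B_BEFORE  # nothing changed at site B during the ping

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_counters(text):
    """Sum encaps/decaps over every SA in one show crypto ipsec sa capture."""
    totals = {"encaps": 0, "decaps": 0}
    seen = set()
    for name, val in COUNTER_RE.findall(text):
        totals[name] += int(val)
        seen.add(name)
    if seen != set(totals):
        raise ValueError("missing counters: %s" % sorted(set(totals) - seen))
    return totals

def delta(before, after):
    """How much each counter moved between the two captures."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b[k] for k in ("encaps", "decaps")}

def diagnose(a_before, a_after, b_before, b_after):
    """Apply the thread's logic: A encaps -> B decaps -> B encaps -> A decaps."""
    da, db = delta(a_before, a_after), delta(b_before, b_after)
    if da["encaps"] == 0:
        return "A: no encaps - traffic never enters the tunnel at A (routing, NAT exemption or crypto ACL)"
    if db["decaps"] == 0:
        return "B: no decaps - ESP from A is not arriving at B (possible ISP block A->B)"
    if db["encaps"] == 0:
        return "B: no encaps - return traffic never enters the tunnel at B (routing or NAT at B)"
    if da["decaps"] == 0:
        return "A: no decaps - ESP from B is not arriving at A (possible ISP block B->A)"
    return "tunnel carries traffic both ways; the problem is beyond the VPN"

if __name__ == "__main__":
    print(diagnose(SITE_A_BEFORE, SITE_A_AFTER, SITE_B_BEFORE, SITE_B_AFTER))
```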
08-23-2010 03:33 PM
It is most likely that there is a routing or NAT 0 issue.
If you capture "show cry ipsec sa" multiple times on both sides, do you see the encr/decr counts incrementing?
Please paste your configuration from both sides if you would like us to check it for you.