407 Views, 3 Helpful, 2 Replies

Unable to access internal resources for site-to-site VPN

jill.johnson (Level 1)

We have two ASAs. We just set up a site-to-site VPN. For some reason, we are not able to access the internal resources at the Main office from the Remote office. Do you have any suggestions? Thanks.

Accepted Solution

As Wu suggested, please first confirm that the tunnel is up properly.

"sh cry isa sa" -> will tell you if phase 1 is up

"sh cry ips sa" -> will tell you if phase 2 is up

Now, once they are up, when you ping from site A to site B you should see encaps in site A and decaps in site B for traffic from A to B, and vice versa for the return traffic.

Now we need to see where it is failing.

It could be that the packet is reaching the ASA but not getting encrypted, or that the packet is not reaching the ASA at all.

You can run packet tracer to see if it is getting encapsulated, or in other words whether it hits the VPN tunnel.

It could be a NAT issue, and sometimes, if it is a new setup, the ISP could have blocked ESP traffic in one direction or in both directions.

The best way to approach this is to enable "management-access inside" on both firewalls and do a sourced ping from the ASAs:

ping inside


2 Replies

Yudong Wu (Level 7)

It is most likely that there is a routing or NAT 0 issue.

If you capture "show cry ipsec sa" multiple times on both sides, do you see the encry/decry counts incrementing?

Please paste your configuration from both sides if you would like us to check it for you.
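The counter check that Wu and the accepted answer both describe (take "show crypto ipsec sa" twice on each ASA, send pings in between, then see whether encaps on the sending side and decaps on the receiving side go up) can be scripted so the two failure modes are told apart mechanically. The Python below is an added example, not code from this thread or from Cisco: it parses the per-peer "#pkts encaps" / "#pkts decaps" lines from constructed sample output in the usual ASA format, computes the deltas between snapshots, and classifies each direction the way the answer does. No encaps on the sending ASA means the traffic never entered the tunnel (routing, NAT exemption or crypto ACL, which packet-tracer on that ASA would pinpoint); encaps on one side with no matching decaps on the other means ESP leaves but never arrives (the "ISP blocking ESP" case). The peer addresses, the sample output text and the one-crypto-map-entry-per-peer assumption are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Fields we need from "show crypto ipsec sa" output (ASA format assumed).
_PEER_RE = re.compile(r"current_peer:\s*(\S+)")
_ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


@dataclass(frozen=True)
class SaCounters:
    peer: str
    encaps: int  # packets this ASA encrypted and sent into the tunnel
    decaps: int  # packets this ASA received from the tunnel and decrypted


def parse_ipsec_sa(text: str) -> dict:
    """Map each peer address in 'show crypto ipsec sa' output to its counters.

    Assumes one 'Crypto map tag:' block per peer (the common site-to-site case).
    """
    counters = {}
    for block in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        peer = _PEER_RE.search(block)
        enc = _ENCAPS_RE.search(block)
        dec = _DECAPS_RE.search(block)
        if peer and enc and dec:
            counters[peer.group(1)] = SaCounters(
                peer.group(1), int(enc.group(1)), int(dec.group(1)))
    return counters


def _delta(before: dict, after: dict, peer: str, field: str) -> int:
    """Counter increase between two snapshots for one peer; 0 if the SA is absent."""
    b, a = before.get(peer), after.get(peer)
    if b is None or a is None:
        return 0
    return max(0, getattr(a, field) - getattr(b, field))


def diagnose_direction(src_encaps_delta: int, dst_decaps_delta: int, src: str, dst: str):
    """Classify one traffic direction from the sender's encaps and receiver's decaps deltas."""
    if src_encaps_delta == 0:
        return ("NOT_ENTERING_TUNNEL",
                f"{src}->{dst}: {src} encapsulated nothing; traffic is not reaching the "
                f"tunnel (check routing, NAT exemption and the crypto ACL; packet-tracer "
                f"on {src} shows which step drops it)")
    if dst_decaps_delta == 0:
        return ("ESP_LOST_IN_TRANSIT",
                f"{src}->{dst}: {src} encapsulated {src_encaps_delta} packets but {dst} "
                f"decapsulated none; ESP leaves {src} but never arrives at {dst} "
                f"(suspect ESP being filtered between the sites)")
    return ("OK", f"{src}->{dst}: encaps +{src_encaps_delta} at {src}, "
                  f"decaps +{dst_decaps_delta} at {dst}")


def diagnose_tunnel(a_before, a_after, b_before, b_after, a_addr, b_addr) -> dict:
    """Compare two snapshots from each ASA and classify both directions.

    a_addr/b_addr are the outside addresses of the two ASAs: site A's output
    lists B under current_peer and vice versa.
    """
    a_b, a_a = parse_ipsec_sa(a_before), parse_ipsec_sa(a_after)
    b_b, b_a = parse_ipsec_sa(b_before), parse_ipsec_sa(b_after)
    return {
        "A->B": diagnose_direction(_delta(a_b, a_a, b_addr, "encaps"),
                                   _delta(b_b, b_a, a_addr, "decaps"), "A", "B"),
        "B->A": diagnose_direction(_delta(b_b, b_a, a_addr, "encaps"),
                                   _delta(a_b, a_a, b_addr, "decaps"), "B", "A"),
    }


def sample_output(local: str, peer: str, encaps: int, decaps: int) -> str:
    """Constructed snippet in the shape of ASA 'show crypto ipsec sa' output."""
    return f"""\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: {local}

      current_peer: {peer}

      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
"""


# Constructed scenario using documentation addresses: site A encrypts 10 pings,
# site B never decapsulates anything, so B also has nothing to send back.
SITE_A, SITE_B = "203.0.113.1", "198.51.100.1"
SAMPLE_A_BEFORE = sample_output(SITE_A, SITE_B, 120, 0)
SAMPLE_A_AFTER = sample_output(SITE_A, SITE_B, 130, 0)
SAMPLE_B_BEFORE = sample_output(SITE_B, SITE_A, 0, 0)
SAMPLE_B_AFTER = sample_output(SITE_B, SITE_A, 0, 0)

if __name__ == "__main__":
    result = diagnose_tunnel(SAMPLE_A_BEFORE, SAMPLE_A_AFTER,
                             SAMPLE_B_BEFORE, SAMPLE_B_AFTER, SITE_A, SITE_B)
    for status, message in result.values():
        print(status, "-", message)
```

With the constructed snapshots the script reports ESP_LOST_IN_TRANSIT for A->B and NOT_ENTERING_TUNNEL for B->A, which is exactly the pattern a one-way ESP block between the sites produces; a healthy tunnel shows OK in both directions, and a NAT or routing problem on the Main office side shows NOT_ENTERING_TUNNEL there while the other direction may still be fine.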
