Unable to access internal resources for site-to-site VPN

We have two ASAs. We just set up a site-to-site VPN. For some reason, we are not able to access the internal resources at the Main office from the Remote office. Do you have any suggestions? Thanks.

1 ACCEPTED SOLUTION

Cisco Employee

Re: Unable to access internal resources for site-to-site VPN

As wu suggested, please first confirm that the tunnel is up properly.

"sh cry isa sa" -> will tell you if phase 1 is up

"sh cry ips sa" -> will tell you if phase 2 is up

Now, once they are up, when you ping from site A to site B,

you should see encaps in site A and decaps in site B for traffic from A to B, and vice versa for the return traffic.

Now we need to see where it is failing.

It could be that the packet is reaching the ASA but not getting encrypted, or that the packet is not reaching the ASA at all.

You can run packet tracer to see if it is getting encapsulated, or in other words hits the VPN tunnel.

It could be a NAT issue, and sometimes, if it is a new setup, the ISP could have blocked ESP traffic in one direction or in both directions.

The best way to approach this is to enable "management-access inside" on both firewalls and do a source ping from the ASAs:

ping inside

2 REPLIES

Re: Unable to access internal resources for site-to-site VPN

It is most likely that there is a routing or NAT 0 issue.

If you capture "show cry ipsec sa" multiple times on both sides, do you see the encrypt/decrypt counts incrementing?

Please paste your configuration from both sides if you would like us to check it for you.
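To automate wu's check (take two "show crypto ipsec sa" captures and see whether the encaps/decaps counters move) and map the result onto the causes the accepted answer lists, here is an added Python example; it is not from this thread or from Cisco, the captures are constructed to mimic the ASA output format, and the verdict wording is an assumption of mine.

```python
# Two captures of "show crypto ipsec sa" from the site A ASA, taken a few seconds
# apart while pinging A's LAN -> B's LAN. Constructed to mimic ASA output; not real.
CAPTURE_1 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Second capture: ten more pings left site A encrypted, still nothing came back.
CAPTURE_2 = CAPTURE_1.replace("encaps: 120", "encaps: 130").replace("encrypt: 120", "encrypt: 130")

# What each counter pattern points at, in the terms the thread uses.
ADVICE = {
    "none": "no counter moves: traffic never hits the crypto map here; packet-tracer routing, NAT exemption, crypto ACL",
    "tx-only": "encaps rise, decaps do not: nothing comes back; check remote NAT exemption/routing, or ISP blocking ESP",
    "rx-only": "decaps rise, encaps do not: replies are not entering the tunnel here; packet-tracer the return flow",
    "both": "both rise: the tunnel carries traffic both ways; look past it (interface ACLs, host firewalls)",
}

def parse_counters(text):
    """Map (local ident, remote ident) -> (encaps, decaps) for every SA in a capture."""
    sas, local, remote = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("local ident"):
            local = line.rsplit("(", 1)[1].rstrip(")")
        elif line.startswith("remote ident"):
            remote = line.rsplit("(", 1)[1].rstrip(")")
        elif line.startswith("#pkts encaps:"):
            encaps = int(line.split(",")[0].split(":")[1])
        elif line.startswith("#pkts decaps:"):  # last counter line of an SA block
            decaps = int(line.split(",")[0].split(":")[1])
            sas[(local, remote)] = (encaps, decaps)
    return sas

def diagnose(before, after):
    """Classify each SA by which counters moved between the two captures."""
    verdicts = {}
    for sa, (enc1, dec1) in after.items():
        enc0, dec0 = before.get(sa, (0, 0))  # an SA absent from the first capture started at zero
        tx, rx = enc1 > enc0, dec1 > dec0
        verdicts[sa] = "both" if tx and rx else "tx-only" if tx else "rx-only" if rx else "none"
    return verdicts

if __name__ == "__main__":
    for sa, code in diagnose(parse_counters(CAPTURE_1), parse_counters(CAPTURE_2)).items():
        print(sa, "->", ADVICE[code])
```

Run it on both ASAs: a "tx-only" verdict on site A paired with "none" on site B is the pattern that points at ESP not arriving at B or B's NAT exemption missing, as the accepted answer describes.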
