Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.

VPN s2s Issues

Hi all,

I have two cisco ASA used to connect two offices.

In the main office I have a HTTP server and SMTP server.

In the remote office I have two Vlans (vlan 1 and vlan 90).

Both remote vlans can ping to the HTTP and SMTP server, only the VLAN 1 can access to the HTTP and SMTP service, but, the VLAN 90 can access to these services.

I think is some configuration in the ASA, please give me an advice.

Best regards.


Super Bronze

VPN s2s Issues


Would really need to see some configurations to see what the problem could be.

Since there is somekind of connectivity between the servers and the 2 LAN network it would sound like a problem with some VPN Filter or Interface ACL or perhaps something on the actual servers blocking the connections.

- Jouni


VPN s2s Issues

Hi Jouni, thanks for your reply. This is the config of the remote site:

The network can reach all services of the main office.

The network 10.2.90.X /91.X/92.X/93.X can ping all the servers of tha main office, but cannot access the HTTP and SMTP services.



interface Ethernet0/0

description MPLS

switchport access vlan 2


interface Ethernet0/1

description LAN


interface Ethernet0/2

description INTERNET

switchport access vlan 3


interface Ethernet0/3



interface Ethernet0/4



interface Ethernet0/5



interface Ethernet0/6



interface Ethernet0/7



interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif mpls

security-level 0

ip address


interface Vlan3

no forward interface Vlan2

nameif outside

security-level 0

ip address X.X.X.X


ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside extended permit icmp any any

access-list nonat extended permit ip

access-list nonat extended permit ip

access-list nonat extended permit ip

access-list nonat extended permit ip

access-list nonat extended permit ip

access-list nonat extended permit ip

access-list Riverbed_TCP_Option_76 extended permit tcp any any log

access-list Riverbed_TCP_Option_78 extended permit tcp any any log

access-list lpz extended permit ip

access-list lpz extended permit ip

access-list lpz extended permit ip

access-list lpz extended permit ip

access-list lpz extended permit ip

access-list lpz extended permit ip

access-list mpls extended permit icmp any any


tcp-map Riverbed_TCP_Option_76_Tmap

  tcp-options range 76 76 allow


tcp-map Riverbed_TCP_Option_78_Tmap

  tcp-options range 78 78 allow


pager lines 24

logging console debugging

mtu inside 1500

mtu mpls 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1

nat (inside) 1

nat (inside) 1

nat (inside) 1

nat (inside) 1

nat (inside) 1

access-group mpls in interface mpls

access-group outside in interface outside

route mpls 1

route outside 190.102.X.X

route inside 1

route inside 1

route inside 1

route inside 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

aaa authorization command LOCAL

http server enable

http inside

snmp-server host inside community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map promujer 10 match address lpz

crypto map promujer 10 set peer

crypto map promujer 10 set transform-set ESP-3DES-SHA

crypto map promujer interface mpls

crypto map promujer interface outside

crypto isakmp identity address

crypto isakmp enable mpls

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption aes

hash sha

group 2

lifetime 3600

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

no crypto isakmp nat-traversal


track 10 rtr 1 reachability

telnet timeout 5

ssh inside

ssh mpls

ssh timeout 5

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server source inside prefer

ntp server source inside


tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *****

class-map Riverbed_TCP_Option_76_Cmap

match access-list Riverbed_TCP_Option_76

class-map inspection_default

match default-inspection-traffic

class-map Riverbed_TCP_Option_78_Cmap

match access-list Riverbed_TCP_Option_78



policy-map type inspect dns preset_dns_map


  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect skinny

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect waas

  inspect http

class Riverbed_TCP_Option_76_Cmap

  set connection advanced-options Riverbed_TCP_Option_76_Tmap

class Riverbed_TCP_Option_78_Cmap

  set connection advanced-options Riverbed_TCP_Option_78_Tmap

service-policy global_policy global

CreatePlease to create content