ISSUE:
I have a site-to-site VPN tunnel, but LAN traffic is not passing, e.g. ping, RDP.
1. On restarting the ASA firewall I cannot see the tunnel coming up in ASDM:
Monitoring --> VPN --> Sessions - before, I could see the tunnel up. Do I need to send a ping to the other side of the VPN LAN to bring it up? e.g. LAN --> VPN --> LAN
packet-tracer input inside icmp 192.168.33.51 8 8 10.221.31.67
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside inside destination static nco-vpn-remote nco-vpn-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.221.31.67/0 to 10.221.31.67/0
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.33.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any log
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
============
access-list cached ACL log flows: total 63, denied 63 (deny-flow-max 4096) alert-interval 300
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip object-group vpn-remote object inside log informational interval 300 (hitcnt=0) 0x715de0ee
access-list outside_access_in line 1 extended permit ip 10.221.31.0 255.255.255.0 192.168.33.0 255.255.255.0 log informational interval 300 (hitcnt=0) 0x1785c769
access-list outside_access_in line 2 extended deny ip any any (hitcnt=0) 0x2c1c6a65
access-list inside_access_in; 2 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 remark Remote Desktop Services
access-list inside_access_in line 2 extended permit object RDP object inside object-group vpn-remote (hitcnt=0) 0x90ab3bee
access-list inside_access_in line 2 extended permit tcp 192.168.33.0 255.255.255.0 eq 3389 10.221.31.0 255.255.255.0 eq 3389 (hitcnt=0) 0x2a74e5fb
access-list inside_access_in line 3 extended deny ip any any log informational interval 300 (hitcnt=8221) 0xbe9efe96
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip object inside object-group vpn-remote (hitcnt=12) 0xaa67a4f9
access-list outside_cryptomap line 1 extended permit ip 192.168.33.0 255.255.255.0 10.221.31.0 255.255.255.0 (hitcnt=12) 0xaa99fc57
Many thanks in advance.
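
The ACCESS-LIST drop in the packet-tracer output above can be reproduced offline by evaluating the two expanded inside_access_in entries from the post in first-match order. This is an added example, not part of the original post; the evaluator, its function names and the sample source port 50123 are constructed for illustration.

```python
import ipaddress

# Expanded entries of inside_access_in, copied from the output in the post.
# Fields: (line, action, proto, src_net, src_port, dst_net, dst_port); None = any.
ACL = [
    (2, "permit", "tcp", "192.168.33.0/24", 3389, "10.221.31.0/24", 3389),
    (3, "deny", "ip", "0.0.0.0/0", None, "0.0.0.0/0", None),
]


def evaluate(proto, src, dst, sport=None, dport=None, acl=ACL):
    """Return (line, action) of the first entry that matches the flow."""
    for line, action, p, snet, sp, dnet, dp in acl:
        if p != "ip" and p != proto:
            continue  # "ip" matches every protocol, otherwise it must be equal
        if ipaddress.ip_address(src) not in ipaddress.ip_network(snet):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(dnet):
            continue
        if sp is not None and sp != sport:
            continue  # "eq 3389" after the source network tests the SOURCE port
        if dp is not None and dp != dport:
            continue
        return line, action
    return None, "deny"  # implicit deny when nothing matches


def report():
    """Evaluate three flows from the inside host used in the packet-tracer run."""
    host, peer = "192.168.33.51", "10.221.31.67"
    flows = {
        "icmp echo (packet-tracer flow)": ("icmp", host, peer, None, None),
        # 50123 is a constructed ephemeral client port
        "rdp, ephemeral source port": ("tcp", host, peer, 50123, 3389),
        "tcp source 3389 -> dest 3389": ("tcp", host, peer, 3389, 3389),
    }
    return {name: evaluate(*flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (line, action) in report().items():
        print(f"{name:32} -> line {line}: {action}")
```

Only a flow whose source port is also 3389 reaches the permit on line 2, which is consistent with the hitcnt=0 on that entry and the hit count on the deny at line 3.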