CISCO ASA VPN Site to site Problem

lmel
Level 1

Hey

We changed the public IP at one site, and now we are trying to establish a new IPsec tunnel between both sites (Cisco ASA 7.2; it was working before the public IP change).

I was able to establish the tunnel, but I cannot ping either end's remote networks, and I cannot understand what is happening.

As I don't have much experience with the ASA, I configured the tunnel with ASDM, added the public IP, the local and remote networks, and the same PSK, and I have checked Phase 1 and Phase 2 on both ends to make sure they match.

I need some clarification:

1. How do I add routes to forward traffic inside the tunnel? Is this added automatically?
2. Would I be able to ping the "inside" interfaces on both ends once the VPN was working?

 

Thanks

5 Replies

Marvin Rhoads
Hall of Fame

The routes generally use the default route to the outside unless you have any existing conflicting routes that would direct the traffic elsewhere. Changing only the peer's public address normally shouldn't change that.

When testing a site-to-site VPN it is best to use an actual remote host address on the other end. An ASA won't normally respond from an interface address to traffic that came in from a remote interface.

The quickest way to check traffic is going into and coming out of a tunnel on an ASA site-to-site VPN is with "show crypto ipsec sa". Look for encaps and decaps on the relevant SAs (security associations = pairs of local and remote subnet addresses in this context) to increase as traffic is introduced.

Hey

Thank you for the reply.

"The routes generally use the default route to the outside"

You mean there is no need to add any route for the VPN? We are doing the VPN configuration via ASDM. Should I be able to ping the inside interface on both ends if the tunnel was working?

I was able to establish the tunnel, but I can't ping any IP across the tunnel. What could generate this behavior? I added the local and remote networks in the VPN wizard.

It would help if you could share some more details of the actual configuration. For instance, you say you are able to establish the tunnel. What command output are you using to verify that? A useful one for us to see would be:

show crypto ipsec sa peer <address of the remote peer>

Also can you share output from the packet-tracer command run from cli. That will tell us generally if things are setup to allow the traffic.

packet-tracer input <name of your inside interface> tcp <address of a host that should be allowed to communicate to the remote end> 1025 <address of a remote end host> 80
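The two replies above suggest watching the encaps/decaps counters in "show crypto ipsec sa" move as test traffic is sent. The script below is an added example, not code from the original thread or from Cisco: it parses two snapshots of that output (constructed here, with the layout approximated from the ASA's format and RFC 5737 documentation addresses) and reports, per SA, whether traffic is entering the tunnel in both directions, only one direction, or not at all. The sample text, the field names it relies on and the verdict strings are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show crypto ipsec sa" output, taken twice a few
# seconds apart while pings are running. Layout approximated; not real output.
SNAPSHOT_BEFORE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("#pkts encaps: 40", "#pkts encaps: 55") \
                                .replace("#pkts encrypt: 40", "#pkts encrypt: 55")

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")

# Verdict strings (assumed wording for this example).
NO_TRAFFIC = "no traffic entering tunnel: check crypto ACL, NAT exemption and routing with packet-tracer"
ONE_WAY_OUT = "one-way: local side encrypts, nothing comes back (check remote side routing/ACL)"
ONE_WAY_IN = "one-way: remote traffic arrives, local replies are not encrypted (check local routing/NAT)"
BIDIRECTIONAL = "bidirectional: tunnel is carrying traffic"


@dataclass
class IpsecSa:
    local_net: str = ""
    remote_net: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0

    def key(self):
        return (self.local_net, self.remote_net, self.peer)


def parse_ipsec_sa(text):
    """Return one IpsecSa per 'local ident' block found in the output."""
    sas, cur = [], None
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            cur = IpsecSa(local_net=f"{m.group(1)}/{m.group(2)}")
            sas.append(cur)
            continue
        if cur is None:
            continue
        if (m := REMOTE_RE.search(line)):
            cur.remote_net = f"{m.group(1)}/{m.group(2)}"
        elif (m := PEER_RE.search(line)):
            cur.peer = m.group(1)
        elif (m := ENCAPS_RE.search(line)):
            cur.encaps = int(m.group(1))
        elif (m := DECAPS_RE.search(line)):
            cur.decaps = int(m.group(1))
    return sas


def verdict(before, after):
    """Classify an SA by how its counters moved between two snapshots."""
    d_enc = after.encaps - before.encaps
    d_dec = after.decaps - before.decaps
    if d_enc == 0 and d_dec == 0:
        return NO_TRAFFIC
    if d_dec == 0:
        return ONE_WAY_OUT
    if d_enc == 0:
        return ONE_WAY_IN
    return BIDIRECTIONAL


def compare_snapshots(before_text, after_text):
    """Map each SA key (local net, remote net, peer) to a verdict string."""
    before = {sa.key(): sa for sa in parse_ipsec_sa(before_text)}
    after = {sa.key(): sa for sa in parse_ipsec_sa(after_text)}
    return {k: verdict(before[k], after[k]) for k in before if k in after}


if __name__ == "__main__":
    for key, result in compare_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(key, "->", result)
```

On the constructed sample the local side's encaps count rises while decaps stays at zero, which is the pattern Marvin describes: traffic is being pushed into the tunnel here, so the next place to look is the far end's routing or crypto ACL rather than this ASA's configuration.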

johnlloyd_13
Level 9

Hi,

Did you change to a new 'outside' public IP?

Can the remote ASA firewall ping the new IP?

 

Hey, thanks for the reply.

We added the new public IP on a different interface of the ASA (internet is working) and disabled the old interface, then we ran the VPN wizard to establish the new connection with the local and remote networks added. We can ping the public IPs.

We were able to establish the tunnel, but we can't ping any IP across the tunnel.
We have another tunnel working with another site. Can existing ACLs from the other tunnel conflict? Should I add routes manually?
