Site2site VPN (RV325 Router & ASA firewall 5555)

andrwalk
Cisco Employee

All,

Unfortunately I have a customer that is exposed from a service coverage point of view (which we are currently resolving & proposing a direct SmartNet service).

However, just wondering whether anyone would be able to provide some guidance on the following issue:

I can see the VPN tunnel activated between the ASA5555 and RV325 device.

Client devices connected to the RV device (and using its DHCP) are unable to log onto the network domain which is behind the firewall.

They cannot ping LAN subnets behind the firewall even though these LAN subnets and client DHCP scope are allowed via the VPN tunnel.

Any help would be much appreciated.

Andrew

Accepted Solution

Hi Andrew,

On this case, we will need to see the counters of the SAs built on both sides, on the ASA:

- show crypto isakmp sa --> check if Phase 1 is up
- show crypto ipsec sa peer <Peer IP address> --> check if the ASA is encrypting or decrypting the traffic.
    + If you see encaps and no decaps on the ASA, it is most likely an issue on the remote side.
    + If you see decaps and no encaps, it is a misconfiguration on the ASA.

Recommended steps from the ASA perspective:

* Make sure the traffic is matching at both sides.
* Make sure there is NAT exemption, to avoid the traffic from being NATed dynamically.
* Review the routing, to see if the traffic from the RV325 is being reached from the outside of the ASA (use tracert or Packet Tracer).
* Make sure there is no overlapping on your side with the destination address. Also make sure that there is no other site-to-site set up with the same destination.
* After this, clear the SAs on both sides; on the ASA the command is --> clear crypto ipsec sa peer <Peer IP address>.

Please proceed to rate and mark as correct this post if it was helpful!

Regards,

David Castro
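The encaps/decaps rule in the answer above is easy to apply by eye on one tunnel, but on an ASA with several peers it helps to parse the output once and classify every SA the same way. The following Python script is an added example written for this thread, not Cisco tooling or the answer's own code. It parses the per-SA blocks of `show crypto ipsec sa` output (the `Crypto map tag`, `local ident`, `remote ident`, `current_peer` and `#pkts encaps`/`#pkts decaps` lines), applies the answer's classification, and also flags the "another site-to-site with the same destination" case by reporting any remote network that appears under more than one peer. The sample output embedded below is constructed to mimic the ASA format; all addresses, map names and counters in it are placeholders.

```python
"""Classify IPsec SA counters from ASA `show crypto ipsec sa` output.

Added troubleshooting aid for the thread above (not Cisco's code). Rule applied:
  encaps > 0, decaps == 0  -> ASA sends but nothing returns: look at the remote side
  decaps > 0, encaps == 0  -> ASA receives but never encrypts: NAT exemption,
                              routing or crypto ACL on the ASA
  both zero                -> nothing matched the crypto ACL at all
"""
import re

# Constructed sample output (placeholder addresses): two SAs for the same
# remote network under two different peers, one in each failure direction.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 2487, #pkts encrypt: 2487, #pkts digest: 2487
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 198.51.100.21

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 530, #pkts decrypt: 530, #pkts verify: 530
"""

SA_START = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/[^/]+/[^)]+\)")
PEER = re.compile(r"current_peer: (\S+)")
ENCAPS = re.compile(r"#pkts encaps: (\d+)")
DECAPS = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sas(text):
    """Return one dict per SA block: map, seq, local, remote, peer, encaps, decaps."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_START.search(line)
        if m:  # a new SA block starts at the crypto map header line
            cur = {"map": m.group(1), "seq": int(m.group(2)),
                   "local": None, "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = IDENT.search(line)
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"  # network/mask
            continue
        m = PEER.search(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = ENCAPS.search(line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = DECAPS.search(line)
        if m:
            cur["decaps"] = int(m.group(1))
    return sas


def classify(sa):
    """Apply the encaps/decaps rule from the thread to one SA."""
    e, d = sa["encaps"], sa["decaps"]
    if e and not d:
        return "remote-side"
    if d and not e:
        return "asa-config"
    if not e and not d:
        return "no-traffic"
    return "bidirectional"


def find_duplicate_destinations(sas):
    """Remote networks negotiated with more than one peer (overlapping site-to-site)."""
    by_remote = {}
    for sa in sas:
        by_remote.setdefault(sa["remote"], set()).add(sa["peer"])
    return {net: peers for net, peers in by_remote.items() if len(peers) > 1}


def report(text):
    sas = parse_ipsec_sas(text)
    rows = [(sa["peer"], sa["local"], sa["remote"], classify(sa)) for sa in sas]
    return rows, find_duplicate_destinations(sas)


if __name__ == "__main__":
    rows, dupes = report(SAMPLE_OUTPUT)
    for peer, local, remote, verdict in rows:
        print(f"peer {peer}: {local} -> {remote}: {verdict}")
    for net, peers in dupes.items():
        print(f"WARNING: {net} is a destination for several peers: {sorted(peers)}")
```

Paste the real `show crypto ipsec sa peer <Peer IP address>` output in place of `SAMPLE_OUTPUT` (or read it from a file) and the script prints one verdict per SA; a `remote-side` verdict means the ASA end is encrypting and the RV325 side should be checked next, while `asa-config` means the return traffic arrives but the ASA never builds outbound packets, which is where the NAT exemption and routing checks in the answer apply.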
