I have a site-to-site VPN tunnel but LAN traffic is not passing: e.g. ping, RDP.
1. On restarting the ASA firewall I cannot see the tunnel coming up in ASDM:
Monitoring --> VPN --> Sessions. Before, I could see the tunnel up. Do I need to send a ping to the other side of the VPN LAN to bring it up? e.g. LAN --> VPN --> LAN
packet-tracer input inside icmp 192.168.33.51 8 8 10.221.31.67
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside inside destination static nco-vpn-remote nco-vpn-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.221.31.67/0 to 10.221.31.67/0

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.33.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any log
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
access-list cached ACL log flows: total 63, denied 63 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip object-group vpn-remote object inside log informational interval 300 (hitcnt=0) 0x715de0ee
  access-list outside_access_in line 1 extended permit ip 10.221.31.0 255.255.255.0 192.168.33.0 255.255.255.0 log informational interval 300 (hitcnt=0) 0x1785c769
access-list outside_access_in line 2 extended deny ip any any (hitcnt=0) 0x2c1c6a65
access-list inside_access_in; 2 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 remark Remote Desktop Services
access-list inside_access_in line 2 extended permit object RDP object inside object-group vpn-remote (hitcnt=0) 0x90ab3bee
  access-list inside_access_in line 2 extended permit tcp 192.168.33.0 255.255.255.0 eq 3389 10.221.31.0 255.255.255.0 eq 3389 (hitcnt=0) 0x2a74e5fb
access-list inside_access_in line 3 extended deny ip any any log informational interval 300 (hitcnt=8221) 0xbe9efe96
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip object inside object-group vpn-remote (hitcnt=12) 0xaa67a4f9
  access-list outside_cryptomap line 1 extended permit ip 192.168.33.0 255.255.255.0 10.221.31.0 255.255.255.0 (hitcnt=12) 0xaa99fc57
Many thanks in advance.
Hi and thanks for your reply.
No PATing in the VPN.
Is the server range 10.221.2.0, .4.0 and .6.0 able to communicate with the 10.221.31.0 network without adding a static route, or should I use EIGRP to update routes dynamically?
Layer 2 switch
ASA 5506 f/w
Hi All. I have a site-to-site VPN between 1x ASA 5506 (HQ) & 1x ASA 5505 (remote). I cannot test the config until the remote f/w is deployed on site (remote).

Setup

HQ
x.x.x.x - outside
10.221.31.0 - inside
10.221.2.0 - Server group 1
10.221.4.0 - Server group 2
10.221.6.0 - Server group 3
route 0.0.0.0 0.0.0.0 x.x.x.x outside
VPN tunnel configured

My HQ question: do I need to create VLANs for the .2.0 - .4.0 - .6.0 servers and route the VLANs to the 10.221.31.1 inside gateway address for the remote site to reach them?

Remote Site
x.x.x.x - outside
192.168.33.0 - inside
192.168.33.50-200 DHCP pool configured, working, assigns DHCP + DNS
route 0.0.0.0 0.0.0.0 x.x.x.x outside
route 192.168.33.0 255.255.255.0 192.168.33.1 inside - "route already there" message when trying to add manually, but I can't see it in the routing table.
VPN tunnel configured

My REMOTE question: do I need to set up any additional routing/access list/NATting at the HQ f/w to reach the HQ servers from the REMOTE site?

Many thanks in advance. This is my first post and I am new to Cisco.
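The following is an added worked example, not configuration posted by anyone in this thread. It shows one way to reconfigure both ASAs to match what the posted packet-tracer and show access-list output reveal: the trace dies in Phase 3 on the inside interface ACL (only TCP/3389 is permitted, and the "RDP" service object also requires a source port of 3389, which an RDP client never uses, so both the RDP ACE and the ICMP test hit the final deny), and outside_cryptomap only carries 192.168.33.0/24 to 10.221.31.0/24, so the HQ server subnets asked about in the later posts are never treated as interesting traffic. Names taken from the posted output: inside, vpn-remote, nco-vpn-remote, RDP, inside_access_in, outside_cryptomap. Assumed for illustration: the HQ-side object names hq-lans and remote-lan, the HQ inside next hop 10.221.31.254, and that the NAT exemption can be rebuilt on the vpn-remote group.

```cisco
! Added example; not configuration from the thread.
! Posted names: inside, vpn-remote, nco-vpn-remote, RDP, inside_access_in,
! outside_cryptomap.  hq-lans, remote-lan and 10.221.31.254 are assumptions.

! ===== Remote ASA 5505 (the box whose packet-tracer output is posted) =====

! 1. Inside interface ACL.  Fix the RDP service object so it matches only the
!    destination port (the posted expansion "eq 3389 ... eq 3389" also pins the
!    client's source port, hence hitcnt=0), and insert an ICMP permit ABOVE the
!    final "deny ip any any log".  Line numbers matter: an ACE appended after the
!    deny is never evaluated.
object service RDP
 service tcp destination eq 3389
access-list inside_access_in line 3 extended permit icmp object inside object-group vpn-remote
! resulting order: 1 remark, 2 permit object RDP, 3 permit icmp, 4 deny ip any any log

! 2. Interesting traffic.  Add the HQ server subnets to the group that the
!    crypto ACL (outside_cryptomap) and the interface ACLs already reference.
object-group network vpn-remote
 network-object 10.221.31.0 255.255.255.0
 network-object 10.221.2.0 255.255.255.0
 network-object 10.221.4.0 255.255.255.0
 network-object 10.221.6.0 255.255.255.0

! 3. NAT exemption must cover exactly the same destinations as the crypto ACL,
!    or traffic to the new subnets is PATed and never matches the tunnel.
!    Replace the posted rule (which uses nco-vpn-remote) with one on the group
!    above, placed first in the manual NAT section.
no nat (inside,outside) source static inside inside destination static nco-vpn-remote nco-vpn-remote
nat (inside,outside) 1 source static inside inside destination static vpn-remote vpn-remote no-proxy-arp route-lookup

! ===== HQ ASA 5506-X =====
! Mirror image of the crypto ACL and NAT exemption, plus routes for the server
! subnets.  With only a Layer 2 switch behind the ASA, .2.0/.4.0/.6.0 must be
! reachable through an inside L3 hop (10.221.31.254 assumed) or be configured as
! additional ASA interfaces; either way the ASA needs a route to them.
object network remote-lan
 subnet 192.168.33.0 255.255.255.0
object-group network hq-lans
 network-object 10.221.31.0 255.255.255.0
 network-object 10.221.2.0 255.255.255.0
 network-object 10.221.4.0 255.255.255.0
 network-object 10.221.6.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group hq-lans object remote-lan
nat (inside,outside) 1 source static hq-lans hq-lans destination static remote-lan remote-lan no-proxy-arp route-lookup
route inside 10.221.2.0 255.255.255.0 10.221.31.254
route inside 10.221.4.0 255.255.255.0 10.221.31.254
route inside 10.221.6.0 255.255.255.0 10.221.31.254
```

Two checks worth doing after applying something like this: re-run the posted packet-tracer (it should now pass Phase 3 and show an IPSEC/VPN phase before the outside interface), and confirm the crypto ACL on each side is the exact mirror of the other, since a proxy-ID mismatch is the usual reason a tunnel negotiates for one pair of subnets but not another. Note also that decrypted traffic arriving on outside bypasses outside_access_in while the default sysopt connection permit-vpn is in effect, but the inside interface ACL is not bypassed for LAN-to-VPN traffic, which is exactly where the posted trace stops.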