
Cannot access ASA after network change

Roger Richards
Level 1

I will try to make sense as I am. I do not have access to all my resources at this location.

Attached is the updated network diagram, as opposed to what was previously created. I have the same setup on the other side of the VPN except my

ASA is 10.10.20.2

2921 is 10.10.20.1

Local network 172.20.16.0

Other Side

ASA is 10.10.10.2

2921 is 10.10.20.1

Local network 10.20.60.0

I can get to all nodes except the ASA on the opposite sides.

I'll try to elaborate more


Roger Richards
Level 1

************* IGNORE THE NOTES ON THE IMAGE **********

router_net1.11.gif

I have no tools in my location so I had to use the next best thing.

Roger

So you ssh from 10.20.60.x to the inside interface of the remote ASA, i.e. 10.10.20.2?

Are you sure the traffic is not going through the VPN tunnel?

Jon

Yes... and cannot get to it...

Should it not go through the tunnel? How can I confirm that it is or isn't? I did do a tracert route and at one time..

it showed me the first hop was my 17.20.16.11

then it showed me a 66.185.x.x which is a router on the internet trying to get to the other side.

Also, before I changed the other side to match the new router setup, I could've reached the ASA when the inside interface was 172.20.16.11; now it's 10.10.20.2

** Note that this is after the first side was changed and worked... accessing the ASA used to work. Now when second side changed no workie. **

Just to clarify, when you did the original change that we had all those posts about, it still worked okay?

And then you did another site and now it isn't working?

If so, what did you change on the ASA in the second site, and what about the routing internally?

Jon

The change went exactly as the other site.. but with different IPs of course.. The routing to the data and other subnets is working fine.

The only issue is getting across the VPN to manage the ASAs. Either with ssh or ASDM...

So how I see it maybe;

my inside interface of the asa 10.10.10.1 ===== vpn ====== 10.10.20.2 .. probably doesn't know how to get to it?

Roger

I think the issue is with your crypto map access lists, i.e. before, the ASAs had inside interfaces on the client network, but now they are using different IPs and you haven't included those IPs in the ACL applied to your crypto map for the VPN.

Check both ASAs.

Jon
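Added example, not part of the thread and not Cisco tooling: a small offline check of the point made in the answer above, testing whether a flow to the remote ASA's new inside address matches any ACL bound to a crypto map. The config text is constructed; the ACL name `VPN_ACL`, the crypto map name `outside_map`, the /24 masks and the extra `host 10.10.20.2` entry are assumptions, and only the addresses come from the thread.

```python
import ipaddress
import re

# Constructed config for the ASA on the 10.20.60.0 side (names and masks assumed).
SAMPLE_CONFIG = """\
access-list VPN_ACL extended permit ip 10.20.60.0 255.255.255.0 172.20.16.0 255.255.255.0
crypto map outside_map 1 match address VPN_ACL
"""
# Same config plus an entry covering the remote ASA's inside address (assumed fix;
# the peer ASA would need the mirrored entry).
FIXED_CONFIG = SAMPLE_CONFIG + (
    "access-list VPN_ACL extended permit ip 10.20.60.0 255.255.255.0 host 10.10.20.2\n"
)

def take_net(tokens):
    """Consume one ASA address spec (any | host A | NET MASK) from a token list."""
    first = tokens.pop(0)
    if first in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def crypto_acl_entries(config):
    """Return (src, dst) networks of permit-ip ACEs in ACLs bound to a crypto map."""
    bound = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))
    entries = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip (.+)", line.strip())
        if m and m.group(1) in bound:
            tokens = m.group(2).split()
            src = take_net(tokens)
            entries.append((src, take_net(tokens)))
    return entries

def is_interesting(config, src_ip, dst_ip):
    """True if src_ip -> dst_ip matches a crypto ACL entry, i.e. would be tunnelled."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in crypto_acl_entries(config))

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(name, "LAN->LAN:", is_interesting(cfg, "10.20.60.5", "172.20.16.10"),
              "LAN->remote ASA:", is_interesting(cfg, "10.20.60.5", "10.10.20.2"))
```

It only understands `any`, `host A` and `NET MASK` address forms in `permit ip` entries; object-groups and deny lines are out of scope.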

It was....

Thanks again...
