Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
513
Views
0
Helpful
2
Replies

Side2Side not working

MPIBGC_Jena
Level 1
Level 1

‎12-11-2012 07:10 AM

Hi,

we are trying to set up a side2side connection between 2 locations

over the internet.

We already have succesfully connected both ASAs, but we are not able

to comunicate through the tunnel.

10.64.0.0  IN-ASA-Remote-OUT-------INTERNET------OUT-ASA-Main

                                                                              |

                                                                          (is DMZ, only interface)

A ping on the remote side starts the tunnel, but the ping is lost - no reply.

When we try to traceroute from the Main-ASA to the remote ASA not the tunnel is

used, but the main gateway.

The Main-ASA has only one interface, because we do not use it for routing.

On the main side we have private and offical ip ranges, which should be transported

through the tunnel. On the remote side, we only have a private segment, which should

have direct access to our networks.

Normal VPN (ipsec and ssl) is running fine.

How can we check the routing ?

Which parts of the configuration would be helpful ?

Bye, Peer

Labels:
0 Helpful
2 Replies 2

Collin Clark
VIP Alumni
VIP Alumni

‎12-11-2012 07:14 AM

Take a look at this document, it's very helpful when troubleshooting VPN's.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

0 Helpful

ju_mobile
Level 1
Level 1

‎12-11-2012 03:16 PM

Hi,

As I understand it were going to have an interesting chat. You asked how you can verify connectivity and routing.
I would recommend that you use ping to verify that the two firewalls can communicate with each other.
The configuration of a single interface is not one that I've personally tried and I'm assuming that you would need to enable access between hosts on the same interface. The acl's would need to be defined for the same interface and your NAT translations if required would need to define the same interface.

If your gateways are different for Internet and your internal traffic then you will need to ensure that a static is in place for the peer or via the default and for the subnet your attempting to get to.

I'd have to suggest that you post your configurations. Do you really need the single interface, for simplicity would it not be easier to add an inside and the your routing for you remote subnet is sent to the inside.

Best Regards

Ju

http://helpamunky.wordpress.com/



Sent from Cisco Technical Support iPad App

0 Helpful
Customers Also Viewed These Support Documents