We have a few remote access

Ty Melrose · ‎10-26-2016

I am trying to connect a small office (5 people) to our main office using a Cisco RV220W to our ASA 55120-X. I can get the VPN connected without issue but I cannot ping any of our internal VLANs. The network at the main office is our ASA then a 3850 Router configured for router on a stick with 5 VLANs. I have tried configuring the VPN to connect to both the 192.168.80.0 network the remote site needs access to as well as the network for the inside interface. Neither configuration allows me to access the resources I need to.

JP Miranda Z · ‎10-26-2016

Hi Ty Melrose,

Can you share the tunnel and nat configuration?

If the tunnel is up can you see phase 1 and 2 up? show crypto isa sa / sh cry ipsec sa

This guide explains step by step the config between an ASA and a RV:

http://sbkb.cisco.com/CiscoSB/GetArticle.aspx?docid=7200e3b590e443af8f27a1ca957705ba_Configuring_a_Site_to_Site_VPN_tunnel_between_RV_Series_Rout.xml

Hope this info helps!!

Rate if helps you!!

-JP-

Ty Melrose · ‎10-26-2016

We have a few remote access users that are in the mix so if I miss something, please let me know.

8   IKE Peer: <Remote Site IP>
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Crypto map tag: Outside_map, seq num: 1, local addr: <Main Site IP>

      access-list Outside_cryptomap extended permit ip 192.168.80.0 255.255.255.0 192.168.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      current_peer: 162.229.254.9

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:<Main Site IP>/0, remote crypto endpt.: <Remote Site IP>/0
      path mtu 1600, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 0BC9DD1A
      current inbound spi : 10A9F793

    inbound esp sas:
      spi: 0x10A9F793 (279574419)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14110720, crypto-map: Outside_map
         sa timing: remaining key lifetime (sec): 3386
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x0BC9DD1A (197778714)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14110720, crypto-map: Outside_map
         sa timing: remaining key lifetime (sec): 3386
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

JP Miranda Z · ‎10-26-2016

Ty Melrose,

Seems like ph1 and ph2 as you told us before, now i don't see any encaps or decaps which means there is no traffic passing through the tunnel, can you share your nat configuration on the ASA? Are you initiating the traffic behind of the ASA or behind the RV?

You can also share a packet tracer like the following:

packet-tracer input inside icmp 192.168.80.10 8 0 192.168.100.10 detail

After running that command you can also share a show crypto ipsec sa.

Hope this info helps!!

Rate if helps you!!

-JP-

5512 to RV series- VPN connects but no traffic