
ISP Migration - Site-to-Site VPN is affected

vipinrajrc
Level 3

Hi Experts,

I need your help so badly...

We migrated our client's ISP to a new one, so all the public IP addresses have changed. We have a dedicated VPN to this client. We changed the configuration on our side for the new IPs they have got: configurations like 1) crypto map 2) tunnel-group 3) route.

We uploaded the newly edited running-config to the startup-config using a TFTP server with the help of an on-site engineer. After the upload we restarted the ASA. The VPN tunnel was up within 4 minutes, and we were able to access all the servers on the client side.

BUT ONE VERY VERY BIG PROBLEM

We were not able to access the client's ASA from our side, but the on-site engineer could access the ASA from there. We can't even ping that ASA. We don't know what the reason is. We changed the configuration file using WordPad. After the changes we saved the configuration. No other configuration was changed except the public IP address.

So we reverted to the old configuration using a TFTP server from the client side. After the reload everything was up. And now we can access the ASA from our side with no problem. But we need to change this configuration to the new one...

Could anyone please help us with this disaster? Please, ASAP...

Did we do anything wrong? We didn't change any other configuration at all. That's the confusing part...

If you need any additional information, please post. We need to do this ASAP. It is a critical task. I'm still searching for a solution.

Thanks and Regards, Vipin
6 Replies

Jennifer Halim
Cisco Employee

What IP address of the client side ASA did you try to access? Is it the ASA inside interface IP address via the Site-to-Site VPN, or are you trying to access its outside IP address?

If you are trying to access its outside IP address, since the client site has changed ISP, then the IP Address that you will need to access will be the new IP Address?

Also, how do you access the client site ASA? via SSH or ASDM?

Also, do you have any firewall rule within your site that might block access to the new public IP if you are accessing it on its outside interface IP?

halijenn wrote:

What IP address of the client side ASA did you try to access? Is it the ASA inside interface IP address via the Site-to-Site VPN, or are you trying to access its outside IP address?

If you are trying to access its outside IP address, since the client site has changed ISP, then the IP Address that you will need to access will be the new IP Address?

Also, how do you access the client site ASA? via SSH or ASDM?

Also, do you have any firewall rule within your site that might block access to the new public IP if you are accessing it on its outside interface IP?

Hi Jennifer,

Yes, we were able to reach all the servers behind this ASA using the new public IP. That means the tunnel was UP. This client's ASA is a 5510. It has two inside networks; one is with security-level 100 and the other is with 90. Before this change we were able to telnet to the ASA using the IP address on the security-level 100 interface. But after this migration to the new IP address we can't telnet to this ASA using that IP address. There is no such rule to block this. But after we revert to the old configuration we are able to telnet using that IP address.

We also set this high security-level interface as the management interface.

We can telnet to that ASA from the client's server. We did a debug on that ASA. At that time we saw that the ICMP packets were coming from our side's machines, but we didn't see any ICMP reply to them. Do you get my points?

Don't know what the problem is...

Could you please help us?

Thanks & Regards

Vipin

Thanks and Regards, Vipin

Without actually looking at the configuration, it is really difficult to tell you what the issue/problem is.

You would need to post the configuration and also tell us the IP addresses you are trying to access to and from. With just a description in words, there could be many different possibilities; sometimes, even when you have the configuration correct, it could be other issues that are causing the problem.

The more information you post, the better we can assist. Otherwise, if you don't want to post the config, please open a TAC case, and an engineer can assist you straight away.

Hi Experts,

We got confirmation from the ISP that all the public IPs they gave us are blacklisted.

Is this the reason for not getting pings to the ASA? Is there any chance of this?

Regards

Vipin

Thanks and Regards, Vipin

Hi Jennifer,

Thanks for the update. I will send the details to you for the reference.

Thanks,

Vipin

Thanks and Regards, Vipin

Hi Jennifer, please see the attached network diagram, the current running configuration and the edited configuration that we uploaded to the ASA. This diagram is our client's. It has 2 internal interfaces. One is named "abc" and the other is named "def". The ASA's WAN interface is named "xyx". I hope this will help to solve this issue. Please update with your queries. We are also trying to solve this issue. Thanks, Vipin

Thanks and Regards, Vipin