That's what I thought.
1. You cannot ping the other ASA's inside interface, as it is not pingable by
design.
2. You're trying to originate traffic from the outside IP address of ASA2,
so it's simply not hitting the crypto ACL.
Try to ping a host behind ASA2 from the host behind ASA3 and everything
should be fine.
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com

If you can't explain it simply, you don't understand it well enough - Albert Einstein

2011/9/30 Dinesh Patel <jedidinesh_at_googlemail.com>

> Hi All,
>
> I've added "Sysopt connection permit-vpn" to both sides.
>
> I have the following debug:
>
> asa2# sh debug
> debug crypto ipsec enabled at level 1
> debug crypto isakmp enabled at level 1
>
> I try to ping the remote side loopback
>
> asa2# ping 20.0.0.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
> ?????
> Success rate is 0 percent (0/5)
>
> I check the crypto:
>
> asa2# sh crypto isakmp sa
> There are no isakmp sas
>
> Is there any other debug I could enable? I've got a feeling something major
> is missing but can't put my finger on it.
>
> Rgds
> D.

Received on Fri Sep 30 2011 - 11:03:49 ART