You can originate traffic via the inside interface. Try "ping inside
20.0.0.1" from asa2. Also do a "debug crypto isakmp 255".
Timothy Chin
CCIE #23866
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Piotr Matusiak
Sent: Friday, September 30, 2011 5:04 AM
To: Dinesh Patel
Cc: Joseph L. Brunner; ccielab_at_groupstudy.com
Subject: Re: ASA Site to Site IP Sec tunnel problem
That's what I thought.
1. you cannot ping the other's ASA inside interface as it is not pingable
by design
2. you're trying to originate traffic from the outside IP address of the
ASA2, so it's simply not hitting the crypto ACL
try to ping a host behind ASA2 from the host behind ASA3 and everything
should be fine.
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough - Albert Einstein

2011/9/30 Dinesh Patel <jedidinesh_at_googlemail.com>
> Hi All,
>
> I've added "Sysopt connection permit-vpn" to both sides.
>
> I have the following debug:
>
> asa2# sh debug
> debug crypto ipsec enabled at level 1
> debug crypto isakmp enabled at level 1
> I try to ping the remote side loopback
> asa2# ping 20.0.0.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
> ?????
> Success rate is 0 percent (0/5)
>
> I check the crypto:
>
> asa2# sh crypto isakmp sa
> There are no isakmp sas
>
>
> Is there any other debug I could enable. I've got a feeling something major
> is missing but can't put my finger on it.
>
> Rgds
> D.
>
>
> Blogs and organic groups at http://www.ccie.net
>

Received on Fri Sep 30 2011 - 05:19:40 ART
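The point both replies make is that IKE is only triggered by traffic that matches the crypto ACL: a bare "ping 20.0.0.1" on the ASA is sourced from the outside interface, which no entry covers, so no SA is ever built and "sh crypto isakmp sa" stays empty. The following script is an added example (not code from the thread or from any participant) that parses ASA-style "access-list ... extended permit ip SRC MASK DST MASK" lines and reports whether a given source/destination pair would be selected for encryption. The ACL names, the 10.2.0.0/24 inside subnet and the 198.51.100.2 outside address are constructed; only the 20.0.0.0/24 remote side is taken from the thread. It also checks the two peers' ACLs against each other, since a crypto ACL that is not a mirror image of the remote side's is the other common reason a tunnel never comes up.

```python
"""Check which source/destination pairs match an ASA crypto ACL.

Constructed example: the ACLs, ACL names and addressing below are assumed
for illustration, not taken from the thread or from a real configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_address(tokens: List[str], pos: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ASA address spec (any | host A.B.C.D | A.B.C.D MASK).

    Returns the network and the index of the next unparsed token.
    """
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[pos + 1] + "/32"), pos + 2
    # ASA ACLs take subnet masks, not the wildcard masks IOS uses
    return ipaddress.IPv4Network((tok, tokens[pos + 1]), strict=False), pos + 2


def parse_crypto_acl(config_lines: List[str], acl_name: str) -> List[Ace]:
    """Collect 'access-list <name> extended <action> ip SRC DST' entries in order."""
    aces = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 7 or tokens[:2] != ["access-list", acl_name]:
            continue
        if tokens[2] != "extended" or tokens[4] != "ip":
            continue  # only plain IP entries are handled in this example
        action = tokens[3]
        src, pos = _parse_address(tokens, 5)
        dst, _ = _parse_address(tokens, pos)
        aces.append(Ace(action, src, dst))
    return aces


def first_match(acl: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """ACLs are evaluated top-down; the first entry covering src and dst wins."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace
    return None


def is_interesting(acl: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """True when the packet hits a permit entry, i.e. would trigger IKE / be encrypted."""
    ace = first_match(acl, src_ip, dst_ip)
    return ace is not None and ace.action == "permit"


def is_mirror_image(acl_a: List[Ace], acl_b: List[Ace]) -> bool:
    """Both peers must describe the same flows with source and destination swapped."""
    flipped_b = {(ace.action, ace.dst, ace.src) for ace in acl_b}
    return {(ace.action, ace.src, ace.dst) for ace in acl_a} == flipped_b


# Constructed configuration fragments for the two peers (assumed addressing).
ASA2_CONFIG = [
    "access-list VPN-TO-ASA3 extended permit ip 10.2.0.0 255.255.255.0 20.0.0.0 255.255.255.0",
]
ASA3_CONFIG = [
    "access-list VPN-TO-ASA2 extended permit ip 20.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0",
]
ASA2_OUTSIDE_IP = "198.51.100.2"  # constructed; source of a bare 'ping 20.0.0.1'
ASA2_INSIDE_IP = "10.2.0.1"       # constructed; source of 'ping inside 20.0.0.1'


def classify_pings() -> dict:
    """Show why the two ways of pinging the remote side behave differently."""
    acl2 = parse_crypto_acl(ASA2_CONFIG, "VPN-TO-ASA3")
    acl3 = parse_crypto_acl(ASA3_CONFIG, "VPN-TO-ASA2")
    return {
        "from_outside": is_interesting(acl2, ASA2_OUTSIDE_IP, "20.0.0.1"),
        "from_inside": is_interesting(acl2, ASA2_INSIDE_IP, "20.0.0.1"),
        "acls_mirrored": is_mirror_image(acl2, acl3),
    }


if __name__ == "__main__":
    for name, value in classify_pings().items():
        print(f"{name}: {value}")
```

Run as-is it prints that the outside-sourced ping is not interesting traffic, the inside-sourced one is, and the two ACLs mirror each other; feeding in your own "show running-config access-list" lines and outside address gives the same answer for a real pair of peers before you reach for "debug crypto isakmp".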
This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:26 ART