
Forum Replies

  1. Hi Taslim,

    There's no need to do this, the ASA will permit the site-to-site traffic by default. One thing to remember when configuring site-to-site VPNs is to configure NAT exemption. By default the ASA will translate all packets from the INSIDE, even when the destination is on the other side of the tunnel.


  2. Hi Zaman,

    Aggressive mode can be configured in the crypto map:

    ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive

    And transport mode in the transform set:

    ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET mode ?
    configure mode commands/options:
      transport  mode transport

    The first lifetime (ikev1 policy) is for phase 1 and the lifetime in the crypto map is for phase 2.


  3. Hi Rene,

    I modified the network in your example with a few more nodes on each site. The network diagram is attached.

    The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
    Ping and wget from End Node 1 to Web Server 1 is working and from End Node 2 to Web Server 2 is also working.

    However, the ping/wget from End node in one site to the web server on the other site is not working in either direction. When checked with ASA logs, the tunnel is set up and the ping is getting delivered to the web server, but the web server is not responding to the ping request.

    Can you please help me find out the issue?

  4. Hmm, if you can ping from end node 1 to end node 2 then your IPsec tunnel is up and running. If you are able to ping within the local subnet then at least you know your IP addresses are configured correctly. A couple of things to check/try here:

    1. Do your webservers have a correct default gateway? Maybe they don't know how to get outside of their own subnet.

    2. The ACL that you use for your IPsec tunnel. Does it permit all traffic between and Make sure it matches the traffic that you want to get through the tunnel.
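    The NAT exemption from reply 1, the phase 1 / phase 2 lifetimes from reply 2 and the crypto ACL check from point 2 above, put together in one ASA configuration fragment. This is an added example, not configuration from the thread or from Rene's lesson; it assumes ASA 8.3 or later NAT syntax, and the subnets (192.168.1.0/24 behind ASA1, 192.168.2.0/24 behind ASA2), the peer address 2.2.2.2 and the pre-shared key are constructed placeholder values. The names MY_CRYPTO_MAP and MY_TRANSFORM_SET are taken from reply 2.

```cisco
! Added example (not from the page). Assumed topology: site 1 LAN 192.168.1.0/24 on ASA1's
! inside interface, site 2 LAN 192.168.2.0/24 behind peer ASA2 at 2.2.2.2 (placeholders).

! Objects describing both LANs; reused by the NAT exemption rule below
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0

! Crypto ACL: it must match exactly the traffic that should enter the tunnel (point 2 above).
! Anything not matched here is sent out the outside interface in clear text, and if the
! peer's ACL is not the mirror image of this one, phase 2 will fail.
access-list LAN1_TO_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! NAT exemption (reply 1): identity NAT for LAN1 -> LAN2 so the source address stays
! 192.168.1.x and still matches the crypto ACL. Manual NAT lives in section 1 and is
! evaluated before the object NAT (PAT) rule in section 2.
nat (inside,outside) source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup

! Ordinary PAT for internet-bound traffic from LAN1
object network LAN1_PAT
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Phase 1: the lifetime under the ikev1 policy is the IKE SA lifetime (reply 2)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK

! Phase 2: the lifetime set in the crypto map entry is the IPsec SA lifetime (reply 2)
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
crypto map MY_CRYPTO_MAP 10 match address LAN1_TO_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 2.2.2.2
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface outside

! Verification for the symptom in reply 3 (echo arrives, reply never comes back): trace a
! simulated ping from a site 1 host to a site 2 host and confirm the NAT phase hits the
! exemption rule and the VPN phase reports the packet as encrypted rather than dropped.
packet-tracer input inside icmp 192.168.1.10 8 0 192.168.2.10
show nat
show crypto ipsec sa
```

    The same fragment is needed on ASA2 with the object, ACL and peer values swapped; the crypto ACL on each side must be the exact mirror of the other. When packet-tracer shows the NAT phase matching the dynamic PAT rule instead of the exemption, the exemption rule is either missing or ordered after another manual NAT rule that matched first.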


  5. Hello Kartika,

    The command show crypto isa sa detail will show you the values for the encryption, hash and so on; however, it does not give you the number of the policy in use. Looking at the hash you can then determine the policy; however, a more elegant way would be to initiate a debug crypto isakmp and bring the tunnel down and back up again and follow the phase one negotiation messages. The debug messages will show the router going through each individual policy until it finds a match and you can determine which policy was matched.

    I hope this has been helpful!

