We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 581 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


295 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Forum Replies

  1. Rene,

    Hello, that was very good! Is there any issue if there are two different versions of the ASA, one before 8.4 and one after with the keyword “ikev1” and “isakmp”, or is that just a local setting?



  2. Hi Chris,

    That shouldn't be an issue, these are just local commands.


  3. Hi Taslim,

    There's no need to do this, the ASA will permit the site-to-site traffic by default. One thing to remember when configuring site-to-site VPNs is to configure NAT excemption. By default the ASA will translate all packets from the INSIDE, even when the destination is on the other side of the tunnel.


  4. Hi Rene,

    I modified the network in your example with a few more nodes on each site. The network diagram is attached.

    The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
    Ping and wget from End Node 1 to Web Server 1 is working and from End Node 2 to Web Server 2 is also working.

    However, the ping/wget from End node in one site to the web server on the other site is not working in either direction. When checked with ASA logs, the tunnel is set up and the ping is getting delivered to the web server, but the web server is not responding to the ping request.

    Can you please help me find out the issue?

  5. Hmm if you can ping from end node 1 to end node 2 then your IPsec tunnel is up and running. If you are able to ping within the local subnet then at least you know your IP addresses are configured correctly. Couple of things to check/try here:

    1. Do your webservers have a correct default gateway? Maybe they don't know how to get outside of their own subnet.

    2. The ACL that you use for your IPsec tunnel. Does it permit all traffic between and Make sure it matches the traffic that you want to get through the tunnel.


58 more replies! Ask a question or join the discussion by visiting our Community Forum