Avatar of Techrunner

asked on 

Site to Site VPN Cisco ASA and Cisco Router

Hello Experts,
I have configured  Site to Site IPSec VPN between our Cisco ASA and Cisco Router. The VPN is up but I cannot ping the devices each other from both sites. I dont know what's wrong with the configuration I have Remote Access VPN configured on our ASA for Cisco Anyconnect and Cisco VPN Client

Router Configuration

hostname Router

ip cef
username admin privilege 15 password 0 come$takeit
crypto isakmp policy 2
 encr aes
 authentication pre-share
crypto isakmp key cisco123 address
crypto ipsec transform-set test esp-aes esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.1.1.1
 set peer
 set transform-set test
 match address 100
 log config
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly
interface Dialer1
 ip address negotiated
 ip access-group 101 out
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname **************
 ppp chap password 7 ************************
 ppp pap sent-username ********************************
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map SDM_CMAP_1
ip forward-protocol nd
ip route Dialer1
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip
access-list 101 remark SDM_ACL Category=19
access-list 101 remark IPSec Rule
access-list 101 deny   ip
access-list 101 permit ip any
route-map SDM_RMAP_1 permit 1
 match ip address 101
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
scheduler max-task-time 5000

ASA Configuration

      access-list Outside_1_cryptomap line 1 extended permit ip
      tunnel-group type ipsec-l2l
      tunnel-group ipsec-attributes
        pre-shared-key **********
        isakmp keepalive threshold 10 retry 2
      crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
      crypto map Outside_map 1 match address Outside_1_cryptomap
      crypto map Outside_map 1 set  peer
      crypto map Outside_map 1 set  transform-set  ESP-AES-128-SHA

Any help please?


Avatar of undefined
Last Comment
Avatar of lisarao

Security Appliance license must be enabled for Data Encryption Standard (DES) encryption

Check if you have ASDM Configured on ASA interface

else download and install cisco asmd

Once its installed you have plenty of ways to configure.

check this and reply back
Avatar of Techrunner


I have no idea what you are talking about

I have problem pinging the sites.
Avatar of Pete Long
Pete Long
Flag of United Kingdom of Great Britain and Northern Ireland image

>>I have no idea what you are talking about


Don't forget that ping is disabled on the ASA unless you have enabled ICMP in the inspection map

I'm quite weak on the router IOS (sorry)

Try to bring up the tunnel, then on the ASA issue a show cry isa command to see if phase 1 has esablished.
Avatar of Akinsd
Flag of United States of America image

Check if the "interesting traffic" (the 2 networks communicating) are exempted from NAT

Run a capture on the ASA and see if you see traffic on the inside and outside interface. If you see, both, then the traffic is not passing through the tunnel. You should only see traffic on the inside.

The tunnel formation is one thing (between 2 end points), while the traffic passing through the tunnel is another.
Avatar of anoopkmr
Flag of United States of America image

few things we have to check

a) do you have NAT enabled on the ASA  , if so  exempt the VPN  traffic from the NAT  and try the connectivity
b) check the  routing on both side Lan devices are proper ..  both side devices should have proper gateway to reach each other LAN  .
c)  only ping is not working :  inspect icmp in ASA  and try
d) enable Nat-traversal on ASA  and try :  crypto isakmp nat-trav 60
c) remove the access-list 101 from router dialer interface and try

even after doing all workaround still facing issues, kindly show the output of
show crypto isakmp sa  and show crypto ipsec sa  from router and ASA
Avatar of mannyfernandez

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial

A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo