Hi everyone,

If I understood Parvez' email, the VPN is not a LAN-2-LAN between ASAs. It looks as though the VPN is between ASA1 and the RTR.

Based on that topology, I think his original SSH statements look ok. However, let me know if I missed something.

Parvez, SSH traffic to the ASA itself doesn't require any "permits" on the outside ACL. Just a corresponding "ssh" statement, which you have.

Double-check ASA1 and ensure your routing and VPN setup is correctly directing 10.60.x.x destined traffic through the VPN, and that your 10.70.x.x sourced traffic is not being NAT'd (on ASA1 or on your RTR)...if it arrives at ASA2 other than 10.70.x.x, it won't match your "ssh" statement.

Likewise verify the reverse path and ensure that 10.60.x.x is included in your interesting VPN traffic on your RTR, and that routing to it is up, and that you're exempting it from NAT for VPN traffic.

Jason

Sent from my iPhone

On Jul 7, 2012, at 12:36 AM, Piotr Tokarzewski <[email protected]> wrote:

> Hi,
>
> You must set management interface:
> management-access inside
>
> and then use this interface instead of outside:
> SSh 10.70.X.X Inside
>
> SSh 10.60.X.X Inside
>
> Regards
> Piotr
>
> 2012/7/7 Parvez Ahmad <[email protected]>
> Hello,
>
> Topology
>
> LAN1(10.70.X.X)-------ASA1(Public)--------------Internet-------------(Public)Router1-----(Outside)ASA2(Inside)----LAN2(10.60.X.X)
>
> There is site to site IPSec tunnel between ASA1 and Router1; I want to access ASA2 over the VPN from LAN1.
>
> I put below commands on ASA2 by taking remote.
>
> SSh 10.70.X.X outside
>
> SSh 10.60.X.X Inside
>
> And apply an ACL to permit source IP (10.70.x.x) and destination IP (any) port tcp 22 on outside interface.
>
> But it is still not working. However it is working from LAN2.
>
> Please suggest, how I can access ASA2 over the IPSec VPN from LAN1.
>
> Thanks,
>
> Parvez
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
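An added example, not part of the original thread: a small Python check of the point in Jason's reply that a source address which was NAT'd on the way no longer matches the "ssh" statement on ASA2. The /16 masks, the sample addresses and the function names are assumptions, since the thread elides the real addresses.

```python
import ipaddress

# Constructed sample: the two "ssh" statements from the thread, with an
# assumed /16 mask (the thread only gives 10.70.X.X and 10.60.X.X).
ASA2_CONFIG = """\
ssh 10.70.0.0 255.255.0.0 outside
ssh 10.60.0.0 255.255.0.0 inside
"""


def parse_ssh_rules(config):
    """Return (network, interface) pairs from 'ssh <addr> <mask> <if>' lines."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].lower() != "ssh":
            continue  # skips other lines such as "ssh timeout 5"
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # four-word ssh lines that are not address rules
        rules.append((net, parts[3].lower()))
    return rules


def diagnose(rules, src_ip, interface):
    """Classify an SSH attempt by the source address as the ASA sees it."""
    src = ipaddress.ip_address(src_ip)
    hits = [iface for net, iface in rules if src in net]
    if interface.lower() in hits:
        return "allowed"
    if hits:
        return "wrong-interface"  # source is listed, but on another interface
    return "no-match"  # e.g. the source was NAT'd before reaching the ASA


if __name__ == "__main__":
    rules = parse_ssh_rules(ASA2_CONFIG)
    # Constructed sources: a LAN1 host, and the same host after being NAT'd
    # to a public address (203.0.113.10 is a documentation address).
    for src in ("10.70.5.20", "203.0.113.10"):
        print(src, "->", diagnose(rules, src, "outside"))
```
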
