Artie Lange wrote:
> P1 wrote:
>> Site-to-site VPN between two ASAs. From the ASA, I can't ping hosts
>> on the remote network, other side of the site-to-site. I would like
>> to be able to upload the config (write net) to a tftp server there.
>>
>> Thanks,
>> Paul
>
>
> Must create ACL. You have chosen to check ACL for VPN traffic
>
>
> access-list OUTSIDE_access_in extended permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.255.0
>
> general allow IP rule, source is remote network to local network
> customize for icmp
I was unsuccessful... Partial configs below, public IPs changed to
protect the innocent...
FIREWALL 1:
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 68.40.247.2 255.255.255.0
 no igmp
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
access-list outside extended permit ip 172.16.1.0 255.255.255.0 192.168.30.0 255.255.255.0
!
FIREWALL 2:
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 208.206.113.196 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
access-list outside extended permit ip 192.168.30.0 255.255.255.0 172.16.1.0 255.255.255.0
!
Thanks again,
Paul
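
Added example, not part of the original thread: a small Python check that evaluates the two `access-list outside` entries from the posted configs against sample packets, to show which source/destination pairs they match and which fall through to the implicit deny. The host addresses 172.16.1.10 and 192.168.30.20 are constructed, and the parser handles only the `permit|deny ip <net> <mask> <net> <mask>` form used in the post.

```python
import ipaddress

# ACL entries copied from the two partial configs in the post (joined onto one line).
FW1_ACL = "access-list outside extended permit ip 172.16.1.0 255.255.255.0 192.168.30.0 255.255.255.0"
FW2_ACL = "access-list outside extended permit ip 192.168.30.0 255.255.255.0 172.16.1.0 255.255.255.0"


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ip SRC MASK DST MASK'."""
    tok = line.split()
    if len(tok) != 9 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("unsupported ACE form: " + line)
    if tok[3] not in ("permit", "deny") or tok[4] != "ip":
        raise ValueError("only permit/deny ip entries are handled: " + line)
    src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}")
    dst = ipaddress.ip_network(f"{tok[7]}/{tok[8]}")
    return {"name": tok[1], "action": tok[3], "src": src, "dst": dst}


def evaluate(acl_lines, src_ip, dst_ip):
    """First matching entry wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        ace = parse_ace(line)
        if src in ace["src"] and dst in ace["dst"]:
            return ace["action"]
    return "implicit deny"


if __name__ == "__main__":
    # Constructed sample packets: inside hosts plus each firewall's own outside address.
    samples = [
        ("FIREWALL 1", FW1_ACL, "172.16.1.10", "192.168.30.20"),
        ("FIREWALL 1", FW1_ACL, "208.206.113.196", "192.168.30.20"),
        ("FIREWALL 2", FW2_ACL, "192.168.30.20", "172.16.1.10"),
        ("FIREWALL 2", FW2_ACL, "68.40.247.2", "172.16.1.10"),
    ]
    for fw, acl, src, dst in samples:
        print(f"{fw}: {src} -> {dst}: {evaluate([acl], src, dst)}")
```

Both entries match only traffic whose source and destination sit inside the two inside subnets; a packet sourced from either firewall's outside interface address matches neither entry.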