Problem accessing an adjacent remote network over VPN (2 ASA5505)

Unanswered Question
Aug 12th, 2007

Hello all,


I have 2 ASA5505 (CORP and remote) connected via VPN. The remote site contains 2 subnets (192.168.1.0/24 and 192.168.0.0/24 (for remote VPN users)). The corp site has 192.168.2.0/24 directly connected to ASA5505 and an adjacent network connected via another device namely the 172.16.0.0/16 network.


I am able to ping site-to-site between 192.168.0 -> 192.168.2

and

192.168.1 -> 192.168.2


I am unable to ping from remote site to the 172.16 network however.


I added permit entries to both my NAT and crypto ACLs, and when I try to ping the remote 172.16 network I get the following message on my CORP ASA:


4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside


The reply is timing out, though.


Any tips would be appreciated!


My ACLs:


REMOTE SITE:

#NONAT
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0

#CRYPTO ACL
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0


CORP SITE:

#NONAT
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 172.17.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 200
nat (inside) 1 0.0.0.0 0.0.0.0

#CRYPTO ACL
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0



Thanks in advance!

acomiskey Mon, 08/13/2007 - 09:57

The config looks ok.


If you were trying to ping 172.16.x.x I don't see why the log would be what you displayed. Where are you pinging from, the remote site?


"4 Aug 12 2007 02:59:52 400010 192.168.2.1 192.168.0.10 IDS:2000 ICMP echo reply from 192.168.2.1 to 192.168.0.10 on interface inside"


Does the 172.16 network have a route to the 192.168.0.0 and 192.168.1.0 network?

edubrovs1 Mon, 08/13/2007 - 10:29

My apologies, I forgot to post that I resolved the problem. The issue was that I was connecting to the remote site via VPN. Looking at the secure routes in the SSL client, I realized that I had no route to the 172 network. I added the networks I was missing to the split-tunnel ACL and poof, it all started working.


Regards,

Ed
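The resolution above is a good illustration of why a remote-access client can fail to reach a network that every site-to-site ACL already permits: the client only sends a destination into the tunnel if the split-tunnel ACL lists it, so the packet never reaches the remote ASA's nat0 or crypto ACLs at all. The script below is an added example, not part of the original thread. It replays the access-lists the poster published against the flow in question (a client on 192.168.0.0/24 pinging the 172.16 network) and also checks that the two crypto ACLs are mirror images, which is the other thing worth verifying on a site-to-site tunnel. The split-tunnel ACL, its name split_tunnel and the host 172.16.5.20 are constructed for the example, since the thread does not show them.

```python
"""Added example (not from the thread): replay the poster's ASA access-lists
against one flow and check the crypto ACLs mirror each other.

The extended ACL lines are copied from the thread. The split-tunnel ACL, the
name "split_tunnel" and the target host 172.16.5.20 are constructed."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source network, destination network)

# Remote ASA: the nat0 entry and the crypto ACL 100 entries from the thread.
REMOTE_NAT0 = """
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
"""
REMOTE_CRYPTO = """
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
# Corp ASA: the matching nat0 entry and crypto ACL 105 from the thread.
CORP_NAT0 = """
access-list 200 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
"""
CORP_CRYPTO = """
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 105 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
# CONSTRUCTED: split-tunnel ACL pushed to the SSL clients on 192.168.0.0/24.
# "Before" lacks the 172.16.0.0/16 entry the poster said was missing.
SPLIT_BEFORE = """
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.2.0 255.255.255.0
"""
SPLIT_AFTER = SPLIT_BEFORE + "access-list split_tunnel standard permit 172.16.0.0 255.255.0.0\n"


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N extended permit ip S SM D DM' and
    'access-list N standard permit D DM' lines. A standard ACL (as used for
    split tunnelling) names only a destination, so its source is 0.0.0.0/0."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "access-list" or f[3] != "permit":
            continue
        if f[2] == "extended" and f[4] == "ip" and len(f) >= 9:
            entries.append((Net(f"{f[5]}/{f[6]}", strict=False),
                            Net(f"{f[7]}/{f[8]}", strict=False)))
        elif f[2] == "standard":
            entries.append((Net("0.0.0.0/0"), Net(f"{f[4]}/{f[5]}", strict=False)))
    return entries


def permits(entries: List[Entry], src: str, dst: str) -> bool:
    """True if any entry covers the flow src -> dst."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in entries)


def flow_path(src: str, dst: str, split_acl: str) -> Dict[str, bool]:
    """Every ACL a packet from a remote-access client to the corp side must
    satisfy: forward on the remote ASA, reversed (return traffic) on corp."""
    return {
        "split_tunnel (client sends into tunnel)": permits(parse_acl(split_acl), src, dst),
        "remote nat0 (NAT exempt)": permits(parse_acl(REMOTE_NAT0), src, dst),
        "remote crypto 100": permits(parse_acl(REMOTE_CRYPTO), src, dst),
        "corp crypto 105 (return)": permits(parse_acl(CORP_CRYPTO), dst, src),
        "corp nat0 200 (return)": permits(parse_acl(CORP_NAT0), dst, src),
    }


def unmirrored(local: str, peer: str) -> List[Entry]:
    """Entries of `local` whose exact reverse is absent from `peer`.
    Site-to-site crypto ACLs must be mirror images or the proxy IDs of
    the two peers will not agree."""
    peer_reversed = {(d, s) for s, d in parse_acl(peer)}
    return [e for e in parse_acl(local) if e not in peer_reversed]


if __name__ == "__main__":
    for label, acl in (("before fix", SPLIT_BEFORE), ("after fix", SPLIT_AFTER)):
        print(label, flow_path("192.168.0.10", "172.16.5.20", acl))
    print("remote crypto entries with no mirror on corp:",
          unmirrored(REMOTE_CRYPTO, CORP_CRYPTO))
```

Run as-is, the "before" report shows every site-to-site ACL already permitting the flow and only the split-tunnel check failing, which matches the symptom in the thread: the corp ASA never saw the 172.16-bound packets because the client never tunnelled them. The mirror check is informational here: the two 192.168.0.0/24 <-> 192.168.1.0/24 entries in ACL 100 have no counterpart in ACL 105, but that traffic is local to the remote site and never reaches the crypto map, so it does not affect the tunnel.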
