Routing mess up.

ddevecka
Level 1

The Remote office can't ping or connect to network shares via the VPN (Site to Site) now, but it did work. According to the ASDM the tunnel is up, but the remote office can't ping through the tunnel. I know the only thing that changed was the routes in the ASA 5510 at HQ and 2811 Router at HQ.

Remote office (192.168.3.1 ASA 5505)-(Internet VPN Tunnel)-(ASA 5510 192.168.2.214) Corp Headquarters-Corp Network-2811 Router (192.168.2.1)--T1 to Data Center

Here are the routes from the ASA 5510 at Corp HQ:

route INET 0.0.0.0 0.0.0.0 A.B.C.D 1

route inside 192.168.3.0 255.255.255.0 192.168.2.1 1

route inside 192.168.0.0 255.255.255.0 192.168.2.1 1

route inside 10.100.101.0 255.255.255.0 192.168.2.1 1

route inside 172.16.0.0 255.255.255.0 192.168.2.1 1

route inside 192.168.200.0 255.255.255.0 192.168.2.1 1

route inside 192.168.100.0 255.255.255.0 192.168.2.1 1

route inside 0.0.0.0 0.0.0.0 172.16.0.10 tunneled

Here are the routes from the 2811 Router:

ip route 0.0.0.0 0.0.0.0 192.168.4.1

ip route 10.100.101.0 255.255.255.0 192.168.2.214

ip route 192.168.3.0 255.255.255.0 192.168.2.214

ip route 192.168.14.0 255.255.255.0 192.168.2.76

ip route 192.168.201.0 255.255.255.0 192.168.2.43

Which route is stopping my Remote office from being able to ping and hit network shares on the Corp Network?

Accepted Solution

Yes, now we can see packets being encrypted. So it should work.

HTH

Saju

Please rate if it helps!

16 Replies

singhsaju
Level 4

Hi,

192.168.3.0 is the remote subnet, but in your config it is pointing to the inside network on the HQ ASA.

Point it towards the outside interface (next hop).

no route inside 192.168.3.0 255.255.255.0 192.168.2.1 1

route outside 192.168.3.0 255.255.255.0 <next-hop> 1

HTH

Saju
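The point Saju makes above (the route for the tunnel's remote subnet must leave via the interface the crypto map is applied to, because IPsec is applied on egress) is easy to check mechanically. The Python below is an added example, not part of the original thread: it parses the HQ ASA route lines as posted, does a longest-prefix lookup for the tunnel's remote subnet, and flags any route that would carry that subnet out an interface other than the crypto-map interface. The crypto-map interface name "INET" and the remote subnet 192.168.3.0/24 are taken from the "show crypto ipsec sa" output later in the thread; the route text is the thread's own list embedded as constructed input.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample input: the HQ ASA 5510 static routes as posted in the
# thread. A.B.C.D is the ISP next hop, kept as a placeholder like the original.
HQ_ASA_ROUTES = """\
route INET 0.0.0.0 0.0.0.0 A.B.C.D 1
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
route inside 192.168.0.0 255.255.255.0 192.168.2.1 1
route inside 10.100.101.0 255.255.255.0 192.168.2.1 1
route inside 172.16.0.0 255.255.255.0 192.168.2.1 1
route inside 192.168.200.0 255.255.255.0 192.168.2.1 1
route inside 192.168.100.0 255.255.255.0 192.168.2.1 1
route inside 0.0.0.0 0.0.0.0 172.16.0.10 tunneled
"""

# Assumed from the thread: crypto map "bubba" sits on INET and its remote
# ident (the far side of the site-to-site tunnel) is 192.168.3.0/24.
CRYPTO_MAP_INTERFACE = "INET"
TUNNEL_REMOTE_SUBNETS = ["192.168.3.0/24"]


class Route(NamedTuple):
    interface: str
    network: ipaddress.IPv4Network
    next_hop: str
    tunneled: bool


# route <iface> <net> <mask> <next-hop> [metric] [tunneled]
ROUTE_RE = re.compile(
    r"^route\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
    r"(?:\s+(\d+))?(?:\s+(tunneled))?\s*$"
)


def parse_routes(text: str) -> List[Route]:
    """Parse ASA 'route' lines; raise on anything not understood."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised route line: {line!r}")
        iface, net, mask, hop, _metric, tunneled = m.groups()
        routes.append(Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                            hop, tunneled is not None))
    return routes


def egress_for(routes: List[Route], dest: str) -> Route:
    """Longest-prefix match for dest. 'tunneled' routes are skipped: the ASA
    uses them only for traffic that arrived through a VPN tunnel, so they do
    not decide how HQ LAN traffic is routed toward the site-to-site peer."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if not r.tunneled and addr in r.network]
    if not candidates:
        raise LookupError(f"no route for {dest}")
    return max(candidates, key=lambda r: r.network.prefixlen)


def egress_interface(routes: List[Route], dest: str) -> str:
    return egress_for(routes, dest).interface


def check_tunnel_routing(routes: List[Route], crypto_interface: str,
                         remote_subnets: List[str]) -> List[Route]:
    """Return every route that would send a tunnel-protected destination out
    an interface other than the crypto-map interface. IPsec is applied on
    egress: a packet for 192.168.3.0/24 routed out 'inside' never meets the
    crypto map on INET and is never encrypted."""
    bad: List[Route] = []
    for subnet in remote_subnets:
        net = ipaddress.IPv4Network(subnet)
        # check both ends of the subnet so a more-specific route covering
        # only part of it is caught as well
        for dest in (net.network_address, net.broadcast_address):
            r = egress_for(routes, str(dest))
            if r.interface != crypto_interface and r not in bad:
                bad.append(r)
    return bad


def default_routes(routes: List[Route]) -> List[Route]:
    """All 0.0.0.0/0 entries, so a plain default plus a 'tunneled' default
    shows up as two distinct routes rather than looking like a typo."""
    return [r for r in routes if r.network.prefixlen == 0]


if __name__ == "__main__":
    routes = parse_routes(HQ_ASA_ROUTES)
    for r in check_tunnel_routing(routes, CRYPTO_MAP_INTERFACE, TUNNEL_REMOTE_SUBNETS):
        print(f"WRONG WAY: route {r.interface} {r.network.with_netmask.replace('/', ' ')} "
              f"{r.next_hop} (tunnel traffic must leave via {CRYPTO_MAP_INTERFACE})")
    for r in default_routes(routes):
        print(f"default via {r.interface} -> {r.next_hop}"
              + (" [tunneled: applies to VPN-sourced traffic only]" if r.tunneled else ""))
```

Run against the posted table it reports the "route inside 192.168.3.0 ..." entry; delete that line and the remote subnet falls through to the INET default, which is all the tunnel needs. The check covers routing only: as the rest of the thread shows, a missing NAT exemption stops return traffic just as effectively, and that is not visible in the route table.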

What if I just left the route statement out completely?

I am trying what you recommend but the remote office is now closed so I will post results tomorrow.

Thanks,

Dan

Yes, you can leave it out also. It should work as you have a default route pointing to the next hop (outside).

HTH

Saju

a.alekseev
Level 7

Your route in HQ is incorrect:

route inside 192.168.3.0 255.255.255.0 192.168.2.1 1

should be

route INET 192.168.3.0 255.255.255.0 A.B.C.D 1

or just remove this route.

I removed the route and they still can't ping or get to network shares.

BTW I removed the route from the HQ ASA.

Hi,

Sorry, I missed this earlier: you have two default routes on the HQ ASA.

What is the following route for?

route inside 0.0.0.0 0.0.0.0 172.16.0.10 tunneled

Can you remove this route and check?

HTH

Saju

That is to tunnel Remote access internet VPN traffic out through our data center.

Different VPN config. I am having the issue with the site to site VPN (192.168.3.X).

Can you ping the inside ip address of the remote VPN device (maybe 192.168.3.1)?

Post "show crypto ipsec sa" from the HQ ASA, and the configs of both sides too if possible.

I did remove the route tunneled statement and nothing.

Here is the show crypto:

interface: INET

Crypto map tag: bubba, seq num: 1, local addr: A.B.C.D

local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

current_peer: W.X.Y.Z

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 769, #pkts decrypt: 769, #pkts verify: 769

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: A.B.C.D, remote crypto endpt.: W.X.Y.Z

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 33EC1507

inbound esp sas:

spi: 0x55E3AC6B (1440984171)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 1, crypto-map: bubba

sa timing: remaining key lifetime (kB/sec): (3824939/24213)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x33EC1507 (871109895)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 1, crypto-map: bubba

sa timing: remaining key lifetime (kB/sec): (3825000/24212)

IV size: 8 bytes

replay detection support: Y

The traffic through the tunnel is coming from the remote side but it is not going back from the HQ ASA side, as we can see pkts being decrypted.

Do you have NAT bypass access-list in place on HQ ASA?

Can you ping 192.168.3.1 (source the packets from the inside interface of the HQ ASA) and then paste "sh crypto ipsec sa"?
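The reading Saju gives of the counters above (decaps climbing, encaps stuck at zero, so HQ never sends anything back into the tunnel) is the standard one-way-tunnel signature. The Python below is an added example, not part of the original thread: it pulls the packet counters, proxy identities and outbound SPI out of "show crypto ipsec sa" output, classifies the SA as bidirectional, rx-only, tx-only or idle, and refuses to diff two snapshots whose outbound SPI differs, because counters are per-SA and restart at zero after a rekey. The two samples are the thread's own outputs, trimmed to the lines the check reads and embedded as constructed input; the hint strings are mine and summarise what the thread itself ended up checking.

```python
import ipaddress
import re
from typing import Dict

# Constructed sample input: the two 'show crypto ipsec sa' excerpts posted in
# the thread, trimmed to the lines this check reads. A.B.C.D / W.X.Y.Z are the
# public endpoints, kept as placeholders like the original.
SA_BEFORE_FIX = """\
interface: INET
Crypto map tag: bubba, seq num: 1, local addr: A.B.C.D
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: W.X.Y.Z
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 769, #pkts decrypt: 769, #pkts verify: 769
#send errors: 0, #recv errors: 0
current outbound spi: 33EC1507
"""

SA_AFTER_FIX = """\
interface: INET
Crypto map tag: bubba, seq num: 1, local addr: A.B.C.D
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: W.X.Y.Z
#pkts encaps: 66, #pkts encrypt: 66, #pkts digest: 66
#pkts decaps: 676, #pkts decrypt: 676, #pkts verify: 676
#send errors: 0, #recv errors: 0
current outbound spi: 964DAE35
"""

COUNTER_RE = re.compile(
    r"#(pkts encaps|pkts encrypt|pkts decaps|pkts decrypt|send errors|recv errors):\s*(\d+)"
)
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
SPI_RE = re.compile(r"current outbound spi:\s*([0-9A-Fa-f]+)")

# Hint text is the example author's, not the thread's; it lists the checks
# the thread itself worked through for the HQ side.
HINTS = {
    "rx-only": ("peer traffic is decrypted here but nothing is encrypted back: "
                "check this side first (return traffic must match the crypto ACL, "
                "be exempt from NAT, and be routed out the crypto-map interface)"),
    "tx-only": "we encrypt but never decrypt: run the same checks on the peer",
    "idle": "no traffic either way: nothing matching the crypto ACL has been sent yet",
    "bidirectional": "encrypt and decrypt counters both non-zero: the tunnel carries traffic",
}


def parse_sa_counters(text: str) -> Dict[str, int]:
    """Per-SA packet counters, keyed like pkts_encaps / pkts_decaps / ..."""
    return {k.replace(" ", "_"): int(v) for k, v in COUNTER_RE.findall(text)}


def parse_sa_idents(text: str) -> Dict[str, str]:
    """{'local': CIDR, 'remote': CIDR} for the SA's proxy identities."""
    return {side: str(ipaddress.IPv4Network(f"{net}/{mask}"))
            for side, net, mask in IDENT_RE.findall(text)}


def classify(counters: Dict[str, int]) -> str:
    enc = counters.get("pkts_encaps", 0)
    dec = counters.get("pkts_decaps", 0)
    if enc and dec:
        return "bidirectional"
    if dec:
        return "rx-only"
    if enc:
        return "tx-only"
    return "idle"


def diagnose(text: str) -> Dict[str, str]:
    counters = parse_sa_counters(text)
    idents = parse_sa_idents(text)
    state = classify(counters)
    return {
        "local": idents.get("local", "?"),
        "remote": idents.get("remote", "?"),
        "state": state,
        "hint": HINTS[state],
        "send_errors": str(counters.get("send_errors", 0)),
    }


def counter_delta(before: str, after: str) -> Dict[str, int]:
    """Counter movement between two snapshots of the same SA. Counters reset
    when the SA is re-keyed, so snapshots with different outbound SPIs are
    refused rather than producing a misleading (even negative) delta."""
    spi_b, spi_a = SPI_RE.search(before), SPI_RE.search(after)
    if not spi_b or not spi_a or spi_b.group(1).upper() != spi_a.group(1).upper():
        raise ValueError("outbound SPI changed between snapshots; SA was re-keyed")
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    return {k: a[k] - b.get(k, 0) for k in a}


if __name__ == "__main__":
    for label, sample in (("before", SA_BEFORE_FIX), ("after", SA_AFTER_FIX)):
        d = diagnose(sample)
        print(f"{label}: {d['local']} <-> {d['remote']} is {d['state']}: {d['hint']}")
```

Note that the two outputs in the thread cannot be diffed against each other: the outbound SPI changed between them (33EC1507 to 964DAE35), which is why decaps "went down" from 769 to 676. To confirm a fix, take two snapshots of the same SA a few pings apart and look at the delta.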

I can't ping 192.168.3.1 because they have a D-LINK DSL router in front of the ASA. The reason for the D-Link is to get ethernet, and it blocks incoming traffic unless it comes from the inside interface.

Someone else configured this part of the VPN and I only saw one ACL entry and it was for the remote access VPN, so I added access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0.

So did it work after you added the access-list statement? Can you paste show crypto ipsec sa ?

They can ping now, and I am waiting to hear if they can hit network shares.

Sorry, here is the sh crypto:

interface: INET

Crypto map tag: bubba, seq num: 1, local addr: A.B.C.D

local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

current_peer: W.X.Y.Z

#pkts encaps: 66, #pkts encrypt: 66, #pkts digest: 66

#pkts decaps: 676, #pkts decrypt: 676, #pkts verify: 676

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 66, #pkts comp failed: 0, #pkts decomp failed: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: A.B.C.D, remote crypto endpt.: W.X.Y.Z

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 964DAE35

inbound esp sas:

spi: 0x011AF583 (18544003)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 1, crypto-map: bubba

sa timing: remaining key lifetime (kB/sec): (3824947/25110)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x964DAE35 (2521673269)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 1, crypto-map: bubba

sa timing: remaining key lifetime (kB/sec): (3824954/25109)

IV size: 8 bytes

replay detection support: Y
