07-22-2008 08:18 AM - edited 03-09-2019 09:08 PM
The Remote office can't ping or connect to network shares via the VPN (Site to Site) now, but it did work. According to the ASDM the tunnel is up, but the remote office can't ping through the tunnel. I know the only thing that changed was the routes in the ASA 5510 at HQ and 2811 Router at HQ.
Remote office (192.168.3.1 ASA 5505)-(Internet VPN Tunnel)-(ASA 5510 192.168.2.214) Corp Headquarters-Corp Network-2811 Router (192.168.2.1)--T1 to Data Center
Here are the routes from the ASA 5510 at Corp HQ.
route INET 0.0.0.0 0.0.0.0 A.B.C.D 1
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
route inside 192.168.0.0 255.255.255.0 192.168.2.1 1
route inside 10.100.101.0 255.255.255.0 192.168.2.1 1
route inside 172.16.0.0 255.255.255.0 192.168.2.1 1
route inside 192.168.200.0 255.255.255.0 192.168.2.1 1
route inside 192.168.100.0 255.255.255.0 192.168.2.1 1
route inside 0.0.0.0 0.0.0.0 172.16.0.10 tunneled
Here are the routes from the 2811 Router.
ip route 0.0.0.0 0.0.0.0 192.168.4.1
ip route 10.100.101.0 255.255.255.0 192.168.2.214
ip route 192.168.3.0 255.255.255.0 192.168.2.214
ip route 192.168.14.0 255.255.255.0 192.168.2.76
ip route 192.168.201.0 255.255.255.0 192.168.2.43
Which route messed up my Remote office from being able to ping and hit network shares on the Corp Network?
07-23-2008 07:48 AM
Yes, now we can see packets being encrypted. So it should work.
HTH
Saju
Please rate if it helps!
07-22-2008 08:52 AM
Hi,
192.168.3.0 is the remote subnet. But in your config it is pointing to the inside network on the HQ ASA.
Point it towards the outside interface (next hop).
no route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
route outside 192.168.3.0 255.255.255.0 next hop 1
HTH
Saju
07-22-2008 09:20 AM
What if I just left the route statement out completely?
I am trying what you recommend but the remote office is now closed so I will post results tomorrow.
Thanks,
Dan
07-22-2008 09:41 AM
Yes, you can leave it out also. It should work as you have a default route pointing to the next hop (outside).
HTH
Saju
07-22-2008 12:21 PM
Your route in HQ is incorrect:
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
should be
route INET 192.168.3.0 255.255.255.0 A.B.C.D 1
or just remove this route
07-23-2008 04:19 AM
I removed the route and they still can't ping or get to network shares.
BTW I removed the route from the HQ ASA.
07-23-2008 05:15 AM
Hi ,
Sorry, I missed it earlier: you have two default routes on the HQ ASA.
What is the following route for?
route inside 0.0.0.0 0.0.0.0 172.16.0.10 tunneled
Can you remove this route and check?
HTH
Saju
07-23-2008 05:19 AM
That is to tunnel Remote access internet VPN traffic out through our data center.
Different VPN config. I am having the issue with the site to site VPN (192.168.3.X).
07-23-2008 06:00 AM
Can you ping the inside ip address of the remote VPN device (maybe 192.168.3.1)?
Post "show crypto ipsec sa" from the HQ ASA, and configs too if possible of both sides.
07-23-2008 06:09 AM
I did remove the tunneled route statement and nothing.
Here is the show crypto:
interface: INET
Crypto map tag: bubba, seq num: 1, local addr: A.B.C.D
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: W.X.Y.Z
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 769, #pkts decrypt: 769, #pkts verify: 769
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: A.B.C.D, remote crypto endpt.: W.X.Y.Z
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 33EC1507
inbound esp sas:
spi: 0x55E3AC6B (1440984171)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: bubba
sa timing: remaining key lifetime (kB/sec): (3824939/24213)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x33EC1507 (871109895)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: bubba
sa timing: remaining key lifetime (kB/sec): (3825000/24212)
IV size: 8 bytes
replay detection support: Y
07-23-2008 06:19 AM
The traffic through the tunnel is coming from the remote side but it is not going back from the HQ ASA side, as we can see pkts being decrypted but none encrypted.
Do you have NAT bypass access-list in place on HQ ASA?
Can you ping 192.168.3.1 (source packets from the inside interface of the HQ ASA) and then paste "sh crypto ipsec sa"?
07-23-2008 06:34 AM
I can't ping 192.168.3.1 because they have a D-LINK DSL router in front of the ASA. The reason for the D-Link is to get Ethernet, and it blocks incoming traffic unless it comes from the inside interface.
Someone else configured this part of the VPN and I only saw one ACL entry and it was for the remote access VPN, so I added access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0.
07-23-2008 06:37 AM
So did it work after you added the access-list statement? Can you paste show crypto ipsec sa ?
07-23-2008 07:16 AM
They can ping now, and I am waiting to hear if they can hit network shares.
07-23-2008 07:20 AM
Sorry, here is the sh crypto:
interface: INET
Crypto map tag: bubba, seq num: 1, local addr: A.B.C.D
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: W.X.Y.Z
#pkts encaps: 66, #pkts encrypt: 66, #pkts digest: 66
#pkts decaps: 676, #pkts decrypt: 676, #pkts verify: 676
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 66, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: A.B.C.D, remote crypto endpt.: W.X.Y.Z
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 964DAE35
inbound esp sas:
spi: 0x011AF583 (18544003)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: bubba
sa timing: remaining key lifetime (kB/sec): (3824947/25110)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x964DAE35 (2521673269)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: bubba
sa timing: remaining key lifetime (kB/sec): (3824954/25109)
IV size: 8 bytes
replay detection support: Y
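As an added example (not part of the thread, and not Cisco tooling), a small Python check that applies Saju's diagnosis to the posted output: it finds which ASA interface the crypto map's remote ident would be routed out of, and flags the one-way counter pattern (decaps > 0, encaps == 0) seen in the first "show crypto ipsec sa". The route lines and the SA excerpt below are constructed from the thread; the function names are assumptions of mine.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: HQ ASA routes as first posted, with the remote
# subnet wrongly pointed at the inside interface.
ASA_ROUTES = """\
route INET 0.0.0.0 0.0.0.0 A.B.C.D 1
route inside 192.168.3.0 255.255.255.0 192.168.2.1 1
route inside 0.0.0.0 0.0.0.0 172.16.0.10 tunneled
"""

# Constructed excerpt of the first show crypto ipsec sa (one-way traffic).
SA_ONE_WAY = """\
interface: INET
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 769, #pkts decrypt: 769, #pkts verify: 769
"""

def parse_sa(text):
    """Extract crypto interface, remote ident and encaps/decaps counters."""
    iface = re.search(r"^interface:\s*(\S+)", text, re.M).group(1)
    net, mask = re.search(r"remote ident.*?: \(([\d.]+)/([\d.]+)/", text).groups()
    encaps = int(re.search(r"#pkts encaps:\s*(\d+)", text).group(1))
    decaps = int(re.search(r"#pkts decaps:\s*(\d+)", text).group(1))
    return {"iface": iface, "remote": ip_network(f"{net}/{mask}"),
            "encaps": encaps, "decaps": decaps}

def egress_interface(routes_text, dst):
    """Longest-prefix match of dst against ASA 'route' lines, ignoring tunneled routes."""
    dst, best = ip_address(dst), None
    for line in routes_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route" or "tunneled" in parts:
            continue
        net = ip_network(f"{parts[2]}/{parts[3]}")
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, parts[1])
    return best[1] if best else None

def diagnose(routes_text, sa_text):
    """Return findings: remote subnet routed away from the crypto interface, or one-way SA counters."""
    sa, findings = parse_sa(sa_text), []
    egress = egress_interface(routes_text, str(sa["remote"].network_address))
    if egress != sa["iface"]:
        findings.append(f"{sa['remote']} is routed via {egress}, not the crypto interface {sa['iface']}")
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way: peer traffic decrypted, nothing encrypted back (check route and NAT exemption)")
    return findings
```

With the inside route for 192.168.3.0 removed and the encaps counter climbing, as in the final output, `diagnose` returns no findings.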