Remote Office Not tunneling all traffic

Answered Question
Jul 30th, 2008

Attached is the 871 remote router config. It comes into the ASA under DefaultL2Lgroup. Another remote office comes in under the same tunnel group. Traffic to 192.168.0.0/24 works, but I also need the tunnel to pass all traffic to 10.8.0.0/24. Let me know what you think. Thanks.

ggilbert (Cisco Employee) Wed, 07/30/2008 - 06:48

Hello Donnie.


I did look into the router config. From looking at the config, your internal network on the ASA side is 192.168.0.0/24 and the internal network on the 871 remote side is 10.8.32.0/24.

Where is the network 10.8.0.0/24? Is it behind the ASA, or is it behind the second remote office that you mentioned, which terminates on the same tunnel-group of the ASA?

According to your config, it seems that 10.8.0.0 is /16, not /24.

Can you please try to pass traffic from the 10.8.32.x/24 network to the 10.8.0.0/16 network and get the output of "sh cry ipsec sa" on the 871 router and on the ASA.


Thanks

Gilbert



donniehoover Wed, 07/30/2008 - 07:12

10.8.0.0/16 is going to be all our internal network. I have a VLAN 10.8.0.0/16, which is what my computer is on. Attached is the show crypto ipsec sa.



ggilbert (Cisco Employee) Wed, 07/30/2008 - 07:31

Donnie,


10.8.0.0/16 covers all your 10.8.x.x networks, so you will run into problems since your local network will be in the same range.


To get this to work, change the encryption ACL to /24 rather than /16 for the 10.8.x.x network.


Thanks

Gilbert

Daniel Voicu (Silver, 250 points or more) Wed, 07/30/2008 - 06:49

Hi,


To be honest, the config looks OK.

Only one thing: you should put the crypto map to be /24, not /16. You need to modify the lines:

access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255


Please rate if this helped.


Regards,

Daniel

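Gilbert's and Daniel's replies point at the same defect: a crypto-map (interesting traffic) entry whose destination is 10.8.0.0/16 also covers the 871's own LAN, 10.8.32.0/24, so local traffic matches the tunnel ACL. The script below is an added example, not code from this thread or from Cisco. It assumes the remote LAN is 10.8.32.0/24 as Gilbert read it from the config, uses the two ACL lines Daniel quoted as the "as posted" input, and uses constructed /24 versions of those lines as the corrected input he recommends. It converts IOS wildcard masks to prefixes and flags any entry whose destination range overlaps the router's own LAN; the deny entry in ACL 130 is checked the same way as the permit in ACL 120.

```python
import ipaddress
import re

# Constructed sample input (not a real config). REMOTE_LAN is the 871's inside
# network as read from the thread; ACL_AS_POSTED are the two lines quoted above;
# ACL_CORRECTED is a constructed /24 variant of the same lines.
REMOTE_LAN = ipaddress.ip_network("10.8.32.0/24")
ACL_AS_POSTED = [
    "access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255",
    "access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255",
]
ACL_CORRECTED = [
    "access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.0.255",
    "access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.0.255",
]

# Only the extended "ip <src> <wildcard> <dst> <wildcard>" form is handled;
# "host" / "any" keywords are out of scope for this example.
ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<swc>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dwc>\d+\.\d+\.\d+\.\d+)\s*$"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address/wildcard pair into a network.

    An IOS wildcard is the bitwise inverse of a subnet mask: 0.0.0.255 is /24,
    0.0.255.255 is /16. ipaddress rejects a non-contiguous mask with a
    ValueError, which is fine here: such a wildcard has no prefix form.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_acl_line(line: str) -> dict:
    """Parse one extended ACL entry into its number, action and two networks."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    return {
        "acl": int(m["num"]),
        "action": m["action"],
        "src": wildcard_to_network(m["src"], m["swc"]),
        "dst": wildcard_to_network(m["dst"], m["dwc"]),
    }


def find_self_overlaps(acl_lines, local_lan: ipaddress.IPv4Network) -> list:
    """Return one finding per entry whose destination range overlaps local_lan.

    A crypto-map entry whose destination contains the router's own LAN matches
    local-to-local traffic and tries to push it into the tunnel, which is the
    symptom described in the thread.
    """
    findings = []
    for line in acl_lines:
        entry = parse_acl_line(line)
        if entry["dst"].overlaps(local_lan):
            findings.append(
                (entry["acl"], entry["action"], str(entry["dst"]),
                 f"destination {entry['dst']} overlaps local LAN {local_lan}")
            )
    return findings


if __name__ == "__main__":
    for label, lines in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        result = find_self_overlaps(lines, REMOTE_LAN)
        print(f"{label}: {result if result else 'no overlap with local LAN'}")
```

Run against the posted lines it reports both ACL 120 and ACL 130, because 10.8.0.0/16 contains 10.8.32.0/24; against the /24 lines it reports nothing. The same check is worth running on the ASA side's crypto ACL if the second remote office also uses addresses inside 10.8.0.0/16.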
donniehoover Wed, 07/30/2008 - 07:57

FYI, I already have the access-lists stating the above. I just worded things wrong at the beginning of the conversation. Should I open a TAC on this issue? If I ping from the router to my desktop, every other one is successful, and from my desktop about one of every 5 or so is successful. The ASA does not show any errors.

Correct Answer
Daniel Voicu (Silver, 250 points or more) Wed, 07/30/2008 - 23:40

Right, the problem might be on the router.

Try disabling CEF ("no ip cef") and check again.


Please rate if this helped.


Regards,

Daniel
