07-30-2008 06:09 AM
Attached is the 871 remote router config. Comes into the ASA under DefaultL2Lgroup. Another remote office comes in under the same tunnelgroup. Traffic to 192.168.0.0/24 works but I also need the tunnel to pass all traffic to 10.8.0.0/24. Let me know what you think. Thanks
07-30-2008 11:40 PM
Right, the problem might be on the router.
Try to disable the CEF "no ip cef" and check again.
Please rate if this helped.
Regards,
Daniel
07-30-2008 06:48 AM
Hello Donnie.
I did look into the router config. From looking at the config, your internal network on the ASA side is 192.168.0.0/24 and internal network on the 871 remote side is 10.8.32.0/24.
Where is the network 10.8.0.0/24? Is it behind the ASA or is it behind the second remote office that you mentioned which terminates on the same tunnel-group of the ASA.
According to your config, it seems that 10.8.0.0 is /16 not /24
Can you please try to pass traffic from the 10.8.32.x/24 network to the 10.8.0.0/16 network and get the output of "sh cry ipsec sa" on the 871 router and on the ASA.
Thanks
Gilbert
07-30-2008 07:12 AM
07-30-2008 07:31 AM
Donnie,
10.8.0.0/16 covers all your 10.8.x.x networks, so you will run into problems since your local network will be in the same range.
To get this to work, change the encryption ACL to /24 rather than /16 for the 10.8.x.x network.
Thanks
Gilbert
07-30-2008 06:49 AM
Hi,
To be honest the config looks ok.
Only one thing, you should put the crypto map to be /24, not /16. You need to modify the lines:
access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255
Please rate if this helped.
Regards,
Daniel
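As an added check (not from the thread, Cisco, or either poster), the script below parses access-list lines like the two quoted above, expands the IOS wildcard masks, and reports when a crypto ACL's remote (destination) network swallows the router's own local (source) LAN, which is exactly why the /16 entry breaks and the /24 entry works. The sample ACL strings are constructed from the thread's addresses.

```python
import ipaddress
import re

# Constructed samples: the thread's /16 crypto ACE and the /24 correction.
ACL_BEFORE = "access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255"
ACL_AFTER = "access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.0.255"

# Matches the "access-list N permit|deny ip SRC SRC-WC DST DST-WC" form only.
_ACE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<swc>\S+)\s+(?P<dst>\S+)\s+(?P<dwc>\S+)$"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into an IPv4Network.

    The wildcard is inverted to a netmask explicitly instead of relying on
    ipaddress' netmask-or-hostmask guessing, so 0.0.0.0 (one host) is /32
    rather than being read as the /0 netmask.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(wc ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_ace(line: str):
    """Return (acl number, action, source network, destination network)."""
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    return (
        m["num"],
        m["action"],
        wildcard_to_network(m["src"], m["swc"]),
        wildcard_to_network(m["dst"], m["dwc"]),
    )


def crypto_acl_overlap(line: str):
    """Return the network enclosed by the other side when the local (source)
    and remote (destination) networks of a crypto ACE overlap, else None.

    Any overlap means the router would treat part of its own LAN as
    "interesting" tunnel traffic, the failure mode discussed in the thread.
    """
    _, _, src, dst = parse_ace(line)
    if not src.overlaps(dst):
        return None
    return src if src.subnet_of(dst) else dst
```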
07-30-2008 07:57 AM
FYI I already have the access-lists stating the above. I just worded things wrong at the beginning of the conversation. Should I open a TAC on this issue? If I ping from the router to my desktop, every other one is successful, and from my desktop about one of every 5 or so is successful. The ASA does not show any errors.