
Remote Office Not tunneling all traffic

donniehoover (Level 1)

Attached is the 871 remote router config. Comes into the ASA under DefaultL2Lgroup. Another remote office comes in under the same tunnelgroup. Traffic to 192.168.0.0/24 works but I also need the tunnel to pass all traffic to 10.8.0.0/24. Let me know what you think. Thanks


6 Replies

ggilbert (Cisco Employee)

Hello Donnie.

I did look into the router config. From looking at the config, your internal network on the ASA side is 192.168.0.0/24 and internal network on the 871 remote side is 10.8.32.0/24.

Where is the network 10.8.0.0/24? Is it behind the ASA, or is it behind the second remote office that you mentioned, which terminates on the same tunnel-group of the ASA?

According to your config, it seems that 10.8.0.0 is /16 not /24

Can you please try to pass traffic from the 10.8.32.x/24 network to the 10.8.0.0/16 network and get the output of "sh cry ipsec sa" on the 871 router and on the ASA.

Thanks

Gilbert

10.8.0.0/16 is going to be all our internal network. I have a vlan 10.8.0.0/16 which is what my computer is on. Attached is the show crypto ipsec sa.

Donnie,

10.8.0.0/16 covers all your 10.8.x.x networks, so you will run into problems since your local network will be in the same range.

To get this to work, change the encryption ACL to /24 rather than /16 for the 10.8.x.x network.

Thanks

Gilbert

5220 (Level 4)

Hi,

To be honest the config looks ok.

Only one thing, you should put the crypto map to be /24, not /16. You need to modify the lines:

access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255

access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255

Please rate if this helped.

Regards,

Daniel
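The point Gilbert and Daniel both make is that an encryption (crypto map) ACL whose destination is 10.8.0.0/16 also matches the router's own 10.8.32.0/24 LAN, so local traffic gets classified as "interesting" and pushed into the tunnel. The script below is an added example, not code from the thread or from Cisco: it parses the two ACL lines quoted above (embedded here as constructed sample input), converts IOS wildcard masks to prefixes, flags any entry whose destination overlaps the local LAN, and prints the narrowed /24 version of each line. It assumes the 871's LAN is 10.8.32.0/24, as stated in the thread, and treats both ACL 120 and ACL 130 the same way because the crypto selector and the NAT-exemption selector should stay consistent.

```python
import ipaddress
import re

# Constructed sample input: the remote 871's LAN and the two ACL lines
# quoted in the thread (the /16 versions that need to be narrowed).
LOCAL_LAN = ipaddress.ip_network("10.8.32.0/24")

ACL_LINES = [
    "access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255",
    "access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255",
]

# Matches a plain "access-list <n> permit|deny ip <src> <wc> <dst> <wc>" line.
ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<srcwc>\S+)\s+(?P<dst>\S+)\s+(?P<dstwc>\S+)\s*$"
)


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair (e.g. 10.8.0.0 0.0.255.255)
    into an ip_network. Only contiguous wildcards are accepted."""
    wc = int(ipaddress.ip_address(wildcard))
    # A contiguous wildcard is all-ones in the low bits, so wc+1 is a power of two.
    if ((wc + 1) & wc) != 0:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - (wc + 1).bit_length() + 1
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_acl(line):
    """Parse one ACL line into its number, action, and source/destination networks."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACL line: {line!r}")
    return {
        "number": int(m["num"]),
        "action": m["action"],
        "src": wildcard_to_network(m["src"], m["srcwc"]),
        "dst": wildcard_to_network(m["dst"], m["dstwc"]),
    }


def find_overlapping_entries(lines, local_lan):
    """Return a finding for every entry whose destination overlaps the local LAN.

    Such an entry makes local-to-local traffic match the tunnel selector,
    which is the mismatch the thread describes."""
    findings = []
    for line in lines:
        e = parse_acl(line)
        if e["dst"].overlaps(local_lan):
            findings.append(
                f"ACL {e['number']} ({e['action']}): destination {e['dst']} "
                f"overlaps local LAN {local_lan}"
            )
    return findings


def narrow_destination(line, new_prefix):
    """Rewrite the destination of an ACL line to the given prefix length,
    keeping the ACL number, action and source unchanged."""
    e = parse_acl(line)
    new_dst = ipaddress.ip_network(
        f"{e['dst'].network_address}/{new_prefix}", strict=False
    )
    return (
        f"access-list {e['number']} {e['action']} ip "
        f"{e['src'].network_address} {e['src'].hostmask} "
        f"{new_dst.network_address} {new_dst.hostmask}"
    )


if __name__ == "__main__":
    for finding in find_overlapping_entries(ACL_LINES, LOCAL_LAN):
        print("WARN:", finding)
    print("Suggested /24 replacements:")
    for original in ACL_LINES:
        print(" ", narrow_destination(original, 24))
```

Running it against the two quoted lines reports both as overlapping the 10.8.32.0/24 LAN and prints the /24 forms Daniel recommends; after the replacement lines are fed back in, the check returns no findings.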

FYI I already have the access-lists stating the above. I just worded things wrong at the beginning of the conversation. Should I open a TAC on this issue? If I ping from the router to my desktop, every other one is successful, and from my desktop about one of every 5 or so is successful. The ASA does not show any errors.

Right, the problem might be on the router.

Try to disable the CEF "no ip cef" and check again.

Please rate if this helped.

Regards,

Daniel
