Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cannot reach subnet over site to site VPN ASA 5505 version 9

Hello all,

I have several ASA 5505's that connect to one 5510 at our corporate headquarters.  I just added a new location and for some reason I cannot access resources on the 192.168.1.0 subnet which is at the remote site.  The VPN works fine and traffic to 192.168.5.0 resources work fine. I also have internet access.  Here is my configuration:

 

ASA Version 9.0(1)
!
hostname asa-fw
enable password k4HlcGX2lC1ypFOm encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 description Private-Interface
 nameif inside
 security-level 100
 ip address 172.16.40.254 255.255.0.0
!
interface Vlan2
 description Public-Interface
 nameif outside
 security-level 0
 pppoe client vpdn group xxxxxxxxxxxxxxxxxx
 ip address pppoe setroute
!
ftp mode passive
object network inside-network
 subnet 172.16.40.0 255.255.255.0
object network NETWORK_OBJ_172.16.40.0_24
 subnet 172.16.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
 subnet 192.168.5.0 255.255.255.0
object network NETWORK_OBJ_172.16.25.0_24
 subnet 172.16.25.0 255.255.255.0
object network OBJ_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 172.16.25.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-

proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static OBJ_192.168.1.0 OBJ_192.168.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_172.16.25.0_24 NETWORK_OBJ_172.16.25.0_24 no-

proxy-arp route-lookup
!
object network inside-network
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-

3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.16.40.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group xxxxxxxxxxxxxxxxxxxxxxxxxx request dialout pppoe
vpdn group xxxxxxxxxxxxxxxxxxxxxxxxxx localname xxxxxxxxxxxxxxxxxxxxxxxxx
vpdn group xxxxxxxxxxxxxxxxxxxxxxxxxx ppp authentication pap
vpdn username xxxxxxxxxxxxxxxxxxxxxxx password *****

dhcpd dns 192.168.5.9 192.168.5.10
!
dhcpd address 172.16.40.5-172.16.40.15 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_xxx.xxx.xxx.xxx internal
group-policy GroupPolicy_xxx.xxx.xxx.xxx attributes
 vpn-tunnel-protocol ikev1 ikev2
username xxxxxxxxxxx password 21dkb29Q2GbIGmA9 encrypted privilege 15
username xxxxxxxxxxx password 1NHJ1uyMBfQkbbS9 encrypted privilege 15
username xxxxxxxxxxx password NL1c1I7HLpyQAiL3 encrypted privilege 15
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
 default-group-policy GroupPolicy_xxx.xxx.xxx.xxx
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bfa3f7b53a5d05aa16514430fdcd0277
: end
no asdm history enable

 

Access lists on the 5510 at the corporate headquarters (remote site) are these:

 

access-list INSIDE_NONAT extended permit ip 192.168.5.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 172.16.25.0 255.255.255.0 172.16.40.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.5.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.16.25.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.40.0 255.255.255.0

I am at wits end on this because I just dont see where I went wrong :( Any help or insight that anyone can provide would be great.

 

Thanks

 

  • Firewalling
2 REPLIES
New Member

Does 'sh crypto ipsec sa'

Does 'sh crypto ipsec sa' show that the SAs are being created on both sides for the 192.168.1.0 ID?

New Member

Thanks for the reply.  I

Thanks for the reply.  I cannot check that until Monday when I am at work.  How does the NAT statements and ACL's look, are they correct?

87
Views
0
Helpful
2
Replies