All the subnets are not reachable over the VPN

Hi all,

We have an EZVPN connection to one of our branch offices. The connectivity diagram is attached to this discussion.

HO LAN (10.1.0.0/16 & 192.6.14.0/24) --------- ASA5520-------- Internet ---------- Cisco2911-------- LAN of remote location (10.2.0.0/16)

We are using the 10.2.0.0/26 subnet at the remote office and the 10.1.0.0/16 & 192.6.14.0/24 subnets at HO. From HO, through 10.1.0.0/16 & 192.6.14.0/24, all the devices are reachable except the firewall, which is connected to the GigabitEthernet0/2 interface of the Cisco 2911 router (on which the VPN is created).

It's a Fortigate firewall and it is reachable locally from the 10.2.0.0/16 network. I believe it's an issue with the phase 2 ACLs, but I wasn't able to resolve it.

I'm not able to reach the GUI/CLI of the Fortigate firewall; I'm not even able to ping the IP of the GigabitEthernet0/2 interface of the Cisco 2911.

Kindly advise on the same.

Below is the configuration of the ASA5520 at HO and the Cisco 2911 router at the branch office.

ASA5520:-

access-list inside_access_in extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list splittunnelacl_JNC_AUH extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list splittunnelacl_JNC_AUH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list Outside_cryptomap_65534.191 extended permit ip object-group DM_INLINE_NETWORK_103 10.2.0.0 255.255.0.0
jashanmalasa/sec/act# sho run object-group | b DM_INLINE_NETWORK_103
object-group network DM_INLINE_NETWORK_103
 network-object 10.1.0.0 255.255.0.0
 network-object 192.6.14.0 255.255.255.0

group-policy AUHNEW internal
group-policy AUHNEW attributes
 dns-server value 192.6.14.189 192.6.14.182
 vpn-access-hours none
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 ip-comp disable
 re-xauth disable
 pfs enable
 ipsec-udp disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
 default-domain value xxxxxx
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem enable


tunnel-group AUHNEW type remote-access
tunnel-group AUHNEW general-attributes
 authorization-server-group LOCAL
 default-group-policy AUHNEW
tunnel-group AUHNEW ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
 isakmp ikev1-user-authentication none

Cisco2911:-

Current configuration : 10258 bytes
!
! Last configuration change at 19:06:18 AST Thu May 8 2014 by admin
! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
version 15.1
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname AUHOffice_RTR
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
!
!
card type e1 0 0
!
no aaa new-model
!
clock timezone AST 4 0
network-clock-participate wic 0
network-clock-select 1 E1 0/0/0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip name-server 213.42.xxx.xxx
!
multilink bundle-name authenticated
!
!
!
!
isdn switch-type primary-net5
!
crypto pki token default removal timeout 0
!
!
voice-card 0
 dspfarm
 dsp services dspfarm
!
!
!
voice service voip
 fax protocol pass-through g711ulaw
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g711alaw
 codec preference 3 g729r8
 codec preference 4 g729br8
!
voice class h323 1
  h225 timeout tcp establish 3
!
!
!
!
voice translation-rule 1
 rule 1 /^9\(.*\)/ /\1/
!
voice translation-rule 2
 rule 1 /^0\(2.......\)$/ /00\1/
 rule 2 /^0\(3.......\)$/ /00\1/
 rule 3 /^0\(4.......\)$/ /00\1/
 rule 4 /^0\(5........\)$/ /00\1/
 rule 5 /^0\(6.......\)$/ /00\1/
 rule 6 /^0\(7.......\)$/ /00\1/
 rule 7 /^0\(9.......\)$/ /00\1/
 rule 8 /^00\(.*\)/ /0\1/
 rule 9 /^.......$/ /0&/
 rule 10 // /000\1/
!
voice translation-rule 3
 rule 1 /^3../ /026969&/
!
!
voice translation-profile FROM_PSTN
 translate calling 2
 translate called 1
!
voice translation-profile TO_PSTN
 translate calling 3
!
!
license udi pid CISCO2911/K9 sn xxxxxxxxx
license accept end user agreement
license boot module c2900 technology-package securityk9
hw-module pvdm 0/0
!
hw-module sm 1
!
!
!
username admin privilege 15 secret 4 Ckg/sS5mzi4xFYrh1ggXo92THcL6Z0c6ng70wM9oOxg
!
redundancy
!
!
!
!
controller E1 0/0/0
 framing NO-CRC4
 pri-group timeslots 1-10,16
!
!
!
!
!
!
!
crypto ipsec client ezvpn jashanvpn
 connect auto
 group AUHNEW key jashvpn786
 mode network-extension
 peer 83.111.xxx.xxx
 acl 150
 nat allow
 nat acl 110
 xauth userid mode interactive
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.2.0.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1430
 ip policy route-map temp
 duplex auto
 speed auto
 crypto ipsec client ezvpn jashanvpn inside
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.2.0.1
!
interface GigabitEthernet0/1
 description *** Connected to 40MB Internet ***
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/2
 ip address 10.2.0.11 255.255.255.248
 duplex auto
 speed auto
!
interface Serial0/0/0:15
 no ip address
 encapsulation hdlc
 isdn switch-type primary-net5
 isdn incoming-voice voice
 no cdp enable
!
interface SM1/0
 ip unnumbered GigabitEthernet0/0
 service-module ip address 10.2.0.3 255.255.255.248
 !Application: CUE Running on SM
 service-module ip default-gateway 10.2.0.1
!
interface SM1/1
 description Internal switch interface connected to Service Module
 no ip address
!
interface Vlan1
 no ip address
!
interface Dialer0
 description *** JASHANMAL 40MB Internet ***
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxx
 ppp chap password 7 0252150B0C0D5B2748
 ppp pap sent-username xxxxxx password 7 15461A5C03217F222C
 crypto ipsec client ezvpn jashanvpn
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.2.0.0 255.255.248.0 10.2.0.2
ip route 10.2.0.3 255.255.255.255 SM1/0
ip route 10.2.6.1 255.255.255.255 10.2.0.2
ip route 10.2.7.1 255.255.255.255 10.2.0.2
ip route 172.16.5.0 255.255.255.0 10.2.0.2
!
access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 100 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 deny   ip 172.16.5.0 0.0.0.255 10.1.6.0 0.0.0.255
access-list 100 permit ip 10.2.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.5.0 0.0.0.255 any
access-list 110 deny   ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.2.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.3.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.1.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.5.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.5.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.3.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.9.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.6.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.9.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.15.0 0.0.0.255
access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip host 10.2.6.1 any
access-list 110 permit ip host 10.2.6.2 any
access-list 110 permit ip host 10.2.6.3 any
access-list 110 permit ip host 10.2.6.4 any
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.201.72 eq 10008
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.254.136 eq 10008
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 216.52.207.67 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.151.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.148.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.149.22 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.150.22 eq www
access-list 110 permit tcp 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.4.0 0.0.0.255 any
access-list 150 permit ip 10.2.0.0 0.0.0.255 any
access-list 150 permit ip 10.2.1.0 0.0.0.255 any
access-list 150 permit ip 10.2.2.0 0.0.0.255 any
access-list 150 permit ip 10.2.3.0 0.0.0.255 any
access-list 150 permit ip 10.2.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.6.0 0.0.0.255 any
access-list 150 permit ip 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.7.0 0.0.0.255 any
!
!
!
!
route-map temp permit 100
 match ip address 100
 set ip next-hop 10.2.0.9
!
route-map temp permit 110
!
route-map nonat permit 10
 match ip address 110
!
!
snmp-server community xxxxxxxx
snmp-server location JNC AbuDhabi Office
snmp-server contact xxxxxxxx
snmp-server enable traps tty
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host xxxxx version 2c jash
!
control-plane
!
!
voice-port 0/0/0:15
 translation-profile incoming FROM_PSTN
 bearer-cap Speech
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
!
!
mgcp profile default
!
!
dial-peer cor custom
 name CCM
 name 0
 name 00
!
!
dial-peer cor list CCM
 member CCM
 member 0
 member 00
!
dial-peer cor list 0
 member 0
!
dial-peer cor list 00
 member 0
 member 00
!
!
dial-peer voice 100 voip
 corlist incoming CCM
 preference 1
 destination-pattern [1-8]..
 session target ipv4:10.1.2.12
 incoming called-number [1-8]..
 voice-class codec 1  
 voice-class h323 1
 dtmf-relay h245-alphanumeric
 no vad
!
dial-peer voice 101 voip
 corlist incoming CCM
 huntstop
 preference 2
 destination-pattern [1-8]..
 session target ipv4:10.1.2.11
 incoming called-number [1-8]..
 voice-class codec 1  
 voice-class h323 1
 dtmf-relay h245-alphanumeric
 no vad
!
dial-peer voice 201 pots
 corlist outgoing 0
 translation-profile outgoing TO_PSTN
 destination-pattern 0[1-9]T
 incoming called-number .
 direct-inward-dial
 port 0/0/0:15
!
dial-peer voice 202 pots
 corlist outgoing 0
 translation-profile outgoing TO_PSTN
 destination-pattern 00[1-9]T
 incoming called-number .
 direct-inward-dial
 port 0/0/0:15
 prefix 0
!
dial-peer voice 203 pots
 corlist outgoing 00
 translation-profile outgoing TO_PSTN
 destination-pattern 000T
 incoming called-number .
 direct-inward-dial
 port 0/0/0:15
 prefix 00
!
!
gateway
 timer receive-rtp 1200
!
!
!
gatekeeper
 shutdown
!
!
call-manager-fallback
 secondary-dialtone 0
 max-conferences 8 gain -6
 transfer-system full-consult
 timeouts interdigit 4
 ip source-address 10.2.0.1 port 2000
 max-ephones 58
 max-dn 100
 system message primary Your Current Options SRST Mode
 transfer-pattern .T
 alias 1 300 to 279
 call-forward pattern .T
 time-zone 35
 date-format dd-mm-yy
 cor incoming 0 1 100 - 899
!
!
!
line con 0
 password 7 030359065206234104
 login local
line aux 0
 password 7 030359065206234104
 login local
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 110E1B08431B09014E
 login local
 transport input all
line vty 5 15
 password 7 030359065206234104
 login local
 transport input all
!
scheduler allocate 20000 1000
ntp master 1
end

1 REPLY

Attached is the result from the packet tracer of ASA5520-ASDM.
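The question above comes down to three local conditions on an IOS Easy VPN remote in network-extension mode: the source must sit behind an interface that carries `crypto ipsec client ezvpn <name> inside`, the EZVPN `acl` must select the flow, and the `nat acl` must deny it so that overload PAT does not rewrite the source before IPsec sees it. The checker below is an added example written for this thread; it is not code from the original post and not a Cisco tool. It parses a constructed excerpt of the branch router configuration posted above (the two interface blocks and a handful of lines from ACLs 110 and 150, kept verbatim), evaluates IOS wildcard ACLs first-match with the implicit deny, and reports those three facts for a source/destination pair. The ACL numbers 150 and 110 default to the values in the posted `crypto ipsec client ezvpn jashanvpn` profile (`acl 150`, `nat acl 110`); the hosts used in the usage lines (10.2.0.2 behind Gi0/0, 10.2.0.11 on Gi0/2, and HO addresses taken from the posted config) are chosen for illustration. Port qualifiers such as `eq www` are ignored and non-contiguous wildcards are rejected.

```python
"""
Added checker (not from the original post): for a source/destination pair,
report the three local preconditions for an IOS EZVPN network-extension
tunnel to carry the flow. Parses IOS numbered ACLs and interface blocks.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the branch router config posted above: only the
# interface blocks and the ACL lines this checker reads are kept.
CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.2.0.1 255.255.255.248
 ip nat inside
 crypto ipsec client ezvpn jashanvpn inside
!
interface GigabitEthernet0/2
 ip address 10.2.0.11 255.255.255.248
!
access-list 110 deny   ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 216.52.207.67 eq www
access-list 150 permit ip 10.2.4.0 0.0.0.255 any
access-list 150 permit ip 10.2.0.0 0.0.0.255 any
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                   # original line, kept for reporting


@dataclass
class Interface:
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    ezvpn_inside: bool = False  # carries 'crypto ipsec client ezvpn <name> inside'


def _endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ACL endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wildcard & (wildcard + 1):  # wildcard bits must be contiguous low-order ones
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]} not supported")
    prefixlen = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tok}/{prefixlen}", strict=False), i + 2


def parse_config(text: str) -> Tuple[Dict[str, List[Ace]], Dict[str, Interface]]:
    """Collect numbered ACLs (in order) and per-interface address / EZVPN-inside facts."""
    acls: Dict[str, List[Ace]] = {}
    interfaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("!"):        # '!' ends an interface block
            current = None
            continue
        tokens = line.split()
        if tokens[0] == "access-list":
            src, i = _endpoint(tokens, 4)
            dst, _ = _endpoint(tokens, i)   # any 'eq <port>' after this is ignored
            acls.setdefault(tokens[1], []).append(Ace(tokens[2], tokens[3], src, dst, line.strip()))
        elif tokens[0] == "interface":
            current = interfaces.setdefault(tokens[1], Interface(tokens[1]))
        elif current is not None and line.startswith(" "):
            if tokens[:2] == ["ip", "address"] and len(tokens) >= 4:
                current.network = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
            elif tokens[:4] == ["crypto", "ipsec", "client", "ezvpn"] and tokens[-1] == "inside":
                current.ezvpn_inside = True
    return acls, interfaces


def acl_verdict(aces: List[Ace], src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, proto: str = "ip") -> Tuple[str, str]:
    """First-match evaluation; an 'ip' ACE matches every protocol. Implicit deny at the end."""
    for ace in aces:
        if ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst:
            return ace.action, ace.text
    return "deny", "implicit deny"


@dataclass
class Report:
    interface: Optional[str]    # connected interface owning the source, if any
    ezvpn_inside: bool
    ezvpn_acl: str              # verdict of the profile's 'acl' (permit = selected for the tunnel)
    nat_acl: str                # verdict of the profile's 'nat acl' (permit = overload PAT applies)

    @property
    def all_checks_pass(self) -> bool:
        # Local preconditions only: the peer (the ASA) must still accept the flow
        # in its own crypto and NAT-exemption ACLs, which this script does not read.
        return self.ezvpn_inside and self.ezvpn_acl == "permit" and self.nat_acl == "deny"


def check_host(config_text: str, src_ip: str, dst_ip: str, proto: str = "ip",
               ezvpn_acl: str = "150", nat_acl: str = "110") -> Report:
    acls, interfaces = parse_config(config_text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    owner = next((i for i in interfaces.values() if i.network and src in i.network), None)
    ez, _ = acl_verdict(acls.get(ezvpn_acl, []), src, dst, proto)
    nat, _ = acl_verdict(acls.get(nat_acl, []), src, dst, proto)
    return Report(owner.name if owner else None, bool(owner and owner.ezvpn_inside), ez, nat)


if __name__ == "__main__":
    for host, target in (("10.2.0.2", "10.1.2.12"), ("10.2.0.11", "192.6.14.189")):
        print(host, "->", target, check_host(CONFIG, host, target))
```

For the two hosts in the usage block the script reports the same EZVPN ACL and NAT ACL verdicts (both selected by ACL 150, both denied by ACL 110), and differs only in whether the owning interface carries the `inside` designation. The NAT check matters because IOS translates inside-to-outside traffic before it encrypts it: a flow the `nat acl` permits leaves with the Dialer0 address as its source and no longer matches the tunnel's proxy identities, which is why every tunnelled destination needs a deny entry in ACL 110.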