Cisco Support Community
ipsec-L2L established, unable to reach other subnet

I have a L2L vpn between a 5515(hub) & remote site w/ 5505 established, however, at the hub there is another network range which is routed via the same gateway.

The interesting traffic as well as the nat statement is defined with an object-group that includes two ranges 10.10.0.0/16 & 192.168.0.0/24.  Everything on the 10.10/16 range is reachable, but nothing is reachable on the 192.168/24 from the remote site (obviously, reachable from the hub).

Seeing that the access-lists & nat statement use the object-group which includes both of the ranges and both routes are defined by the same gateway, any ideas why one network would be reachable and the other not?

ps.  same-security-traffic permit intra/inter interface is configured.

Thanks in advance for any help!

5 REPLIES

ipsec-L2L established, unable to reach other subnet

Since you are able to access the 10.10.0.0/16 network, that means your tunnel is up.

Check whether you have the correct access-list in the remote site ASA 5505 allowing 192.168.0.0/24.

Please try to run the packet-tracer and paste the output.

This will give us a clear understanding of why you are not able to reach the 192.168.0.0/24 network from the remote ASA 5505:

"packet-tracer input inside icmp (Remote Network any host ip) 8 0 (any host in 192.168.0.X)"

Potha

ipsec-L2L established, unable to reach other subnet

Thanks for the quick response!  I've run the packet-tracer before and phase 4 drops the packet on access-list (implicit rule).

The access-list is as follows (Brazos-Nets includes both 10.10/16 & 192.168.0/24).

"access-list outside_cryptomap extended permit ip 10.2.2.0 255.255.255.0 object-group Brazos-Nets "

"access-list outside_cryptomap extended permit ip object-group Brazos-Nets interface outside"

Packet-Tracer Output:

=====================================
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb0da370, priority=1, domain=permit, deny=false
        hits=1686966, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-net inside-net destination static Brazos-Nets Brazos-Nets no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.0.120/0 to 192.168.0.120/0

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb0e60a8, priority=500, domain=permit, deny=true
        hits=2, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.2.2.1, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
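Reading a long packet-tracer dump by eye is error-prone, and the first thing a troubleshooter wants from it is "which phase dropped the packet, on which rule type, and what did that rule match". The script below is an added example, not Cisco code and not from this thread; it parses the ASA packet-tracer text format into per-phase records plus the trailing summary block, then reports the dropping phase and the key=value attributes of the rule it hit. The sample input is a condensed copy of the output pasted above (the drop phase reproduced verbatim), so the rule ids and addresses in it are the page's, not data from a live device.

```python
"""Parse Cisco ASA packet-tracer output and summarise the drop.

Added example: parses the text format shown in the thread above. The
SAMPLE_OUTPUT below is copied/condensed from the poster's dump, not captured
from a real device by this script.
"""
import re

SAMPLE_OUTPUT = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb0da370, priority=1, domain=permit, deny=false
        hits=1686966, user_data=0x0, cs_id=0x0, l3_type=0x8
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-net inside-net destination static Brazos-Nets Brazos-Nets no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.0.120/0 to 192.168.0.120/0

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb0e60a8, priority=500, domain=permit, deny=true
        hits=2, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.2.2.1, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config):\s*(.*)$")


def _parse_rule_tokens(line, rule):
    """Collect key=value pairs from a 'yields rule' detail line into rule."""
    for token in line.split(","):
        if "=" not in token:
            continue  # bare flags such as 'reverse' carry no value
        key, value = token.split("=", 1)
        words = key.split()
        if words and words[0] == "in":  # strip the 'in  id=...' direction marker
            words = words[1:]
        if words:
            rule[" ".join(words)] = value.strip()


def parse_packet_tracer(text):
    """Return {'phases': [...], 'final': {...}} for one packet-tracer run."""
    phases, final = [], {}
    current, section, in_final = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": [], "rule": {}}
            phases.append(current)
            section = None
            continue
        if line == "Result:":  # bare 'Result:' opens the trailing summary block
            in_final, current = True, None
            continue
        if in_final:
            if ":" in line:
                key, value = line.split(":", 1)
                final[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "config":
                section = "config"
            else:
                current[key] = value
            continue
        if line.startswith("Additional Information"):
            section = "info"
            continue
        if section == "config":
            current["config"].append(line)
        elif section == "info":
            current["info"].append(line)
            _parse_rule_tokens(line, current["rule"])
    return {"phases": phases, "final": final}


def diagnose(parsed):
    """Summarise the first DROP phase (or report that nothing dropped)."""
    drop = next((p for p in parsed["phases"] if p["result"] == "DROP"), None)
    summary = {"action": parsed["final"].get("Action"),
               "drop_reason": parsed["final"].get("Drop-reason"),
               "drop_phase": None, "drop_type": None,
               "implicit_rule": False, "rule": {}}
    if drop is not None:
        summary.update(drop_phase=drop["phase"], drop_type=drop["type"],
                       implicit_rule="Implicit Rule" in drop["config"],
                       rule=drop["rule"])
    return summary


if __name__ == "__main__":
    for key, value in diagnose(parse_packet_tracer(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

On the sample above the summary points at phase 4, type ACCESS-LIST, matched against an "Implicit Rule" whose entry has `deny=true` and a destination of 0.0.0.0/0.0.0.0, which is the implicit deny at the end of an ACL rather than a configured ACE. That tells you the packet matched no permit entry at that stage, so the next thing to compare is the ACL actually applied on that path against the traffic you traced; it does not by itself say which ACL or why, which is exactly the gap the thread's later replies try to close.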

ipsec-L2L established, unable to reach other subnet

Can you paste the configuration of your remote site ASA 5505?

Check if you have any access-list which is denying implicitly.

ipsec-L2L established, unable to reach other subnet

Why are you using this config?

"access-list outside_cryptomap extended permit ip object-group Brazos-Nets interface outside"

ipsec-L2L established, unable to reach other subnet

Thank you for taking the time to reply.  It turns out the issue had nothing to do with the ASA configs.  I was unaware they had dual internet connections on their machines and a 2nd router/gw, so I just had to add routes and all is well.

My apologies for wasting your time, and thank you again.
