Cisco Support Community
New Member

Remote Office Not tunneling all traffic

Attached is the 871 remote router config. Comes into the ASA under DefaultL2Lgroup. Another remote office comes in under the same tunnelgroup. Traffic to 192.168.0.0/24 works but I also need the tunnel to pass all traffic to 10.8.0.0/24. Let me know what you think. Thanks

  • VPN
6 REPLIES
Cisco Employee

Re: Remote Office Not tunneling all traffic

Hello Donnie.

I did look into the router config. From looking at the config, your internal network on the ASA side is 192.168.0.0/24 and internal network on the 871 remote side is 10.8.32.0/24.

Where is the network 10.8.0.0/24? Is it behind the ASA or is it behind the second remote office that you mentioned which terminates on the same tunnel-group of the ASA?

According to your config, it seems that 10.8.0.0 is /16 not /24.

Can you please try to pass traffic from 10.8.32.x/24 network to 10.8.0.0/16 network and get the output of "sh cry ipsec sa" on the 871 router and on the ASA.

Thanks

Gilbert

New Member

Re: Remote Office Not tunneling all traffic

10.8.0.0/16 is going to be all our internal network. I have a vlan 10.8.0.0/16 which is what my computer is on. Attached is the show crypto ipsec sa.

Cisco Employee

Re: Remote Office Not tunneling all traffic

Donnie,

10.8.0.0/16 covers all your 10.8.x.x networks, so you will run into problems since your local network will be in the same range.

To get this to work, change the encryption ACL to /24 rather than /16 for the 10.8.x.x network.

Thanks

Gilbert

Re: Remote Office Not tunneling all traffic

Hi,

To be honest the config looks ok.

Only one thing, you should put the crypto map to be /24, not /16. You need to modify the lines:

access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255

access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255

Please rate if this helped.

Regards,

Daniel
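The overlap raised in the replies above (a 10.8.0.0/16 destination that also contains the local 10.8.32.0/24 LAN) can be checked mechanically. The following is an added example, not part of any post in this thread: a small Python check over IOS extended ACL lines. The function names and the narrowed sample lines are assumptions made for illustration, and only the `access-list N permit|deny ip SRC WILDCARD DST WILDCARD` form is handled.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address + wildcard mask pair into an ip_network."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    # A contiguous wildcard is 2**n - 1; anything else is not a plain prefix.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    prefix = 32 - host_bits.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_acl_line(line):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' (no any/host)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACL form: {line!r}")
    return {"acl": tok[1], "action": tok[2],
            "src": wildcard_to_network(tok[4], tok[5]),
            "dst": wildcard_to_network(tok[6], tok[7])}

def find_overlaps(config_text):
    """Return ACL entries whose source network falls inside the destination."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("access-list"):
            continue
        entry = parse_acl_line(line)
        if entry["src"].overlaps(entry["dst"]):
            findings.append((entry["acl"], entry["action"],
                             str(entry["src"]), str(entry["dst"])))
    return findings

# The two ACL lines quoted in the thread.
THREAD_ACLS = """\
access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255
"""
# Constructed sample: the same entries with the destination narrowed to /24.
NARROWED_ACLS = """\
access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.0.255
access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.0.255
"""

if __name__ == "__main__":
    for acl, action, src, dst in find_overlaps(THREAD_ACLS):
        print(f"ACL {acl} ({action}): local {src} is inside remote {dst}")
    print("narrowed overlaps:", find_overlaps(NARROWED_ACLS))
```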

New Member

Re: Remote Office Not tunneling all traffic

FYI I already have the access-lists stating the above. I just worded things wrong at the beginning of the conversation. Should I open a TAC on this issue? If I ping from the router to my desktop every other is successful and from my desktop about one of every 5 or so is successful. The ASA does not show any errors.

Re: Remote Office Not tunneling all traffic

Right, the problem might be on the router.

Try to disable the CEF "no ip cef" and check again.

Please rate if this helped.

Regards,

Daniel
