10-02-2013 10:30 AM
I have a site-to-site VPN with 4 networks on each end; I have no problem accessing 3 of them, but not the fourth network. Packet Trace works with no errors on all four of them. All the configurations are set up identically. I am able to ping all three but not the one; I see the ICMP packets get through on all of them but receive no response from the fourth.
10-02-2013 11:02 AM
In order to help you further, please post the device configuration...
Also paste the packet trace output too.
Sent from Cisco Technical Support iPad App
10-02-2013 12:17 PM
Posted
10-02-2013 12:19 PM
packet-tracer input DMZ-ISCSI icmp 10.10.60.10 0 0 10.10.160.10
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ-ISCSI,any) source static any any destination static MICH-dmz-iscsi-network MICH-dmz-iscsi-network no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.160.10/0 to 10.10.160.10/0
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-map-timestamp
match any
policy-map policy-map-timestamp
class class-map-timestamp
set connection advanced-options tcp-map-timestamp
service-policy policy-map-timestamp global
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ-ISCSI,any) source static any any destination static MICH-dmz-iscsi-network MICH-dmz-iscsi-network no-proxy-arp
Additional Information:
Static translate 10.10.60.10/0 to 10.10.60.10/0
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map policy-map-timestamp
class inspection_default
inspect icmp
service-policy policy-map-timestamp global
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ-ISCSI,any) source static any any destination static MICH-dmz-iscsi-network MICH-dmz-iscsi-network no-proxy-arp
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4593909, packet dispatched to next module
Result:
input-interface: DMZ-ISCSI
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
10-02-2013 12:19 PM
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xx.xx.xx.xx standby xx.xx.xx.xx
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0 standby 192.168.50.5
!
interface GigabitEthernet0/2
nameif d-priv
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.5
!
interface GigabitEthernet0/3
nameif ISCSI
security-level 55
ip address 10.10.10.252 255.255.255.0 standby 10.10.10.5
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
nameif DMZ-ISCSI
security-level 56
ip address 10.10.60.1 255.255.255.0
!
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
!
interface Management0/0
management-only
nameif Mangement
security-level 0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.5
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.50.0
subnet 192.168.50.0 255.255.255.0
object network obj-192.168.60.0
subnet 192.168.60.0 255.255.255.0
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network MICH-inside-network
subnet 192.168.150.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MICH-ISCSI-network
subnet 10.10.110.0 255.255.255.0
object network MICH-d-priv-network
subnet 192.168.160.0 255.255.255.0
object-group network DM_INLINE_NETWORK_22
network-object 192.168.50.0 255.255.255.0
network-object 192.168.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_21
network-object 192.168.50.0 255.255.255.0
network-object 192.168.60.0 255.255.255.0
access-list dmz-in extended permit object-group DM_INLINE_SERVICE_7 192.168.60.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
access-list dmz-in extended permit ip 192.168.60.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 object-group DM_INLINE_NETWORK_8
access-list ISCSI_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 object MICH-ISCSI-network inactive
!
tcp-map tcp-map-timestamp
tcp-options timestamp clear
!
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap informational
logging history critical
logging asdm informational
logging facility 16
logging queue 0
logging permit-hostdown
no logging message 710005
mtu outside 1500
mtu inside 1500
mtu d-priv 1500
mtu ISCSI 1500
mtu Mangement 1500
mtu DMZ-ISCSI 1500
ip verify reverse-path interface outside
failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
no arp permit-nonconnected
nat (inside,any) source static any any destination static DM_INLINE_NETWORK_17 DM_INLINE_NETWORK_17 no-proxy-arp
nat (d-priv,any) source static any any destination static MICH-d-priv-network MICH-d-priv-network no-proxy-arp
nat (ISCSI,any) source static any any destination static MICH-ISCSI-network MICH-ISCSI-network no-proxy-arp
nat (DMZ-ISCSI,any) source static any any destination static MICH-dmz-iscsi-network MICH-dmz-iscsi-network no-proxy-arp
nat (inside,outside) after-auto source dynamic any xx.xx.xx.xx
access-group 100 in interface outside
access-group dmz-in in interface d-priv
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ann_arbor 4 match address outside_cryptomap_2
crypto map ann_arbor 4 set pfs
crypto map ann_arbor 4 set peer xx.xx.xx.xx
crypto map ann_arbor 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ann_arbor 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx general-attributes
default-group-policy GroupPolicy_xx.xx.xx.xx
tunnel-group xx.xx.xx.xx ipsec-attributes
ikev1 pre-shared-key DRSite
ikev2 remote-authentication pre-shared-key DRSite
ikev2 local-authentication pre-shared-key DRSite
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
class-map global-class1
description SMTP01 Passive mode setting
match access-list global_mpc
class-map global-class2
match access-list global_mpc_1
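As an added example for readers of this thread (not part of the original posts and not Cisco's code), here is a small Python parser that turns packet-tracer output like the one posted above into structured phases and reports the facts a troubleshooter checks first: the final action, the ingress/egress interfaces, whether a VPN encrypt phase was hit, which NAT rules the flow matched, and, for a denied flow, the phase that dropped it and the drop reason. The first sample is abridged from the posted trace; the second is constructed, with a hypothetical ACL named EXAMPLE-ACL, to show what the same flow looks like when an ingress ACL denies it. Being able to diff "allowed here" against "dropped there" is useful when, as in this case, the local trace is clean and the fault has to be on the far side or the return path.

```python
"""Parse Cisco ASA packet-tracer output into phases and report whether the
simulated flow is allowed and, if not, which phase dropped it. Added example for
this thread, not Cisco's code. SAMPLE_ALLOW is abridged from the trace posted
above; SAMPLE_DROP is constructed (hypothetical ACL EXAMPLE-ACL) to show a denied flow."""
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class Trace:
    phases: list = field(default_factory=list)
    final: dict = field(default_factory=dict)   # trailing "Result:" block, key -> value

def parse_packet_tracer(text: str) -> Trace:
    trace, cur, section = Trace(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"^Phase:\s*(\d+)$", line):   # a new phase begins
            cur = Phase(int(m.group(1)))
            trace.phases.append(cur)
            section = None
        elif line == "Result:":                         # bare "Result:" opens the summary
            cur, section = None, "final"
        elif section == "final":
            key, _, value = line.partition(":")
            trace.final[key.strip()] = value.strip()
        elif cur is None:
            continue                                    # e.g. the echoed command line
        elif m := re.match(r"^(Type|Subtype|Result):\s*(.*)$", line):
            setattr(cur, m.group(1).lower(), m.group(2).strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return trace

def summarize(trace: Trace) -> dict:
    """Condense a parsed trace into the facts a troubleshooter checks first."""
    drop = next((p for p in trace.phases if p.result.upper() != "ALLOW"), None)
    return {
        "action": trace.final.get("Action", "").lower(),
        "ingress": trace.final.get("input-interface"),
        "egress": trace.final.get("output-interface"),
        "drop_phase": drop.number if drop else None,
        "drop_type": drop.type if drop else None,
        "drop_reason": trace.final.get("Drop-reason"),
        "vpn_encrypt": any(p.type == "VPN" and p.subtype == "encrypt" for p in trace.phases),
        "nat_rules": sorted({c for p in trace.phases for c in p.config if c.startswith("nat ")}),
    }

SAMPLE_ALLOW = """\
packet-tracer input DMZ-ISCSI icmp 10.10.60.10 0 0 10.10.160.10
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ-ISCSI,any) source static any any destination static MICH-dmz-iscsi-network MICH-dmz-iscsi-network no-proxy-arp
Additional Information:
Untranslate 10.10.160.10/0 to 10.10.160.10/0
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Result:
input-interface: DMZ-ISCSI
output-interface: outside
Action: allow
"""
SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group EXAMPLE-ACL in interface DMZ-ISCSI
access-list EXAMPLE-ACL extended deny ip any any
Result:
input-interface: DMZ-ISCSI
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, sample in (("posted trace", SAMPLE_ALLOW), ("constructed drop", SAMPLE_DROP)):
        print(name, summarize(parse_packet_tracer(sample)))
```

Feed it the full output of `show` or a pasted `packet-tracer` run from each end of the tunnel and compare the two summaries: if the local side reports `action: allow` with `vpn_encrypt: True`, as the posted trace does, the next place to look is the remote ASA's trace for the reverse flow (its NAT exemption, crypto ACL and route back to 10.10.60.0/24), not the local policy.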