Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Unable to access additional IP Range over Site-to-Site IPSec VPN

Hi,
I am trying to setup a straight forward Site-to-Site IPSec VPN between a ASA 5510 (ASA Version 8.2(3))at HQ and a Cisco 877 (12.4(24)T3) at a branch office.

At the branch end I have the 192.168.244.0/24 Subnet.
At the HQ end I have the 172.16.0.0/22 and the 10.0.0.0/8 Subnets
The inside interface of the ASA at HQ is 172.16.0.15/22

During the VPN Wizard Setup I ticked the NAT-T checkbox, and I have included the additional subnet in the protected local networks list.

I can sucessfully get access to all of the 172.16.0.0/22 Subnets but not to anything in the 10.0.0.0/8 Subnets.
The ASA Packet Trace tool shows the traffic from the inside interface from 172.16.0.0/22 heading to 192.168.244.0/24 via the outside interface passess correctly, but from the 10.0.0.0/8 does not. It doesn't give any specific information why the 10.0.0.0/8 traffic is dropped.

[HQ_LAN]---10.0.0.0/8 & 172.16.0.0/22---172.16.0.15(inside_int)-[ASA 5510]---IPSEC---[RTR 877]---192.168.244.0/24---[BRANCH_LAN]

I suspect it might have something to do with NAT?

Please Help.

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Unable to access additional IP Range over Site-to-Site IPSec

Hi there,

You VPN Peers do not agree on lan segment between these two vpn peers.

On your ASA

access-list inside_outbound_nat0_acl extended permit ip any <> 255.255.255.0

and

Router:

access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

Please make it explicity identical subnet declaration between two vpn peers and lastly please add this route on ASA.

Same issue on this ACL as well, not identical subnet declaration between two vpn peers, so please make it indentical from both ends.

access-list outside_cryptomap_2 extended permit ip object-group <> <> 255.255.255.0

route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW

Let me know the result.

thanks

Rizwan Rafeek

7 REPLIES

Unable to access additional IP Range over Site-to-Site IPSec VPN

please post your config from ASA and the router config for easier trouble shooting.

thanks

Unable to access additional IP Range over Site-to-Site IPSec VPN

It could be a missing interesting traffic and/or NAT.

Post the running config of both devices (877 and ASA) for easier fault finding.

Please rate replies and mark question as "answered" if applicable.
New Member

Unable to access additional IP Range over Site-to-Site IPSec VPN

Variables:

<>

<>

<>

<>

<>

Branch 877 Config Summation :

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key <> address <>

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to <>

set peer <>

set transform-set ESP-3DES-SHA

set pfs group2

match address 100

!

archive

log config

  hidekeys

!

!

!

!

!

interface ATM0

no ip address

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

pvc 8/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

ip address 192.168.244.1 255.255.255.0

ip tcp adjust-mss 1412

!

interface Dialer0

ip address negotiated

ip mtu 1452

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname <>

ppp chap password 0 <>

crypto map SDM_CMAP_1

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

no ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

!

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

dialer-list 1 protocol ip permit

!

!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <> address <>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to <>
set peer <>
set transform-set ESP-3DES-SHA
set pfs group2
match address 100
!
archive
log config
  hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.244.1 255.255.255.0
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname <>
ppp chap password 0 <>
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255
access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
!
!

New Member

Unable to access additional IP Range over Site-to-Site IPSec VPN

Variables:

<>

<>

<>

<>

<>

HQ ASA Config Summation : I've masked out certain information, hopefully the config is still readable. If i've left something important out - let me know.

ASA Version 8.2(3)
!
names
name 172.16.0.7 VAL-CoreStack-SW
name 10.70.0.0 ValleyNewSubnet
name 10.71.0.0 JJNewSubnet
name 10.70.10.0 New-CorpCare-VPN
name 192.168.244.0 <>
!
interface Ethernet0/0
nameif outside
security-level 0
ip address <> 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.0.15 255.255.252.0
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address <> 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
!
boot system disk0:/asa823-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object-group network VAL-Subnets
network-object 172.16.0.0 255.255.252.0
network-object ValleyNewSubnet 255.255.0.0
network-object JJNewSubnet 255.255.0.0
network-object LuckyNewSubnetRange 255.255.0.0
network-object VinnyNewSubnetRange 255.255.0.0
object-group network VAL-3-Subnets
network-object 172.16.3.0 255.255.255.128
object-group network VAL-Desktops-Subnets
network-object 172.16.3.0 255.255.255.128
object-group network VAL-DMZ-Subnets
network-object 172.32.250.0 255.255.255.0
object-group network Luck-Subnets
network-object 192.168.1.0 255.255.255.0
object-group network VIN-Subnets
network-object 10.57.10.0 255.255.255.0
object-group network Luck-Doctors-Subnets
network-object 192.168.2.0 255.255.255.0
object-group network Corp-Loc-VPN-Clients-Subnets
network-object 172.16.4.0 255.255.255.0
object-group network Corp-Nat-Subnets
network-object 192.168.84.0 255.255.255.0
object-group network <>
group-object VAL-Subnets
group-object VAL-3-Subnets
group-object VAL-Desktops-Subnets
group-object VAL-DMZ-Subnets
group-object Luck-Subnets
group-object JJ-Subnets
group-object VIN-Subnets


object-group network Corp-Loc-VPN-Access
description Staff are allowed VPN access to these hosts (DC's, mail and home dir)
network-object host VAL-ISD-SVR
network-object host VAL-SQL-SVR
network-object host JJ-Server-SVR
network-object host JJ-Home-SVR
network-object host VAL-Homer-SVR
network-object host JJ-Exchange-SVR
network-object host VAL-National-RTR
network-object host VAL-Web-SVR
object-group service Corp-Loc-TCP-DMZ-Ports tcp
description Allows File Sharing and web access into the DMZ
port-object eq netbios-ssn
port-object eq 3389
port-object eq www
object-group service Corp-Loc-UDP-DMZ-Ports udp
description Allow file sharing into the DMZ
port-object eq netbios-ns
port-object eq netbios-dgm


object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp

object-group network DM_INLINE_NETWORK_1
network-object LuckyNewSubnetRange 255.255.0.0
network-object VinnyNewSubnetRange 255.255.0.0
group-object Corp-Loc-Proxy-SVRs
object-group network DM_INLINE_NETWORK_2
network-object LuckyNewSubnetRange 255.255.0.0
network-object VinnyNewSubnetRange 255.255.0.0
group-object Corp-Loc-Proxy-SVRs
object-group network DM_INLINE_NETWORK_3
network-object 10.57.10.0 255.255.255.0
network-object LuckyNewSubnetRange 255.255.0.0
network-object VinnyNewSubnetRange 255.255.0.0
network-object 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
object-group service DM_INLINE_SERVICE_2
object-group network DM_INLINE_NETWORK_4
network-object 10.57.10.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object LuckyNewSubnetRange 255.255.0.0
network-object VinnyNewSubnetRange 255.255.0.0

object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_5
network-object ValleyNewSubnet 255.255.0.0
network-object 172.16.0.0 255.255.252.0
network-object 10.0.0.0 255.0.0.0
object-group network DM_INLINE_NETWORK_6
network-object SydneyHeadOffice 255.255.254.0
network-object Moorabbin 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object New-CorpCare-VPN 255.255.254.0
network-object 834-Subnet 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object New-CorpCare-VPN 255.255.254.0
network-object 834-Subnet 255.255.255.0

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group Corp-Loc-Servers-DNS any eq domain
access-list inside_access_in extended permit ip object-group Corp-Loc-DirectAccessHosts any
access-list inside_access_in remark Pure message digest access
access-list inside_access_in extended permit udp host VAL-CoreStack-SW any eq ntp
access-list inside_access_in remark Internal Hosts allowed directly to the Internet
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in extended permit ip object-group VAL-Med-Rec-PCs any
access-list inside_access_in remark Internal POP Servers to get direct POP3 Access
access-list inside_access_in extended permit tcp object-group Corp-Loc-POP-Ext-Access any eq pop3
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group Ext-Public-Subnets eq www
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 object-group Ext-Public-Subnets eq https
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 any object-group DM_INLINE_TCP_1
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_7
access-list inside_access_in remark Temporary testing for 834

access-list inside_access_in extended permit ip any <> 255.255.255.0
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_8 any
access-list inside_access_in remark Temporary for testing - (WAD)
access-list inside_access_in extended permit ip <> 255.255.255.0 any
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in extended permit ip ValleyNewSubnet 255.255.0.0 object-group DM_INLINE_NETWORK_6
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in remark Allow Intra interface routing
access-list inside_access_in remark Allow Intra interface routing

access-list inside_outbound_nat0_acl remark -- VPN Client no nats
access-list inside_outbound_nat0_acl extended permit ip object-group <> object-group Corp-Loc-VPN-Clients-Subnets
access-list inside_outbound_nat0_acl extended permit ip any 834-Subnet 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip any 172.16.4.32 255.255.255.224
access-list inside_outbound_nat0_acl extended permit ip any New-CorpCare-VPN 255.255.254.0
access-list inside_outbound_nat0_acl remark IPSec VPN - No NAT
access-list inside_outbound_nat0_acl extended permit ip any <> 255.255.255.0

access-list WAD-support-tunnel remark -- routes for WAD VPN clients
access-list WAD-support-tunnel extended permit ip object-group <> object-group Ext-WAD-Management-Subnets
access-list staff-client-tunnel remark -- routes for Staff Clients
access-list staff-client-tunnel extended permit ip object-group VAL-Cardiac-SVRs object-group Corp-Loc-VPN-Clients-Subnets
access-list staff-client-tunnel extended permit ip object-group Corp-Loc-VPN-Access object-group Corp-Loc-VPN-Clients-Subnets
access-list ipsec-to-pms-rsn extended permit ip host 10.4.10.60 192.68.48.0 255.255.252.0
access-list ipsec-to-pms-rsn extended permit ip host 10.4.10.65 192.68.48.0 255.255.252.0
access-list ipsec-to-pms-rsn extended permit ip host 10.4.10.66 192.68.48.0 255.255.252.0
access-list ipsec-to-pms-rsn extended permit ip host 10.4.10.118 192.68.48.0 255.255.252.0

access-list CorpCareVPN_splitTunnelAcl standard permit any
access-list Internal-Management_nat0_outbound extended permit ip any 172.16.4.32 255.255.255.224
access-list Internal-Management_nat0_outbound extended permit ip object-group <> 834-Subnet 255.255.255.0
access-list outside_cryptomap_65535.1 extended permit ip interface outside interface inside
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 834-Subnet 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object-group <> 834-Subnet 255.255.255.0
access-list outside_cryptomap_2 extended permit ip object-group <> <> 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group <> 834-Subnet 255.255.255.0

ip loCorp pool USER-CLIENT-IP-ADDR-POOL 172.16.4.32-172.16.4.63
ip loCorp pool NEW-USER-Client-IP-ADDR-POOL 10.70.10.50-10.70.10.150 mask 255.255.254.0
ip loCorp pool WAD-SUPPORT-IP-ADDR-POOL 172.16.4.240-172.16.4.250 mask 255.255.255.0

no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
no asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,DMZ) 834-Subnet 834-Subnet netmask 255.255.255.0
static (inside,DMZ) 192.168.120.0 192.168.120.0 netmask 255.255.255.0
static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.252.0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside,DMZ) 197.26.1.0 197.26.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.57.10.0 10.57.10.0 netmask 255.255.255.0
static (inside,DMZ) 834-Core-RTR 834-Core-RTR netmask 255.255.255.255

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ

route outside 0.0.0.0 0.0.0.0 <> 1
route inside 10.0.0.0 255.0.0.0 VAL-CoreStack-SW 1
route inside 834-Subnet 255.255.255.0 834-Core-RTR 1

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set CorpSet esp-3des esp-md5-hmac
crypto ipsec transform-set STRONG-AES-TSET esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set STRONG-3DES-TSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-DES-SHA
crypto map IPSEC-MAP-OUTSIDE 1 match address outside_1_cryptomap
crypto map IPSEC-MAP-OUTSIDE 1 set pfs
crypto map IPSEC-MAP-OUTSIDE 1 set peer xxx.xxx.xxx.xxx
crypto map IPSEC-MAP-OUTSIDE 1 set transform-set ESP-3DES-SHA
crypto map IPSEC-MAP-OUTSIDE 2 match address outside_cryptomap_2
crypto map IPSEC-MAP-OUTSIDE 2 set pfs
crypto map IPSEC-MAP-OUTSIDE 2 set peer <>
crypto map IPSEC-MAP-OUTSIDE 2 set transform-set ESP-3DES-SHA
crypto map IPSEC-MAP-OUTSIDE 2 set security-association lifetime seconds 86400
crypto map IPSEC-MAP-OUTSIDE 20 match address ipsec-to-pms-rsn
crypto map IPSEC-MAP-OUTSIDE 20 set peer xxx.xxx.xxx.xxx
crypto map IPSEC-MAP-OUTSIDE 20 set security-association lifetime seconds 3600
crypto map IPSEC-MAP-OUTSIDE 20 set security-association lifetime kilobytes 4608000
crypto map IPSEC-MAP-OUTSIDE 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IPSEC-MAP-OUTSIDE 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map IPSEC-MAP-OUTSIDE interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 4
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

group-policy CorpCareSSL internal
group-policy CorpCareSSL attributes
vpn-tunnel-protocol svc webvpn
webvpn
  url-list none
  svc ask enable
group-policy DfltGrpPolicy attributes
group-policy CorpCare internal
group-policy CorpCare attributes
dns-server value 10.70.0.100 10.0.0.3
vpn-tunnel-protocol IPSec
default-domain value Corpcare.loCorp
address-pools value NEW-USER-Client-IP-ADDR-POOL

tunnel-group DefaultRAGroup general-attributes
address-pool (outside) WAD-SUPPORT-IP-ADDR-POOL
authentication-server-group (outside) LOCorp
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (outside) WAD-SUPPORT-IP-ADDR-POOL
authentication-server-group (outside) LOCorp
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group xxx.xxx.xxx.xxxtype ipsec-l2l
tunnel-group xxx.xxx.xxx.xxxipsec-attributes
pre-shared-key *****
tunnel-group WAD_Support_VPN type remote-access
tunnel-group WAD_Support_VPN general-attributes
address-pool (outside) WAD-SUPPORT-IP-ADDR-POOL
authentication-server-group (outside) LOCorp
tunnel-group WAD_Support_VPN ipsec-attributes
pre-shared-key *****
tunnel-group Staff_Client_VPN type remote-access
tunnel-group Staff_Client_VPN general-attributes
address-pool (outside) USER-CLIENT-IP-ADDR-POOL
authentication-server-group (outside) IAS-Radius-Auth
tunnel-group Staff_Client_VPN ipsec-attributes
pre-shared-key *****
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
tunnel-group CorpCare type remote-access
tunnel-group CorpCare general-attributes
address-pool (Internal-Management) NEW-USER-Client-IP-ADDR-POOL
address-pool WAD-SUPPORT-IP-ADDR-POOL
authentication-server-group CorpCare
default-group-policy CorpCare
tunnel-group CorpCare ipsec-attributes
pre-shared-key *****
tunnel-group "834 test" type ipsec-l2l
tunnel-group "834 test" ipsec-attributes
pre-shared-key *****
tunnel-group <> type ipsec-l2l
tunnel-group <> ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect dns preset_dns_map
!
: end

Re: Unable to access additional IP Range over Site-to-Site IPSec

Hi there,

You VPN Peers do not agree on lan segment between these two vpn peers.

On your ASA

access-list inside_outbound_nat0_acl extended permit ip any <> 255.255.255.0

and

Router:

access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

Please make it explicity identical subnet declaration between two vpn peers and lastly please add this route on ASA.

Same issue on this ACL as well, not identical subnet declaration between two vpn peers, so please make it indentical from both ends.

access-list outside_cryptomap_2 extended permit ip object-group <> <> 255.255.255.0

route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW

Let me know the result.

thanks

Rizwan Rafeek

New Member

Unable to access additional IP Range over Site-to-Site IPSec VPN

Thanks Rizwan, you're a legend.

Just for clarification - What is the "technical" reason for the ACL having to reflect the exact opposite at each end? I assumed that the "any" statement should cover all the possible sources?

Or is that just the way it is.

Thanks again.

Unable to access additional IP Range over Site-to-Site IPSec VPN

"Just for clarification - What is the "technical" reason for the ACL having to reflect the exact opposite at each end?"

They must match, they cannot be assumed otherwise it is a security breach.

Hope that answers your question.

thanks

Rizwan Rafeek.

2136
Views
0
Helpful
7
Replies
CreatePlease login to create content