https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337136#M969233 <P>I cant spot an issue with your config, the NAT seems correct and the crypto maps have the right objects in them.</P> <P>&nbsp;</P> <P>can you double check and run the packet tracer on both ASAs and see if the traffic passes&nbsp;through/ie isnt blockedn still</P> <P>&nbsp;</P> <P>cheers</P> Sat, 24 Feb 2018 13:07:25 GMT Dennis Mink 2018-02-24T13:07:25Z https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337107#M969230 <P>At an customer site i have an Site to Site VPN Tunnel. At the Main Office (SiteA) i also have an AnyConnect VPN solution. At Side A the Firewall has two WAN Connections. One connection is for normal internet access and the other is an specific Intranetconnection to an Dealer Network. At the dealernetwork there are some webservers etc, i have to reach.</P> <P>&nbsp;</P> <P>Site A is working perfect. Internet traffic is going over WAN, while the dealersites requests are going over WAN_PON (second WAN port at Site A). At site A i can ping any host at Site B (and Vice Versa). I Also can manage and reach both ASA Firewall's.</P> <P>The ony problem i have (and i cannot figure out why) is that at Site B, they have to be able to reach the dealernetwork (which is on site A) and i cannot see why.</P> <P>&nbsp;</P> <P>Both configurations of the ASA's are attached.</P> <P>Site A: ASA5506-X HQ.txt</P> <P>Site B: ASA5506-X Branche</P> <P>&nbsp;</P> <P>Please help to find the correct solution. Thank you so much for help...</P> Fri, 21 Feb 2020 15:25:44 GMT https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337107#M969230 Robbert Tol 2020-02-21T15:25:44Z https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337115#M969231 <P>Robbert can you confirm that you have a problem between:</P> <P>&nbsp;</P> <P>192.168.1.254 255.255.255.0 site a</P> <P><BR /> ip address 192.168.100.1 255.255.255.0 hq</P> <P>&nbsp;</P> <P>if not state the subnets you have a problem with.&nbsp; can you ping LAN if ASA to LAn interface other ASA at all?</P> <P>&nbsp;</P> <P>Groeten</P> Sat, 24 Feb 2018 11:45:15 GMT https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337115#M969231 Dennis Mink 2018-02-24T11:45:15Z https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337117#M969232 <P>Dennis,</P> <P>&nbsp;</P> <P>Site A (HQ) ASA: 192.168.100.1</P> <P>Site B (Branche) ASA: 192.168.1.254</P> <P>ASA 's can ping each other. Hosts on the internal networks can also ping/reach each other.</P> <P>&nbsp;</P> <P>Site B (Remote site) has also internet access, but from site B users must be able to reach 10.0.0.0 255.0.0.0 network, which is connected at Site A on the WAN_PON port (Second WAN).</P> <P>Users at Site A can reach this network already.</P> Sat, 24 Feb 2018 12:05:45 GMT https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337117#M969232 Robbert Tol 2018-02-24T12:05:45Z https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337136#M969233 <P>I cant spot an issue with your config, the NAT seems correct and the crypto maps have the right objects in them.</P> <P>&nbsp;</P> <P>can you double check and run the packet tracer on both ASAs and see if the traffic passes&nbsp;through/ie isnt blockedn still</P> <P>&nbsp;</P> <P>cheers</P> Sat, 24 Feb 2018 13:07:25 GMT https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337136#M969233 Dennis Mink 2018-02-24T13:07:25Z https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337950#M969234 <P>Packet trace from brancheoffice ASA</P> <P>&nbsp;</P> <P>ASA5506X-ZTM(config)# packet-tracer input inside tcp 192.168.1.110 80 10.200.153.29 80</P> <P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 145.131.166.97 using egress ifc outside</P> <P>Phase: 3<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (inside,outside) source static Internal_LAN Internal_LAN destination static Waddinxveen_HQ_Group Waddinxveen_HQ_Group no-proxy-arp route-lookup<BR />Additional Information:<BR />NAT divert to egress interface outside<BR />Untranslate 10.200.153.29/80 to 10.200.153.29/80</P> <P>Phase: 4<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (inside,outside) source static Internal_LAN Internal_LAN destination static Waddinxveen_HQ_Group Waddinxveen_HQ_Group no-proxy-arp route-lookup<BR />Additional Information:<BR />Static translate 192.168.1.110/80 to 192.168.1.110/80</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 6<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 7<BR />Type: VPN<BR />Subtype: encrypt<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 8<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />nat (inside,outside) source static Internal_LAN Internal_LAN destination static Waddinxveen_HQ_Group Waddinxveen_HQ_Group no-proxy-arp route-lookup<BR />Additional Information:</P> <P>Phase: 9<BR />Type: VPN<BR />Subtype: ipsec-tunnel-flow<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 10<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 11<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 12<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 12274, packet dispatched to next module</P> <P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P> Mon, 26 Feb 2018 15:39:44 GMT https://community.cisco.com/t5/network-security/site-2-site-unable-to-reach-specific-destination-at-remote-site/m-p/3337950#M969234 Robbert Tol 2018-02-26T15:39:44Z