10-05-2016 07:20 AM
This has to be something easy I'm missing. I have a main site with a Cisco ASA 5520 and a remote site with a Cisco ASA 5506. I already have an ezvpn site to site set up with several vlans added. I just tried to add another one and can't get pings to go over the tunnel. My configs are below:
MAIN SITE ASA
object-group network Internal_Networks
network-object 12.1.80.0 255.255.255.0
network-object 12.1.70.0 255.255.255.0
network-object 12.1.60.0 255.255.255.0
object network remote_network_1
subnet 12.4.1.0 255.255.255.0
access-list ezvpn_split extended permit ip object-group Internal_Networks object remote_network_1
group-policy ezvpnpolicy internal
group-policy ezvpnpolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn_split
nem enable
username <remote site 1> password <removed>
====================
REMOTE SITE 1 ASA
vpnclient server <ezvpn server IP>
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup <ezvpn group name> password *****
vpnclient username <remote site 1 ezvpn name> password *****
vpnclient enable
PROBLEM: I have the 12.1.80.0 and the 12.1.70.0 subnets pinging to the remote subnet 12.4.1.0 just fine. I added the 12.1.60.0 subnet and can't get it pinging with the 12.4.1.0. What am I missing?
10-05-2016 08:04 AM
Below is my nat entry on the Main ASA:
nat (inside,outside) source static Internal_Networks Internal_Networks destination static remote_network_1 remote_network_1 no-proxy-arp route-lookup
10-05-2016 11:00 AM
I tried removing and re-applying that nat statement, that didn't work. I tried pulling the 12.4.1.0 subnet out of the Internal_Networks and put it in its own group, applied that to the device, that didn't work either.
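The two server-side conditions the thread is circling (the new subnet must be in the split-tunnel ACL and in the identity NAT rule) can be checked mechanically. The script below is an added example, not code from the original post or from Cisco: it parses the main-site ASA excerpts quoted above (reconstructed inline as a constant; the leading-space indentation of block members is assumed, matching how the ASA prints them) and reports whether a given source/destination pair is covered by both the split-tunnel ACL and a NAT exemption. The function names and the config constant are mine, and the parser only handles the operand forms that appear in this thread (object, object-group, host, address/mask) plus twice-NAT identity rules.

```python
import ipaddress
import re

# Constructed from the main-site ASA excerpts quoted in the thread; the
# one-space indentation of block members mirrors 'show running-config' output.
MAIN_SITE_CONFIG = """
object-group network Internal_Networks
 network-object 12.1.80.0 255.255.255.0
 network-object 12.1.70.0 255.255.255.0
 network-object 12.1.60.0 255.255.255.0
object network remote_network_1
 subnet 12.4.1.0 255.255.255.0
access-list ezvpn_split extended permit ip object-group Internal_Networks object remote_network_1
group-policy ezvpnpolicy internal
group-policy ezvpnpolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn_split
 nem enable
nat (inside,outside) source static Internal_Networks Internal_Networks destination static remote_network_1 remote_network_1 no-proxy-arp route-lookup
"""


def parse_objects(config):
    """Map each 'object network' / 'object-group network' name to its list of networks."""
    objects = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"object(?:-group)? network (\S+)$", line)
        if header:
            current = header.group(1)
            objects.setdefault(current, [])
            continue
        if current is None:
            continue
        member = re.match(r"(?:network-object|subnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", line)
        if member:
            # ipaddress accepts 'address/dotted-mask' directly
            objects[current].append(ipaddress.IPv4Network(f"{member.group(1)}/{member.group(2)}"))
            continue
        host = re.match(r"(?:network-object host|host) (\d+\.\d+\.\d+\.\d+)$", line)
        if host:
            objects[current].append(ipaddress.IPv4Network(f"{host.group(1)}/32"))
            continue
        nested = re.match(r"network-object object (\S+)$", line)
        if nested:
            objects[current].extend(objects.get(nested.group(1), []))
            continue
        current = None  # any other command ends the block
    return objects


def resolve(operand, objects):
    """Resolve an ACL operand ('object X', 'object-group X', 'host A', 'A M') to networks."""
    kind, value = operand.split()
    if kind in ("object", "object-group"):
        return objects[value]
    if kind == "host":
        return [ipaddress.IPv4Network(f"{value}/32")]
    return [ipaddress.IPv4Network(f"{kind}/{value}")]  # plain 'address mask' form


def split_tunnel_pairs(config, acl_name, objects):
    """Return (src_nets, dst_nets) for every 'permit ip' entry of the split-tunnel ACL."""
    pattern = re.compile(rf"access-list {re.escape(acl_name)} extended permit ip (\S+ \S+) (\S+ \S+)")
    pairs = []
    for raw in config.splitlines():
        m = pattern.match(raw.strip())
        if m:
            pairs.append((resolve(m.group(1), objects), resolve(m.group(2), objects)))
    return pairs


def nat_exempt_pairs(config, objects):
    """Return (src_nets, dst_nets) for every twice-NAT rule whose real and mapped sides are identical."""
    pattern = re.compile(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    pairs = []
    for raw in config.splitlines():
        m = pattern.match(raw.strip())
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            pairs.append((objects[m.group(1)], objects[m.group(3)]))
    return pairs


def covered(pairs, src, dst):
    """True if some (src_nets, dst_nets) pair contains both addresses."""
    return any(any(src in n for n in s) and any(dst in n for n in d) for s, d in pairs)


def check_path(config, src_ip, dst_ip, acl_name="ezvpn_split"):
    """Report whether src->dst is in the split-tunnel list and NAT-exempt on the main ASA."""
    objects = parse_objects(config)
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return {
        "split_tunnel": covered(split_tunnel_pairs(config, acl_name, objects), src, dst),
        "nat_exempt": covered(nat_exempt_pairs(config, objects), src, dst),
    }


if __name__ == "__main__":
    for host in ("12.1.80.10", "12.1.60.10", "12.1.50.10"):
        print(host, "-> 12.4.1.10", check_path(MAIN_SITE_CONFIG, host, "12.4.1.10"))
```

Run as-is, it reports both checks true for a 12.1.60.0/24 host (and false for a subnet such as 12.1.50.0/24 that is in neither object), which says the main-site policy is internally consistent and moves attention to what a config diff cannot see: the split-tunnel list the 5506 actually holds (the EzVPN hardware client receives that list when the tunnel is established, so an ACL change on the server is not reflected until the tunnel is rebuilt) and the remote side's own routing and NAT for the new subnet.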