ASA to 1760 VPN problem, route missing on ASA

tahequivoice
Level 2

I have a L2L IPSec tunnel between sites, and the networks encrypted are 10.100.103.16/28 to a group of single host addresses, 10.4.1.2 - 10.4.1.11.

Tunnel works, ACLs match 100%, even getting IPsec SAs for the individual IPs. Here is what is stumping me: 2 of the IPs are not in the ASA route table, 10.4.1.4 and 10.4.1.6; all the rest are in the table. One other thing: if I try to ping either of the IPs from the ASA side, it will not attempt to create the tunnel, but if the other side pings from either IP the tunnel is built and I can see the PING attempt come through, but no response back. The route is in the network, and I can ping 10.4.1.2, 3, 5, 7, 8, 9, 10, and 11. All of them have a statement in the ASA route. So everything is in place except for the route on the ASA.

      access-list Remote-VPN permit ip 10.100.103.16 255.255.255.240 host 10.4.1.2
      remote ident (addr/mask/prot/port): (10.4.1.2/255.255.255.255/0/0)

      access-list Remote-VPN permit ip 10.100.103.16 255.255.255.240 host 10.4.1.6
      remote ident (addr/mask/prot/port): (10.4.1.6/255.255.255.255/0/0)

object-group network Remote-IP
network-object host 10.4.1.2
network-object host 10.4.1.3
network-object host 10.4.1.4
network-object host 10.4.1.5
network-object host 10.4.1.6
network-object host 10.4.1.7
network-object host 10.4.1.8
network-object host 10.4.1.9
network-object host 10.4.1.10
network-object host 10.4.1.11

access-list Remote-VPN extended permit ip 172.16.200.0 255.255.255.0 object-group Remote-IP
access-list Remote-VPN extended permit ip 10.100.103.16 255.255.255.240 object-group Remote-IP

access-list NoNat extended permit ip 10.100.103.16 255.255.255.240 object-group Remote-IP
access-list NoNat extended permit ip 172.16.200.0 255.255.255.0 object-group Remote-IP

nat (inside) 0 access-list NoNat

S    10.4.1.11 255.255.255.255 [1/0] via x.x.x.x, outside
S    10.4.1.10 255.255.255.255 [1/0] via, outside
S    10.4.1.9 255.255.255.255 [1/0] via , outside
S    10.4.1.8 255.255.255.255 [1/0] via , outside
S    10.4.1.7 255.255.255.255 [1/0] via , outside
S    10.4.1.5 255.255.255.255 [1/0] via , outside
S    10.4.1.3 255.255.255.255 [1/0] via , outside
S    10.4.1.2 255.255.255.255 [1/0] via , outside

Remote side ACL

ip access-list extended Westerkamp
remark SDM_ACL Category=4
permit ip host 10.4.1.2 172.16.200.0 0.0.0.255
permit ip host 10.4.1.3 172.16.200.0 0.0.0.255
permit ip host 10.4.1.4 172.16.200.0 0.0.0.255
permit ip host 10.4.1.5 172.16.200.0 0.0.0.255
permit ip host 10.4.1.6 172.16.200.0 0.0.0.255
permit ip host 10.4.1.7 172.16.200.0 0.0.0.255
permit ip host 10.4.1.8 172.16.200.0 0.0.0.255
permit ip host 10.4.1.9 172.16.200.0 0.0.0.255
permit ip host 10.4.1.10 172.16.200.0 0.0.0.255
permit ip host 10.4.1.11 172.16.200.0 0.0.0.255
permit ip host 10.4.1.11 10.100.103.16 0.0.0.15
permit ip host 10.4.1.10 10.100.103.16 0.0.0.15
permit ip host 10.4.1.9 10.100.103.16 0.0.0.15
permit ip host 10.4.1.8 10.100.103.16 0.0.0.15
permit ip host 10.4.1.7 10.100.103.16 0.0.0.15
permit ip host 10.4.1.6 10.100.103.16 0.0.0.15
permit ip host 10.4.1.5 10.100.103.16 0.0.0.15
permit ip host 10.4.1.4 10.100.103.16 0.0.0.15
permit ip host 10.4.1.3 10.100.103.16 0.0.0.15
permit ip host 10.4.1.2 10.100.103.16 0.0.0.15

What is keeping the 2 IPs out of the routing table?
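An added check, written for this thread and not part of the original post, that reproduces the diagnosis offline: it parses the ASA static routes and the Remote-IP object group, does a longest-prefix match for each peer host, and reports the peers whose best route does not leave via outside. The route table is constructed from the post's lines with placeholder next hops (the post redacts them) plus the 10.0.0.0/8 inside route the poster describes, which is what catches traffic for a peer that has no reverse-route entry.

```python
import ipaddress
import re

# Constructed sample: the /32 reverse-route entries shown in the post plus a
# "global 10.0.0.0/8" route out the inside interface. Next hops are placeholders.
ROUTE_TABLE = """\
S    10.0.0.0 255.0.0.0 [1/0] via 10.100.103.17, inside
S    10.4.1.11 255.255.255.255 [1/0] via 203.0.113.1, outside
S    10.4.1.10 255.255.255.255 [1/0] via 203.0.113.1, outside
S    10.4.1.9 255.255.255.255 [1/0] via 203.0.113.1, outside
S    10.4.1.8 255.255.255.255 [1/0] via 203.0.113.1, outside
S    10.4.1.7 255.255.255.255 [1/0] via 203.0.113.1, outside
S    10.4.1.5 255.255.255.255 [1/0] via 203.0.113.1, outside
S    10.4.1.3 255.255.255.255 [1/0] via 203.0.113.1, outside
S    10.4.1.2 255.255.255.255 [1/0] via 203.0.113.1, outside
"""

# The object group from the post, 10.4.1.2 through 10.4.1.11.
OBJECT_GROUP = "object-group network Remote-IP\n" + "".join(
    f"network-object host 10.4.1.{i}\n" for i in range(2, 12))

# code  network  mask  [ad/metric]  via <nexthop>, <interface>
ROUTE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s*[^,]*,\s*(\S+)")

def parse_routes(text):
    """Return [(network, interface)] from 'show route' style static entries."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    return routes

def group_hosts(text, name):
    """Return the host addresses listed under 'object-group network <name>'."""
    hosts, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["object-group", "network"]:
            current = parts[2]
        elif current == name and parts[:2] == ["network-object", "host"]:
            hosts.append(ipaddress.ip_address(parts[2]))
    return hosts

def best_route(addr, routes):
    """Longest-prefix match for addr; returns (network, interface) or None."""
    matches = [(n, i) for n, i in routes if addr in n]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def peers_not_via(hosts, routes, iface="outside"):
    """Peers whose best route does not exit via iface -> {host: (net, iface) | None}."""
    result = {}
    for h in hosts:
        r = best_route(h, routes)
        if r is None or r[1] != iface:
            result[str(h)] = None if r is None else (str(r[0]), r[1])
    return result
```

Run against the poster's own `show route` and object group output, the dictionary this returns lists exactly the peers that the ASA would forward through the wrong interface instead of the tunnel.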

2 Replies

Hi,

Were those static routes added manually to the routing table, or by the ASA when the VPN client connected?

What if you manually add the route to those IPs?

Federico.

They are "supposed" to be added when an IPSec SA is established, but for some odd reason, 10.4.1.4 and 10.1.4.6 do not get added. I found a workaround that isn't pretty. Instead of a global 10.0.0.0/8 route, I broke it down into the actual networks that I need routed back into the network, so the default route 0.0.0.0 would force the 10.1.4 & 6 to use the outside interface. So they are working now, just not how they are supposed to.