ASA VPN no traffic to remote WAN

cuchara61
Level 1

ASA 1 with a VPN to ASA 2. There is a private WAN behind ASA 2 that I can't seem to reach from ASA 1. It has to be something obvious I'm missing, as I can talk ASA to ASA and ASA 1 can talk to the WAN....

Map attached. Sanitized configs....

ASA 1
ASA Version 7.2(4)
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.72.1 255.255.248.0
!
access-list 100 extended permit ip 10.0.72.0 255.255.248.0 10.0.0.0 255.255.248.0
access-list 100 extended permit ip 10.0.72.0 255.255.248.0 10.0.16.0 255.255.248.0
access-list nonat extended permit ip 10.0.72.0 255.255.248.0 10.0.0.0 255.255.248.0
access-list nonat extended permit ip 10.0.72.0 255.255.248.0 10.0.16.0 255.255.248.0
access-list 102 extended permit udp any any eq isakmp
access-list 102 extended permit esp any any
access-list 102 extended permit icmp any any
!
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 68.x.x.1 1
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 72.x.x.210
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
!
tunnel-group 72.x.x.210 type ipsec-l2l
tunnel-group 72.x.x.210 ipsec-attributes
pre-shared-key *

-----------------------------------------
ASA 2
ASA Version 7.2(4)
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.56 255.255.248.0
!
same-security-traffic permit intra-interface
access-list 100 extended permit ip 10.0.0.0 255.255.248.0 10.0.72.0 255.255.248.0
access-list 100 extended permit ip 10.0.16.0 255.255.248.0 10.0.72.0 255.255.248.0
access-list nonat extended permit ip 10.0.0.0 255.255.248.0 10.0.72.0 255.255.248.0
access-list nonat extended permit ip 10.0.16.0 255.255.248.0 10.0.72.0 255.255.248.0
access-list 102 extended permit udp any any eq isakmp
access-list 102 extended permit esp any any
access-list 102 extended permit icmp any any
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 102 in interface outside
route inside 10.0.16.0 255.255.248.0 10.0.0.1 1
route outside 0.0.0.0 0.0.0.0 72.x.x.1 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 30 match address 100
crypto map outside_map 30 set peer 68.x.x.220
crypto map outside_map 30 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
tunnel-group 68.x.x.220 type ipsec-l2l
tunnel-group 68.x.x.220 ipsec-attributes
pre-shared-key *
----------------------------------------------------------------
Thanks in advance.
1 Reply

Vikas Saxena
Cisco Employee

The Cisco router on the WAN side with IP address 10.0.16.1/21 should either have a route to 10.0.72.0 pointing towards 10.1.1.1/30 or have its default route pointing towards 10.1.1.1/30.

The Cisco router with IP address 10.1.1.1/30 should either have a route for 10.0.72.0 towards the ASA at 10.0.0.56 or have its default gateway pointing towards the ASA.

Please check the routing on the internal network (WAN) for 10.0.72.0 if the tunnel is up.
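The reply's diagnosis is a return-path problem, not a crypto problem: the two crypto ACLs posted above are exact mirrors, so traffic from 10.0.72.0/21 is encrypted and delivered to the 10.0.16.0/21 side, but the WAN routers behind ASA 2 have no route that sends 10.0.72.0/21 replies back to the ASA. The script below is an added example written for this page (it is not from the thread or from Cisco) that does the two checks a practitioner makes in this situation: it parses the posted ACL lines and verifies that the crypto ACLs mirror each other and that the nonat ACLs cover the same pairs, and it traces the return path hop by hop through a small routing model. The ACL text is the thread's own; the router routing tables and the device labels RouterA (10.1.1.1/30, 10.0.0.1), RouterB (10.0.16.1/21), WanCore and Internet are assumed for illustration, because the thread does not show the router configs.

```python
"""Two checks for an IPsec L2L tunnel that is up but cannot reach one remote subnet.

1. Crypto ACL mirror check: every (src, dst) pair on one ASA must appear as
   (dst, src) on the peer, and the nonat ACL must exempt the same pairs.
2. Return-path trace: every hop between the far subnet and the ASA must have a
   route (or a default) that leads back to the ASA terminating the tunnel.
"""
import ipaddress
import re

# Constructed sample input: the ACL lines exactly as posted in the thread.
ASA1_CONFIG = """
access-list 100 extended permit ip 10.0.72.0 255.255.248.0 10.0.0.0 255.255.248.0
access-list 100 extended permit ip 10.0.72.0 255.255.248.0 10.0.16.0 255.255.248.0
access-list nonat extended permit ip 10.0.72.0 255.255.248.0 10.0.0.0 255.255.248.0
access-list nonat extended permit ip 10.0.72.0 255.255.248.0 10.0.16.0 255.255.248.0
"""
ASA2_CONFIG = """
access-list 100 extended permit ip 10.0.0.0 255.255.248.0 10.0.72.0 255.255.248.0
access-list 100 extended permit ip 10.0.16.0 255.255.248.0 10.0.72.0 255.255.248.0
access-list nonat extended permit ip 10.0.0.0 255.255.248.0 10.0.72.0 255.255.248.0
access-list nonat extended permit ip 10.0.16.0 255.255.248.0 10.0.72.0 255.255.248.0
"""

ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)


def net(s):
    """Shorthand for an IPv4 network in prefix notation."""
    return ipaddress.ip_network(s)


def parse_acl(config, name):
    """Return the set of (src_net, dst_net) pairs of the named extended ACL."""
    pairs = set()
    for acl, s, sm, d, dm in ACL_RE.findall(config):
        if acl == name:
            pairs.add((ipaddress.ip_network(f"{s}/{sm}", strict=False),
                       ipaddress.ip_network(f"{d}/{dm}", strict=False)))
    return pairs


def mirror_mismatches(local, remote):
    """(pairs the remote side is missing, pairs the local side is missing)."""
    expected_remote = {(d, s) for s, d in local}
    expected_local = {(d, s) for s, d in remote}
    return expected_remote - remote, expected_local - local


def nonat_covers_crypto(config):
    """True if every crypto-ACL pair is also exempted from NAT (nat 0)."""
    return parse_acl(config, "100") <= parse_acl(config, "nonat")


def next_hop(table, dst):
    """Longest-prefix match over a list of (network, next_hop_label)."""
    candidates = [(n, nh) for n, nh in table if dst in n]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e[0].prefixlen)[1]


def trace_return_path(tables, first_hop, dst, max_hops=8):
    """Follow a packet for dst hop by hop; returns (path, outcome)."""
    dst = ipaddress.ip_address(dst)
    path, hop = [first_hop], first_hop
    while len(path) <= max_hops:
        nh = next_hop(tables[hop], dst)
        if nh is None:
            return path, "dropped: no route"
        if nh == "tunnel":
            return path + ["tunnel"], "encrypted into the L2L tunnel"
        if nh not in tables:
            return path + [nh], "leaves the site untunnelled"
        path.append(nh)
        hop = nh
    return path, "routing loop"


# ASSUMED routing tables; the thread does not show the routers' configs.
# The ASA's crypto map intercepting 10.0.72.0/21 is modelled as a "tunnel" hop.
ASA2_TABLE = [(net("10.0.16.0/21"), "RouterA"),
              (net("10.0.72.0/21"), "tunnel"),
              (net("0.0.0.0/0"), "Internet")]
BROKEN_TABLES = {   # RouterB's default points away from the tunnel site
    "RouterB": [(net("0.0.0.0/0"), "WanCore")],
    "RouterA": [(net("10.0.16.0/21"), "RouterB"), (net("0.0.0.0/0"), "WanCore")],
    "ASA2": ASA2_TABLE,
}
FIXED_TABLES = {    # routes for 10.0.72.0/21 added as the reply recommends
    "RouterB": [(net("10.0.72.0/21"), "RouterA")],
    "RouterA": [(net("10.0.16.0/21"), "RouterB"), (net("10.0.72.0/21"), "ASA2")],
    "ASA2": ASA2_TABLE,
}

if __name__ == "__main__":
    print("crypto ACL mismatches:",
          mirror_mismatches(parse_acl(ASA1_CONFIG, "100"), parse_acl(ASA2_CONFIG, "100")))
    print("nonat covers crypto:", nonat_covers_crypto(ASA1_CONFIG), nonat_covers_crypto(ASA2_CONFIG))
    for label, tables in (("broken", BROKEN_TABLES), ("fixed", FIXED_TABLES)):
        print(label, trace_return_path(tables, "RouterB", "10.0.72.10"))
```

With the posted ACLs the mirror check comes back clean on both sides, which is consistent with the symptom in the thread (ASA to ASA works, ASA 1 reaches the WAN): the fault is not in phase 2 selectors. The trace shows why: a host on 10.0.16.0/21 replies to 10.0.72.x, its gateway has no route for that prefix, and the packet follows the default away from ASA 2 and never reaches the crypto map. On a real ASA the same conclusion is reached by comparing the encaps and decaps counters in `show crypto ipsec sa` for the 10.0.16.0/21 proxy identity: decaps climbing with encaps stuck at zero means the far side is receiving but never sending back.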
