07-09-2013 10:50 AM
I have an L2L VPN between a 5515 (hub) and a remote site with a 5505 established; however, at the hub there is another network range which is routed via the same gateway.
The interesting traffic as well as the nat statement is defined with an object-group that includes two ranges 10.10.0.0/16 & 192.168.0.0/24. Everything on the 10.10/16 range is reachable, but nothing is reachable on the 192.168/24 from the remote site (obviously, reachable from the hub).
Seeing that the access-lists & nat statement use the object-group which includes both of the ranges and both routes are defined by the same gateway, any ideas why one network would be reachable and the other not?
ps. same-security-traffic permit intra/inter interface is configured.
Thanks in advance for any help!
07-09-2013 11:18 AM
Since you are able to access the 10.10.0.0/16 network, that means your tunnel is up.
Check whether you have the correct access-list in the remote site ASA 5505 allowing 192.168.0.0/24.
Please try to run the packet-tracer and paste the output;
this will give us a clear understanding of why you are not able to reach the 192.168.0.0/24 network from the remote ASA 5505:
"packet-tracer input inside icmp (remote network any host ip) 8 0 (any host in 192.168.0.X)"
Potha
07-09-2013 11:39 AM
Thanks for the quick response! I've run the packet-tracer before, and phase 4 drops the packet on an access-list (implicit rule).
The access-lists are as follows (Brazos-Nets includes both 10.10/16 and 192.168.0/24):
"access-list outside_cryptomap extended permit ip 10.2.2.0 255.255.255.0 object-group Brazos-Nets"
"access-list outside_cryptomap extended permit ip object-group Brazos-Nets interface outside"
Packet-Tracer Output:
=====================================
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0da370, priority=1, domain=permit, deny=false
hits=1686966, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-net inside-net destination static Brazos-Nets Brazos-Nets no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.0.120/0 to 192.168.0.120/0
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb0e60a8, priority=500, domain=permit, deny=true
hits=2, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.2.2.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
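Added example (not part of the thread): a small parser for packet-tracer output in the shape pasted above. It splits the output into phases and returns the first phase whose Result is DROP, together with the Config lines that matched (here the phase 4 "Implicit Rule") and the final Drop-reason, so the rejecting rule can be read off directly instead of scanning the whole dump. The SAMPLE text is constructed from the output above and abbreviated.

```python
# Constructed sample in the shape of the packet-tracer output above (abbreviated).
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-net inside-net destination static Brazos-Nets Brazos-Nets no-proxy-arp route-lookup
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
in id=0xcb0e60a8, priority=500, domain=permit, deny=true
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): a dict per 'Phase:' block and the trailing 'Result:' block."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, value = line.partition(":")
        if key == "Phase" and value.strip().isdigit():
            cur = {"phase": int(value), "type": "", "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                  # bare header opens the final summary block
            cur, section = None, None
        elif cur is None:                        # summary lines, e.g. "Drop-reason: (acl-drop) ..."
            summary[key.strip().lower().replace("-", "_")] = value.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if key == "Config" else "info"
        elif key in ("Type", "Subtype", "Result"):
            cur[key.lower()], section = value.strip(), None
        elif section:                            # body line of Config / Additional Information
            cur[section].append(line)
    return phases, summary

def dropping_phase(text):
    """First phase whose Result is DROP (or None) together with the summary Drop-reason."""
    phases, summary = parse_packet_tracer(text)
    hit = next((p for p in phases if p["result"].upper() == "DROP"), None)
    return hit, summary.get("drop_reason", "")
```

Feed it the full output of `show`-style pastes such as the one above; a Config section that reads "Implicit Rule" rather than a named access-list entry tells you no explicit rule on that interface matched the flow.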
07-09-2013 12:54 PM
Can you paste the configuration of your remote site ASA 5505?
Check if you have any access-list which is denying implicitly.
07-09-2013 12:59 PM
Why are you using this config?
"access-list outside_cryptomap extended permit ip object-group Brazos-Nets interface outside"
07-09-2013 03:42 PM
Thank you for taking the time and replying. It turns out the issue had nothing to do with the ASA configs. I was unaware they had dual internet connections on their machines and a second router/gateway, so I just had to add routes and all is well.
My apologies for wasting your time, and thank you again.