Site to Site VPN with multiple networks

gjohnson1963
Level 1

I have a site-to-site VPN with 4 networks on each end; I have no problem accessing 3 of them, but I cannot reach the fourth network. Packet Trace works with no errors on all four of them. All the configurations are set up identically. I am able to ping three of them but not the one; I see the ICMP packets get through for all of them but receive no response from the fourth.

4 Replies

shine pothen
Level 3

In order to help you further, please post the device configuration.

Also paste the packet trace output.

Sent from Cisco Technical Support iPad App

Posted

packet-tracer input DMZ-ISCSI icmp 10.10.60.10 0 0 10.10.160.10

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ-ISCSI,any) source static any any destination static MICH-dmz-iscsi-network MICH-dmz-iscsi-network no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.160.10/0 to 10.10.160.10/0

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-map-timestamp
match any
policy-map policy-map-timestamp
class class-map-timestamp
  set connection advanced-options tcp-map-timestamp
service-policy policy-map-timestamp global
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ-ISCSI,any) source static any any destination static MICH-dmz-iscsi-network MICH-dmz-iscsi-network no-proxy-arp
Additional Information:
Static translate 10.10.60.10/0 to 10.10.60.10/0

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map policy-map-timestamp
class inspection_default
  inspect icmp
service-policy policy-map-timestamp global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ-ISCSI,any) source static any any destination static MICH-dmz-iscsi-network MICH-dmz-iscsi-network no-proxy-arp
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4593909, packet dispatched to next module

Result:
input-interface: DMZ-ISCSI
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xx.xx.xx.xx standby xx.xx.xx.xx
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0 standby 192.168.50.5
!
interface GigabitEthernet0/2
nameif d-priv
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.5
!
interface GigabitEthernet0/3
nameif ISCSI
security-level 55
ip address 10.10.10.252 255.255.255.0 standby 10.10.10.5
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
nameif DMZ-ISCSI
security-level 56
ip address 10.10.60.1 255.255.255.0
!
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
!
interface Management0/0
management-only
nameif Mangement
security-level 0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.5
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.50.0
subnet 192.168.50.0 255.255.255.0
object network obj-192.168.60.0
subnet 192.168.60.0 255.255.255.0
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network MICH-inside-network
subnet 192.168.150.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MICH-ISCSI-network
subnet 10.10.110.0 255.255.255.0
object network MICH-d-priv-network
subnet 192.168.160.0 255.255.255.0
object-group network DM_INLINE_NETWORK_22
network-object 192.168.50.0 255.255.255.0
network-object 192.168.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_21
network-object 192.168.50.0 255.255.255.0
network-object 192.168.60.0 255.255.255.0
access-list dmz-in extended permit object-group DM_INLINE_SERVICE_7 192.168.60.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
access-list dmz-in extended permit ip 192.168.60.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 object-group DM_INLINE_NETWORK_8
access-list ISCSI_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 object MICH-ISCSI-network inactive
!
tcp-map tcp-map-timestamp
  tcp-options timestamp clear
!
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap informational
logging history critical
logging asdm informational
logging facility 16
logging queue 0
logging permit-hostdown
no logging message 710005
mtu outside 1500
mtu inside 1500
mtu d-priv 1500
mtu ISCSI 1500
mtu Mangement 1500
mtu DMZ-ISCSI 1500
ip verify reverse-path interface outside
failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
no arp permit-nonconnected
nat (inside,any) source static any any destination static DM_INLINE_NETWORK_17 DM_INLINE_NETWORK_17 no-proxy-arp
nat (d-priv,any) source static any any destination static MICH-d-priv-network MICH-d-priv-network no-proxy-arp
nat (ISCSI,any) source static any any destination static MICH-ISCSI-network MICH-ISCSI-network no-proxy-arp
nat (DMZ-ISCSI,any) source static any any destination static MICH-dmz-iscsi-network MICH-dmz-iscsi-network no-proxy-arp
nat (inside,outside) after-auto source dynamic any xx.xx.xx.xx
access-group 100 in interface outside
access-group dmz-in in interface d-priv
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ann_arbor 4 match address outside_cryptomap_2
crypto map ann_arbor 4 set pfs
crypto map ann_arbor 4 set peer xx.xx.xx.xx
crypto map ann_arbor 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ann_arbor 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx general-attributes
default-group-policy GroupPolicy_xx.xx.xx.xx
tunnel-group xx.xx.xx.xx ipsec-attributes
ikev1 pre-shared-key DRSite
ikev2 remote-authentication pre-shared-key DRSite
ikev2 local-authentication pre-shared-key DRSite
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
class-map global-class1
description SMTP01 Passive mode setting
match access-list global_mpc
class-map global-class2
match access-list global_mpc_1
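A check the symptom in this thread calls for, added here as an example that is neither the poster's nor Cisco's code: a passing packet-tracer on one ASA only proves the outbound direction, so when one of several networks gets no reply, the two peers' crypto-map ACLs and identity-NAT (NAT exemption) rules should be compared for that network. The config text inside the script is constructed on the thread's addressing (not the poster's full config), and the parser resolves `object network` subnets only, not object-groups.

```python
import ipaddress
import re

def parse_asa(config):
    """Parse 'object network' subnets, 'permit ip' ACL entries and identity-NAT rules."""
    objects, acls, nat_exempt, current = {}, {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            acls.setdefault(m.group(1), []).append(_src_dst(m.group(2).split(), objects))
        elif m := re.match(r"nat \(\S+\) source static any any destination static (\S+) \1\b", line):
            nat_exempt.append(objects[m.group(1)])  # identity NAT towards a remote network
    return acls, nat_exempt

def _src_dst(tokens, objects):
    nets = []
    while len(nets) < 2:
        if tokens[0] == "object":
            nets.append(objects[tokens[1]])
        else:
            nets.append(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"))
        tokens = tokens[2:]  # trailing keywords such as 'inactive' are ignored
    return tuple(nets)

def mirror_gaps(local_acl, remote_acl):
    """Local entries with no reversed (remote -> local) twin in the peer's crypto ACL."""
    reversed_remote = {(d, s) for s, d in remote_acl}
    return [e for e in local_acl if e not in reversed_remote]

def nat_exemption_gaps(local_acl, nat_exempt):
    """Remote networks the crypto ACL selects but no identity-NAT rule exempts."""
    return [d for _, d in local_acl if d not in nat_exempt]

# Constructed sample: the peer mirrors only the first network, and only the second is NAT-exempted.
LOCAL = """
object network MICH-dmz-iscsi-network
 subnet 10.10.160.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.10.60.0 255.255.255.0 object MICH-dmz-iscsi-network
nat (DMZ-ISCSI,any) source static any any destination static MICH-dmz-iscsi-network MICH-dmz-iscsi-network no-proxy-arp
"""
REMOTE = "access-list outside_cryptomap extended permit ip 192.168.150.0 255.255.255.0 192.168.50.0 255.255.255.0"

def check(local_cfg=LOCAL, remote_cfg=REMOTE):
    """Return (entries the peer does not mirror, remote networks without a NAT exemption)."""
    lacl, lnat = parse_asa(local_cfg)
    racl, _ = parse_asa(remote_cfg)
    local = lacl["outside_cryptomap_2"]
    return mirror_gaps(local, racl["outside_cryptomap"]), nat_exemption_gaps(local, lnat)
```

Run `check()` against both peers' running configs for the network that gets no reply; an entry in either list is a one-way tunnel selector, which is exactly the case that packet-tracer on the sending side will still report as allowed.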
