
Unable to access additional IP Range over Site-to-Site IPSec VPN

rowansakul
Beginner

Hi,
I am trying to set up a straightforward Site-to-Site IPSec VPN between an ASA 5510 (ASA Version 8.2(3)) at HQ and a Cisco 877 (12.4(24)T3) at a branch office.

At the branch end I have the 192.168.244.0/24 Subnet.
At the HQ end I have the 172.16.0.0/22 and the 10.0.0.0/8 Subnets
The inside interface of the ASA at HQ is 172.16.0.15/22

During the VPN Wizard Setup I ticked the NAT-T checkbox, and I have included the additional subnet in the protected local networks list.

I can successfully get access to all of the 172.16.0.0/22 subnets but not to anything in the 10.0.0.0/8 subnets.
The ASA Packet Trace tool shows that traffic from the inside interface from 172.16.0.0/22 heading to 192.168.244.0/24 via the outside interface passes correctly, but traffic from 10.0.0.0/8 does not. It doesn't give any specific information on why the 10.0.0.0/8 traffic is dropped.

[HQ_LAN]---10.0.0.0/8 & 172.16.0.0/22---172.16.0.15(inside_int)-[ASA 5510]---IPSEC---[RTR 877]---192.168.244.0/24---[BRANCH_LAN]

I suspect it might have something to do with NAT?

Please Help.

1 ACCEPTED SOLUTION

Hi there,

Your VPN peers do not agree on the LAN segments between these two VPN peers.

On your ASA

access-list inside_outbound_nat0_acl extended permit ip any <> 255.255.255.0

and

Router:

access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

Please make the subnet declarations explicitly identical between the two VPN peers, and lastly please add this route on the ASA.

Same issue on this ACL as well: the subnet declarations are not identical between the two VPN peers, so please make them identical from both ends.

access-list outside_cryptomap_2 extended permit ip object-group <> <> 255.255.255.0

route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW

Let me know the result.

thanks

Rizwan Rafeek

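The accepted answer makes two separate points that are easy to conflate: the crypto ACLs (proxy identities) on the two peers must be exact mirrors of each other, while the ASA's NAT-exemption ACL only has to cover the tunnel traffic. The following script, added here as an illustration and not posted by anyone in the thread, parses IOS wildcard-mask and ASA subnet-mask ACL lines and checks both conditions. The router ACL is the one posted in the thread; the ASA crypto and nat0 lines are constructed assumptions that reproduce the symptom described (only 172.16.0.0/22 reachable), since the thread's ASA lines are redacted. Function and variable names are the example's own.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (source network, destination network)


def _endpoint(tokens: List[str], i: int, wildcard: bool) -> Tuple[Net, int]:
    """Parse one ACL endpoint starting at tokens[i]; return (network, next index).
    Accepts 'any', 'host A.B.C.D' and 'A.B.C.D MASK'. IOS ACLs use wildcard
    masks (0.0.0.255), ASA ACLs use subnet masks (255.255.255.0); the wildcard
    is inverted explicitly so 0.0.0.0 and 255.255.255.255 are not ambiguous."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    mask = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wildcard:
        mask ^= 0xFFFFFFFF  # wildcard -> netmask
    netmask = str(ipaddress.IPv4Address(mask))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text: str, wildcard: bool) -> Tuple[List[Pair], List[str]]:
    """Return (src, dst) pairs from the 'permit ip' lines of an ACL, plus the
    lines that could not be resolved (object-group references need their
    definitions; redacted or malformed addresses raise ValueError)."""
    pairs, unresolved = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list") or " remark " in line:
            continue
        tokens = line.split()
        if "permit" not in tokens:
            continue  # deny entries never select traffic for the tunnel
        i = tokens.index("permit")
        if tokens[i + 1] != "ip" or "object-group" in tokens or "object" in tokens:
            unresolved.append(line)
            continue
        try:
            src, i = _endpoint(tokens, i + 2, wildcard)
            dst, _ = _endpoint(tokens, i, wildcard)
        except (IndexError, ValueError):
            unresolved.append(line)
            continue
        pairs.append((src, dst))
    return pairs, unresolved


def mirror_mismatches(router_pairs: List[Pair], asa_pairs: List[Pair]) -> List[str]:
    """Proxy identities must be exact mirrors: router entry (S, D) needs an ASA
    entry (D, S). A wider ASA entry such as 'any' is still a mismatch."""
    asa_set = set(asa_pairs)
    return [f"router {s} -> {d} has no exact ASA mirror {d} -> {s}"
            for s, d in router_pairs if (d, s) not in asa_set]


def nat_exempt_gaps(router_pairs: List[Pair], nat0_pairs: List[Pair]) -> List[str]:
    """NAT exemption only has to cover the tunnel traffic, so a supernet or
    'any' in the nat0 ACL is acceptable here, unlike in the crypto ACL."""
    gaps = []
    for s, d in router_pairs:
        covered = any(d.subnet_of(ns) and s.subnet_of(nd) for ns, nd in nat0_pairs)
        if not covered:
            gaps.append(f"ASA nat0 does not exempt {d} -> {s}")
    return gaps


# Constructed inputs. ROUTER_ACL is the ACL posted in the thread; the two ASA
# ACLs are assumptions that reproduce the reported symptom (10.0.0.0/8 missing).
ROUTER_ACL = """
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255
access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255
"""
ASA_CRYPTO_ACL = """
access-list outside_cryptomap_2 extended permit ip 172.16.0.0 255.255.252.0 192.168.244.0 255.255.255.0
"""
ASA_NAT0_ACL = """
access-list inside_outbound_nat0_acl extended permit ip 172.16.0.0 255.255.252.0 192.168.244.0 255.255.255.0
"""


def audit(router_acl: str = ROUTER_ACL, asa_crypto: str = ASA_CRYPTO_ACL,
          asa_nat0: str = ASA_NAT0_ACL) -> List[str]:
    """Run both checks and return every finding as a human-readable line."""
    r, ru = parse_acl(router_acl, wildcard=True)
    a, au = parse_acl(asa_crypto, wildcard=False)
    n, nu = parse_acl(asa_nat0, wildcard=False)
    findings = [f"unresolved: {line}" for line in ru + au + nu]
    return findings + mirror_mismatches(r, a) + nat_exempt_gaps(r, n)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

With the inputs above the script reports exactly the two defects the accepted answer describes: the 10.0.0.0/8 pair has no mirror in the ASA crypto ACL and is not NAT-exempted. Feed it the real `show running-config` output from both peers and it will also list any entry it cannot resolve, such as object-group references, so those can be expanded by hand.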

7 REPLIES

rizwanr74
Rising star

Please post your config from the ASA and the router config for easier troubleshooting.

thanks

Rejohn Cuares
Enthusiast

It could be missing interesting traffic and/or NAT.

Post the running config of both devices (877 and ASA) for easier fault finding.

Please rate replies and mark question as "answered" if applicable.

Variables:

<>

<>

<>

<>

<>

Branch 877 Config Summation:

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <> address <>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to <>
set peer <>
set transform-set ESP-3DES-SHA
set pfs group2
match address 100
!
archive
log config
  hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.244.1 255.255.255.0
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname <>
ppp chap password 0 <>
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255
access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
!
