Unable to access additional IP Range over Site-to-Site IPSec VPN

rowansakul (Beginner)

Hi,
I am trying to set up a straightforward Site-to-Site IPsec VPN between an ASA 5510 (ASA Version 8.2(3)) at HQ and a Cisco 877 (12.4(24)T3) at a branch office.

At the branch end I have the 192.168.244.0/24 Subnet.
At the HQ end I have the 172.16.0.0/22 and the 10.0.0.0/8 Subnets
The inside interface of the ASA at HQ is 172.16.0.15/22

During the VPN Wizard Setup I ticked the NAT-T checkbox, and I have included the additional subnet in the protected local networks list.

I can successfully get access to all of the 172.16.0.0/22 subnets but not to anything in the 10.0.0.0/8 subnets.
The ASA Packet Tracer tool shows that traffic entering the inside interface from 172.16.0.0/22 and heading to 192.168.244.0/24 via the outside interface passes correctly, but traffic from 10.0.0.0/8 does not. It doesn't give any specific information on why the 10.0.0.0/8 traffic is dropped.

[HQ_LAN]---10.0.0.0/8 & 172.16.0.0/22---172.16.0.15(inside_int)-[ASA 5510]---IPSEC---[RTR 877]---192.168.244.0/24---[BRANCH_LAN]

I suspect it might have something to do with NAT?

Please Help.

Accepted Solution

Hi there,

Your VPN peers do not agree on the LAN segments between the two peers.

On your ASA

access-list inside_outbound_nat0_acl extended permit ip any <> 255.255.255.0

and

Router:

access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255

access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255

Please make the subnet declarations explicitly identical between the two VPN peers, and lastly please add this route on the ASA.

Same issue on this ACL as well: the subnet declarations are not identical between the two VPN peers, so please make them identical at both ends.

access-list outside_cryptomap_2 extended permit ip object-group <> <> 255.255.255.0

route outside 192.168.244.0 255.255.255.0 ASA_EXTERNAL_GW

Let me know the result.

thanks

Rizwan Rafeek

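The accepted answer's point is that the router's crypto ACL 100 and the ASA's crypto-map and NAT-exemption ACLs have to be exact mirror images of each other: every (local, remote) pair on one peer must appear as (remote, local) on the other, and on ASA 8.2 the same pairs must also be exempted from NAT, or the 10.0.0.0/8 traffic never matches the tunnel. The script below is an added example, not code from the thread or from Cisco. It parses the two ACL syntaxes (IOS wildcard masks such as 0.0.3.255, ASA netmasks such as 255.255.252.0) and reports which pairs are missing on each side. The router ACL is the one posted above; the ASA ACL lines are constructed assumptions, because the thread elides them ("<>"), and the "broken" set deliberately leaves out 10.0.0.0/8 on the ASA, which is the mismatch the answer describes.

```python
"""Check that two IPsec peers' interesting-traffic ACLs mirror each other
and that the ASA's NAT-exemption (nat 0) ACL covers the same pairs.

Added example; the ASA ACL contents below are assumptions, not the thread's.
"""
import ipaddress

# Constructed sample modelled on the thread. The router ACL is the one posted;
# the ASA lines are assumed. In the "broken" version the ASA protects (and
# NAT-exempts) only 172.16.0.0/22, so 10.0.0.0/8 has no mirror entry.
IOS_CRYPTO_ACL = """
access-list 100 permit ip 192.168.244.0 0.0.0.255 172.16.0.0 0.0.3.255
access-list 100 permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255
"""
ASA_CRYPTO_BROKEN = """
access-list outside_cryptomap_2 extended permit ip 172.16.0.0 255.255.252.0 192.168.244.0 255.255.255.0
"""
ASA_NAT0_BROKEN = """
access-list inside_outbound_nat0_acl extended permit ip 172.16.0.0 255.255.252.0 192.168.244.0 255.255.255.0
"""
# Fixed version: both ASA ACLs are the exact mirror of the router's ACL 100.
ASA_CRYPTO_FIXED = ASA_CRYPTO_BROKEN + """
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.0.0.0 192.168.244.0 255.255.255.0
"""
ASA_NAT0_FIXED = ASA_NAT0_BROKEN + """
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.0.0.0 192.168.244.0 255.255.255.0
"""


def _to_network(addr, mask, wildcard):
    """Build an IPv4Network from an address plus either an IOS wildcard
    (inverse) mask or an ASA netmask. Non-contiguous masks are rejected."""
    m = int(ipaddress.IPv4Address(mask))
    hostmask = m if wildcard else (~m & 0xFFFFFFFF)
    if (hostmask + 1) & hostmask:  # hostmask + 1 must be a power of two
        raise ValueError(f"non-contiguous mask {mask}")
    prefix = 32 - hostmask.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _endpoint(tokens, i, wildcard):
    """Parse one ACE endpoint starting at tokens[i]; return (network, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if tok in ("object-group", "object"):
        raise ValueError("expand object-group ACEs (show access-list) before checking")
    return _to_network(tok, tokens[i + 1], wildcard), i + 2


def parse_acl(text, wildcard):
    """Parse 'permit ip SRC DST' ACEs into a set of (src, dst) network pairs.
    wildcard=True for IOS numbered ACLs, False for ASA extended ACLs."""
    pairs = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue  # blank lines, remarks, deny entries
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":
            raise ValueError(f"only 'permit ip' ACEs are handled: {line}")
        src, i = _endpoint(tokens, i + 2, wildcard)
        dst, i = _endpoint(tokens, i, wildcard)
        pairs.add((src, dst))
    return pairs


def mirror(pairs):
    """Swap source and destination: what the other peer must declare."""
    return {(dst, src) for src, dst in pairs}


def fmt_pairs(pairs):
    return sorted(f"{src} -> {dst}" for src, dst in pairs)


def check_peers(asa_crypto, asa_nat0, ios_crypto):
    """Report pairs missing on either peer and ASA pairs not exempt from NAT."""
    asa = parse_acl(asa_crypto, wildcard=False)
    nat0 = parse_acl(asa_nat0, wildcard=False)
    ios = parse_acl(ios_crypto, wildcard=True)
    return {
        "missing_on_asa": fmt_pairs(mirror(ios) - asa),
        "missing_on_router": fmt_pairs(mirror(asa) - ios),
        "not_nat_exempt": fmt_pairs(asa - nat0),
    }


def demo():
    """Run the check on the constructed sample before and after the fix."""
    return {
        "before": check_peers(ASA_CRYPTO_BROKEN, ASA_NAT0_BROKEN, IOS_CRYPTO_ACL),
        "after": check_peers(ASA_CRYPTO_FIXED, ASA_NAT0_FIXED, IOS_CRYPTO_ACL),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

On the constructed "before" input the only finding is that the ASA lacks the 10.0.0.0/8 -> 192.168.244.0/24 entry, which matches the symptom in the question: the 172.16.0.0/22 pair works, the 10.0.0.0/8 pair silently fails. Two practical caveats: ASA ACLs take netmasks while IOS ACLs take wildcard masks, so the same subnet is written 255.255.252.0 on one box and 0.0.3.255 on the other; and on ASA 8.2 the crypto-map ACL alone is not enough, the `nat (inside) 0 access-list inside_outbound_nat0_acl` exemption must list the same pairs or the inside addresses are translated before the crypto map sees them.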

7 Replies

rizwanr74 (Rising star)

Please post your config from the ASA and the router config for easier troubleshooting.

thanks

Rejohn Cuares (Enthusiast)

It could be missing interesting traffic and/or NAT.

Post the running config of both devices (877 and ASA) for easier fault finding.

Please rate replies and mark question as "answered" if applicable.