05-30-2012 05:33 AM
I have an ASA5505 that has multiple tunnels of different sorts used for testing. I have recently set up a tunnel to a remote location that has on the other end a 1721 router. My location has an 877 ADSL router with the ASA5505 behind it. Since my IP address changes often due to poor DSL service, what I do is set up on the ASA5505 a static to dynamic (remote end). This has worked very well going to a PIX506 and another 1721 here used for testing.
This recent 1721 I set up has an issue where I can pass traffic to the 1721 only to its inside interface IP. From the 1721 I can ping the whole network behind the ASA. Here is the relevant config for the 1721:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key XXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set peer XXX.XXX.XXX dynamic
set transform-set IPSEC
match address 120
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface FastEthernet0
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.240
crypto map SDM_CMAP_1
ip route 0.0.0.0 0.0.0.0 Ethernet0 dhcp
ip nat pool NAT 10.10.10.1 10.10.10.15 netmask 255.255.255.240
ip nat inside source route-map NONAT interface Ethernet0 overload
access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 deny ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 permit ip 10.10.10.0 0.0.0.15 any
route-map NONAT permit 10
match ip address 130
And for the ASA:
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.240
access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-10.10.10.0 obj-10.10.10.0 no-proxy-arp route-lookup
crypto map OUTSIDE_MAP 2 match address 1721_KS
crypto map OUTSIDE_MAP 2 set peer 7x.xx.xxx.xx
crypto map OUTSIDE_MAP 2 set ikev1 phase1-mode aggressive
crypto map OUTSIDE_MAP 2 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map OUTSIDE_MAP 2 set nat-t-disable
On the remote end is a device at 10.10.10.3 that I cannot ping, yet when I SSH to the 1721 I can ping it, so I know it is powered on. ICMP debug on the 1721 shows echo-reply from 192.168.2.1 to 10.10.10.1, but not 10.10.10.3.
I am thinking that there must be some really minor detail I must have missed somewhere.
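Two sanity checks a reviewer would run against the configs quoted in this post, as an added example that is not code from the post: whether the two crypto ACLs are exact mirror images (the 1721 uses IOS wildcard masks, the ASA uses subnet masks), and whether the router's crypto map is bound to the interface its default route actually exits through. The config text is re-typed from the post with IOS indentation restored; the interface names, ACL numbers and map name are the post's own.

```python
import ipaddress
import re

# Constructed from the post: the two crypto ACL entries that define the proxy IDs.
IOS_ACL = "access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255"
ASA_ACL = ("access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 "
           "10.10.10.0 255.255.255.240")
# Constructed from the post: the 1721 stanzas that decide where the crypto map is applied.
IOS_CFG = """\
interface FastEthernet0
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.240
 crypto map SDM_CMAP_1
ip route 0.0.0.0 0.0.0.0 Ethernet0 dhcp
"""

def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverted wildcard masks: 0.0.0.15 means a /28."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def netmask_to_network(addr, netmask):
    """ASA ACLs use ordinary subnet masks."""
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_acl(line, wildcard):
    """Return (src, dst) networks from a 'permit ip A maskA B maskB' entry."""
    src_a, src_m, dst_a, dst_m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line).groups()
    conv = wildcard_to_network if wildcard else netmask_to_network
    return conv(src_a, src_m), conv(dst_a, dst_m)

def acls_mirror(ios_line, asa_line):
    """Phase 2 only negotiates when each side's src/dst is the other side's dst/src."""
    ios_src, ios_dst = parse_acl(ios_line, wildcard=True)
    asa_src, asa_dst = parse_acl(asa_line, wildcard=False)
    return ios_src == asa_dst and ios_dst == asa_src

def crypto_map_interfaces(cfg):
    """Map each interface that carries a 'crypto map' line to the map name."""
    bound, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("interface "):
            current = raw.split()[1]
        elif raw.startswith(" crypto map ") and current:
            bound[current] = raw.split()[2]
    return bound

def default_route_interface(cfg):
    m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    return m.group(1) if m else None

def map_on_egress(cfg):
    """The crypto map must sit on the interface the peer is reached through."""
    return default_route_interface(cfg) in crypto_map_interfaces(cfg)
```

On the quoted snippets the ACLs do mirror, while the crypto map is found on FastEthernet0 and the default route leaves via Ethernet0, which is the kind of mismatch worth confirming on the live router with `show crypto map` before chasing CEF or NAT.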
06-01-2012 04:26 AM
This could well be an issue related to CEF on the 1721 router.