Hi Rick, thanks a lot for your mail. I did the corrections in the   configuraciont, but still I can't reack the network 172.26.1.0/24 from the ASA1.   Please check the network graphic.

ASA1

object-group network net-1

network-object 10.2.0.0 255.255.255.0

network-object 172.26.1.0 255.255.255.0

object-group network net-2

network-object 10.2.69.0 255.255.255.0

access-list lpz extended permit ip 10.2.69.0 255.255.255.0 10.2.0.0 255.255.255.0

access-list lpz extended permit ip 10.2.69.0 255.255.255.0 172.26.1.0 255.255.255.0

nat (inside,outside) source static net-1 net-1 destination static net-2 net-2

crypto map remote 10 match address lpz

crypto map remote 10 set peer X.X.X.X

crypto map remote 10 set transform-set ESP-3DES-MD5

ASA2

access-list net-2 extended permit ip 10.2.0.0 255.255.255.0 10.2.69.0 255.255.255.0

access-list net-2 extended permit ip 172.26.1.0 255.255.255.0 10.2.69.0 255.255.255.0

access-list nonat extended permit ip 10.2.0.0 255.255.255.0 10.2.69.0 255.255.255.0

access-list nonat extended permit ip 172.26.1.0 255.255.255.0 10.2.69.0 255.255.255.0

nat (inside) 0 access-list nonat

crypto map remote 1080 match address net-2

crypto map remote 1080 set peer X.X.X.X

crypto map remote 1080 set transform-set ESP-3DES-MD5

route inside 172.26.1.0 255.255.255.0 10.2.0.10

ROUTER 2800 (IP f0/0:10.2.0.10, IP f0/1: 172.26.1.1)

ip route 10.2.69.0 255.255.255.0 10.2.0.1 (IP of the ASA 2)

SWITCH 3750

IP ROUTE 10.2.69.0 255.255.255.0 10.2.0.1 (ASA2 IP address)

IP ROUTE 172.26.1.0 255.255.255.0 10.2.0.10 (Router 2800 IP address)

- it is not clear whether ASA1 has a route to the 172.26.1.0 network.

The 172.26.1.0/24 is a network that is not connected directly to the ASA 2. This network is connected through a router.

Thanks again for your time

David

David

Thanks for the update. The access lists and address translation are now consistent between the ASAs, and that is an improvement.

My point about routing and ASA1 is that I have not seen anything that tells me that ASA1 will atually try to get to the 172.26.1 network by going through the VPN tunnel. I am assuming that it will - but I keep learning (over and over it seems) the lesson about making assumptions when troubleshooting. So I ask what sometimes seem like obvious questions just so I do not get trapped by an assumption.

You have described that problem being that you can not access the 172.26.1.0 network from ASA1. Now I need us to dig a bit deeper in identifying the problem. So can you tell me whether the ISAKMP negotiation is successful? Can you tell me whether the IPSec negotiation is successful?

HTH

Rick

Hi Rick, thanks a lot for your time again.

The VPN Tunnel in ASA1 and ASA2 is UP.

ASA1# sh cry isa sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 190.181.5.178

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

From the ASA 1, I can reach the ASA2 network 10.2.0.0/24

ASA1# ping  inside 10.2.0.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.0.4, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 220/228/230 ms

But I can't reach the network 172.26.1.0/0

ASA1# ping inside 172.26.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.26.1.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

I have confiure the route in the ASA1 as follow:

route outside 0.0.0.0 0.0.0.0 PUBLIC-IP-ADDRESS

I have the same scheme working with a CIsco ASA 5505 with IOS 8.2(5), the difference I have is the configuration in the ASA1(ver 8.3) with object groups, and the ASA 5505 (ver 8.2) with nat 0.

Thanks again for your help Rick.

David

David

Thanks for the additional information. I am encouraged to know that both ISAKMP and IPSec seem to be working ok. So now the question is why is access to 10.2.0 working but access to 172.26.1 is not working. I have a couple of requests:

- would you post the output of the command on ASA1 show run | include 172.26.1

I particularly want to be sure that it does not show up somewhere that we do not expect.

- would you test access to 172.26.1 from a device connected behind ASA1?

- would you test access to 10.2.69 from the 2801 behind ASA2?

- and perhaps in this testing use both ping and traceroute. It would be interesting to see what traceroute tells us about the forwarding path.

HTH

Rick

Hi Rick,

- would you post the output of the command on ASA1 show run | include 172.26.1 I particularly want to be sure that it does not show up somewhere that we do not expect.

ASA1# sh run | include 172.26.1

network-object 172.26.1.0 255.255.255.0

access-list lpz extended permit ip 10.2.69.0 255.255.255.0 172.26.1.0 255.255.255.0

- would you test access to 172.26.1 from a device connected behind ASA1?

I can't ping to 172.26.1.1, but I can ping to the 10.2.0.10

- would you test access to 10.2.69 from the 2801 behind ASA2?

I can't access to te netwoek 10.2.69.0, the route that I have in the router is:

ip route 10.2.69.0 255.255.255.0 10.2.0.1 (IP of ASA 2)

I tried with the same connection with a Cisco ASA 5505 (8.2(5)) using the nat 0 confifiguration with the same address and routing and it works.

The only difference is:

ASA ver 8.2

nat (inside) 0 access-list nonat

ASA ver 8.3

object-group network net-1

network-object 10.2.0.0 255.255.255.0

network-object 172.26.1.0 255.255.255.0

object-group network net-2

network-object 10.2.69.0 255.255.255.0

nat (inside,outside) source static net-1 net-1 destination static net-2 net-2

So, do I'm missing something in the nat configuration...:(?

Thanks a lot again for your time.

David

David

The fact that you can access the 10.2.0 network indicates that in general the ISAKMP and IPSec are working. So we do not need to troubleshoot those parts.

The fact that it worked with a 5505 using same addressing does seem to indicate that the problem is something that changed in 8.3, and NAT would seem to be the leading possibility. But as I look at what is posted I am not seeing the problem. I will continue to give it some thought.

Perhaps someone else in the forum will have a suggestion?

HTH

Rick