Thanks for the import Federico,

I know the ASA is different from the PIX which, in turn is different from IOS Routers.  That's not necessarily the problem (although it is for debug purposes as I'm having to rely heavily on forums at the moment).  I have successfully configured remote users and other remote sites (18xx and 8xx series routers advanced ip IOS / adv. sec IOS) on the ASA and these work fine.  The settings follow the same rules (albeit different phase 1 / 2 info) as the other tunnels but still nothing.  This leads me to believe it's a routing issue?  Internal to Main Office is a L3 Switch and a Watchguard Firewall.  Internal to remote site is Cisco 2950 Switch.

See attached for configs -

Thanks, Rob

Rob,

The traffic that you want to encrypt is between ASA's inside 192.168.1.0/24 and remote 192.168.0.0/24

The encrypt ACL on the ASA is:
access-list BTNET_7_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

But I don't see that traffic being exempt from NAT, you should add on the ASA:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

On the PIX you don't seem to have the problem.

Please try it and let us know.

Federico.

Hi Federico,

The NAT excemption for that particular network is:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 WATFORD-EXPO-Net 255.255.255.0

That was my original thought as I had missed it.  Even with it there now though, I still can't transmit any interesting traffic

Rob

Rob,

Let's do the following:

Things to check on the configurations:

1. On the ASA and PIX check that the interesting traffic 192.168.1.0/24 and 192.168.0.0/24 is not matched to any other tunnel (ACL of any other crypto map instance).

2. Check there's no route to the remote network (LAN of the peer) pointing to any other interface (should point to the outside).

Add the command management-access inside to both sides and PING between internal IPs:

ASA:

ping inside 192.168.0.3

PIX:

ping inside 192.168.1.253

The above will enable the inside interface to participate in the interesting traffic so that you can try to bring up the tunnel by sending a PING to the peer's internal IP.

It the above works, then we need to check that the default gateway of the LANs on each side is the respective ASA/PIX or at least they have a route to reach the remote network.

Federico.

Federico,

Thanks for your ongoing support,

1. I've made sure the interesting traffic is not matched to any other crypto ACL on either side using the GUI (ASDM and PDM).

2. There's a static route configured to point my inside network to remote external IP and there is nothing else pointing to this IP Address.

I will add the following command to both devices and report back with the results of the PING:

management-access inside

On the last note, my local default gateway is the L3 Switch (HP) could this be having an adverse affect?  All devices on the local LAN have a default gateway of .254 (switch) which, in turn points to the ASA.  Could this be having an adverse affect on the routing?  I've checked the switch configs and there is nothing to suggest there is a problem  (there is no mention of the other remote sites in the routing table on the L3 switch).

The one thing that I do find odd is how a remote user (logs into our LAN via VPN Client but whilst at the remote site at question, comes in on the VPN tunnel remote IP - obviously connecting through their LAN, accessing the www through their PIX and finally to the local LAN) can log on, when this user has connectivity, the show crypto isakmp sa on the ASA, it shows his connection as MM_ACTIVE, initiator L2L whereas other remote users show as AM_ACTIVE, responder, user.  I know that MM and AM are different (AM - aggressive mode / MM - main mode) but why does this tunnel show as L2L when it is a user tunnel with a different phase 1 / 2 configuration?

I think this is the cause of my issues at the moment, do you agree?

Once again, thanks for your ongoing support,

Rob

The result of doing the:
ASA:
ping inside 192.168.0.3
PIX:
ping inside 192.168.1.253
were succesful?

The test that we are doing with the above is making sure we can send traffic through the L2L tunnel (originated
from the inside IP of the respective device).

If the default gateway of the internal LAN is a switch, you just need to make sure that the switch has either
a default gateway to the ASA/PIX or a route to point back to the remote L2L subnet.

Can you post the output of:
sh cry isa sa
sh cry ips sa
For the L2L tunnel between the ASA and the PIX on both sides when attempting to send traffic?

Federico.