cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
658
Views
0
Helpful
10
Replies
Highlighted
Beginner

VPN Site-to-site up but no reverse traffic

Hi guys,

Help me please to config cisco for back traffic. I'm already set up site-to-site VPN between ASA 5505 and 877W. So I have access to remote network 192.168.17.0/24, but at the same time can't get access from remote network to office.

Office LAN (192.168.10.0/24) -> Cisco 877W (a.a.a.a) -> VPN -> ASA 5505 (b.b.b.b) -> remote lan (192.168.17.0/24)

Packet tracer on ASA site:

Capture.PNG

But there are no records in ASDM syslog during ping from remote lan to office lan.

There are 2 configs:

Result of the command: "show conf"

: Saved
: Written by admin at 12:44:01.758 NZST Fri Mar 25 2011
!
ASA Version 8.2(2)
!
hostname host
domain-name domain
enable password password encrypted
passwd password encrypted
names
!
interface Vlan1
description INTERNET
mac-address 1234.5678.0001
nameif WAN
security-level 0
ip address b.b.b.b 255.255.255.248 standby b1.b1.b1.b1
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 1234.5678.0102
nameif OLD-Private
security-level 100
ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 1234.5678.0106
nameif Management
security-level 100
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
ospf cost 10
!
interface Vlan100
description LAN Failover Interface
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
name-server dns.dns.dns.dns
domain-name domain
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit object-group DM_INLINE_PROTOCOL_1 interface OLD-Private 192.168.10.0 255.255.255.0 log debugging inactive
access-list OLD-PRIVATE_access_in extended permit object-group TCPUDP interface OLD-Private any log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.10.254 interface OLD-Private log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.17.155 interface OLD-Private log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list capin extended permit ip host 192.18.17.155 host 192.168.10.7
access-list capin extended permit ip host 192.168.10.7 host 192.168.17.155
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip any 192.168.17.240 255.255.255.252
access-list WAN_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.248
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0
access-list IPSec_VPN_splitTunnelAcl standard permit any
access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_ipsec_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging debug-trace
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit host a.a.a.a WAN
icmp permit 192.168.10.0 255.255.255.0 WAN
icmp permit 192.168.17.0 255.255.255.0 WAN
icmp permit host b1.b1.b1.b1 WAN
icmp deny any WAN
icmp permit host a.a.a.a OLD-Private
icmp permit 192.168.10.0 255.255.255.0 OLD-Private
icmp permit 192.168.17.0 255.255.255.0 OLD-Private
icmp permit host a.a.a.a Management
icmp permit host 192.168.10.0 Management
icmp permit host 192.168.17.138 Management
icmp permit 192.168.1.0 255.255.255.0 Management
icmp permit host 192.168.1.26 Management
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
global (OLD-Private) 1 interface
global (Management) 1 interface
nat (OLD-Private) 0 access-list WAN_nat0_outbound
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http b.b.b.b 255.255.255.255 WAN
http 0.0.0.0 0.0.0.0 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer a.a.a.a
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh a.a.a.a 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config OLD-Private
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy admin internal
group-policy admin attributes
dns-server value dns.dns.dns.dns
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_ipsec_splitTunnelAcl
address-pools value vpnclient
username admin password password encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool IPSec_VPN_pool
address-pool vpnclient
authorization-server-group LOCAL
default-group-policy admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
default-group-policy admin
tunnel-group a.a.a.a ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group vpn_ipsec type remote-access
tunnel-group vpn_ipsec general-attributes
address-pool vpnclient
tunnel-group CiscoVPNClient type remote-access
!
class-map inspection_default
match default-inspection-traffic
!

------------------------------------------------------------------------------------------------------------------------------------------

Cisco 877W


Building configuration..

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
no service dhcp
!
hostname host
!
boot-start-marker
boot system flash:/c870-advipservicesk9-mz.124-15.T13.bin
boot-end-marker
!
logging buffered 52000
logging console critical
enable secret 5 secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network local_auth if-authenticated
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
clock timezone
clock summer-time
!
crypto pki trustpoint TP-self-signed
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate
revocation-check none
rsakeypair TP-self-signed
!
!
crypto pki certificate chain TP-self-signed
certificate self-signed 01
 
      quit
dot11 syslog
!
dot11 ssid ssid
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 wpa-key
!
ip cef
!
!
!
!
no ip bootp server
ip domain name doamin
ip dhcp-server 192.168.10.10
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 1
l2tp tunnel receive-window 256
!
password encryption aes
!
!
username admin privilege 15 secret 5 secret
!
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 2
authentication pre-share
!
crypto isakmp policy 3
authentication pre-share
!
crypto isakmp policy 4
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 key address b.b.b.b
crypto isakmp key 6 key address b1.b1.b1.b1
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 10
!
crypto isakmp client configuration group EasyVPN
key 6 key
dns 192.168.10.10
domain domain
pool SDM_POOL_1
acl 100
save-password
include-local-lan
max-users 2
netmask 255.255.255.0
!
crypto isakmp client configuration group group
key 6 key
pool SDM_POOL_1
firewall are-u-there
include-local-lan
pfs
max-users 2
max-logins 1
netmask 255.255.255.0
!
crypto isakmp client configuration group client
key 6
pool DIAL-IN
acl 103
include-local-lan
max-users 2
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group EasyVPN
   match identity group group
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
   match identity group client
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 5
!
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 900
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set security-association idle-time 1200
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-2
!
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
set peer b.b.b.b
set peer b1.b1.b1.b1
set transform-set ASA-IPSEC
match address 160
!
crypto ctcp
archive
log config
  hidekeys
!
!
no ip ftp passive
!
class-map match-any BLOCK
match protocol kazaa2
match protocol bittorrent
match protocol edonkey
match protocol gnutella
!
!
policy-map BLOCK_INTERNET
class BLOCK
  bandwidth 8
!
!
bridge irb
!
!
interface Loopback0
no ip address
!
interface Loopback2
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport mode trunk
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered BVI1
ip nat inside
ip virtual-reassembly
peer default ip address dhcp
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 pap
!
interface Virtual-Template2
no ip address
!
interface Virtual-Template3 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template5 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Dot11Radio0
no ip address
ip flow ingress
ip route-cache flow
!
encryption mode ciphers tkip
!
ssid ssid
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
ip address 192.168.11.254 255.255.255.0
!
interface Dialer0
description $OUTSIDE$
ip address negotiated
ip access-group sdm_dialer0_in in
ip access-group 101 out
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp pap sent-username name password 0 password
ppp ipcp dns request
ppp ipcp route default
crypto map SDM_CMAP_1
service-policy output BLOCK_INTERNET
!
interface Dialer1
no ip address
!
interface BVI1
ip address 192.168.10.254 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip local pool DIAL-IN 192.168.10.251 192.168.10.253
ip local pool SDM_POOL_1 192.168.10.50 192.168.10.51
ip forward-protocol nd
!
ip flow-cache timeout active 1
ip flow-export source Dot11Radio0
ip flow-export version 9
ip flow-export destination 192.168.10.200 9996
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source static tcp 192.168.10.19 443 interface Dialer0 443
ip nat inside source static tcp 192.168.10.8 5900 interface Dialer0 5900
ip nat inside source static udp a.a.a.a 500 interface Dialer0 500
ip nat inside source static tcp 192.168.10.130 9090 interface Dialer0 9090
ip nat inside source list NAT_INTERNET interface Dialer0 overload
ip nat inside source static udp a.a.a.a 4500 interface Dialer0 4500
ip nat inside source static tcp 192.168.10.9 1723 interface Dialer0 1723
ip nat inside source static tcp a.a.a.a 10000 interface Dialer0 10000
!
ip access-list extended NAT_INTERNET
deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended NAT_INTERNET_1
deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended sdm_dialer0_in
permit ahp host b.b.b.b any
remark Allow all
permit ip any any
permit esp host b.b.b.b any
permit udp host b.b.b.b any eq isakmp
permit udp host b.b.b.b any eq non500-isakmp
permit ahp host b1.b1.b1.b1 any
permit esp host b1.b1.b1.b1 any
permit udp host b1.b1.b1.b1 any eq isakmp
permit udp host b1.b1.b1.b1 any eq non500-isakmp
permit ip 192.168.17.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip host 209.239.31.195 any log
deny   ip host 98.108.59.171 any log
remark CCP_ACL Category=1
!
access-list 1 remark #NAT INTERNET USERS#
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip host 192.168.10.0 any
access-list 101 remark CCP_ACL Category=17
access-list 101 remark RULES FOR FW TO INTERNET
access-list 101 deny   ip any host 121.22.6.121 log
access-list 101 deny   ip any host 74.120.10.51 log
access-list 101 deny   ip any host 112.230.192.99 log
access-list 101 deny   ip any host 61.55.167.19 log
access-list 101 permit ip any any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 any
access-list 101 remark Syslog for ASA1
access-list 101 permit udp host b.b.b.b eq syslog any eq syslog
access-list 101 remark Syslog for ASA2
access-list 101 permit udp any any eq syslog
access-list 101 remark Cisco_VPN_10000
access-list 101 permit tcp x.x.0.0 0.0.255.255 any eq 10000 log
access-list 101 remark Cisco_VPN_500
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 remark Cisco_VPN_4500
access-list 101 permit udp any any eq isakmp log
access-list 101 permit tcp any host a.a.a.a eq 81
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 remark OWA
access-list 101 permit tcp any any eq 443 log
access-list 101 remark VNC port
access-list 101 permit tcp x.x.0.0 0.0.255.255 any eq 5900 log
access-list 101 remark CRM service 8081
access-list 101 permit tcp any any eq 8081 log
access-list 102 deny   tcp any any eq 445 log
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 115 remark CCP_ACL Category=16
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
access-list 130 permit ip 129.168.10.0 0.0.0.255 any
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server ifindex persist
!
!
!
route-map nonat permit 10
match ip address 150
!
!
control-plane
!
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
password password
login authentication local
!
scheduler max-task-time 5000
end

------------------------------------------------------------------------------------------------------------

Thanks for your time and help

10 REPLIES 10
Highlighted
Cisco Employee

Looks like you might have missed the NAT exemption (nonat) on the router between the 2 subnets.

Currently you have:

access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any

you would need to also add the following:

ip access-list extended 150

     1 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

Then, please clear the existing translation and try the connection again.

Highlighted

Hi Jennifer,

Thanks again for your help.

I've added ip access-list extended 150 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

So 877W access-list next:

access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any

access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

then run

clear ip nat translation *

It didn't help

Highlighted

The "deny" statement needs to be on top of the "permit" statement.

Here you go:

ip access-list extended 150

     1 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

Then "clear ip nat trans *"

Let us know how it goes.

Highlighted

access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any

then run

clear ip nat translation *

Unsuccessfull. Even if I try to ping from 192.168.17.0 to 192.168.10.0 the S2S VPN tunnel is not establishing.
Highlighted

The set peer on the router only needs to be configured to the active ASA outside interface IP, not to the standby IP as the standby IP will never be used for routing.

crypto map SDM_CMAP_1 2 ipsec-isakmp
set peer b.b.b.b
set peer b1.b1.b1.b1  --> pls remove this line.
set transform-set ASA-IPSEC
match address 160

Also on ASA, try to add: management-access OLD-Private

and see if you can ping 192.168.17.2 from the router LAN.

Or, alternatively from the ASA LAN, ping 192.168.10.254.

If still doesn't work, please share the debug output from both devices, and also the output of:

show cry isa sa

show cry ipsec sa

Highlighted

add: management-access OLD-Private didn't help

ping for ASA to 192.168.10.254 unsuccessfull

---------------------------------------------------------------------------

ASA# show cry isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: a.a.a.a
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

------------------------------------------------------------------------------

ASA# show cry ipsec sa
interface: WAN
    Crypto map tag: WAN_map, seq num: 1, local addr: b.b.b.b

      access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: a.a.a.a

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: b.b.b.b, remote crypto endpt.: a.a.a.a

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8DF7922C
      current inbound spi : 227127D3

    inbound esp sas:
      spi: 0x227127D3 (577841107)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2318336, crypto-map: WAN_map
         sa timing: remaining key lifetime (kB/sec): (4374000/2506)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x8DF7922C (2381812268)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2318336, crypto-map: WAN_map
         sa timing: remaining key lifetime (kB/sec): (4374000/2506)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

-----------------------------------------------------------------------------------

Cisco 877W

877W#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
b.b.b.b    a.a.a.a  QM_IDLE           2002    0 ACTIVE

IPv6 Crypto ISAKMP SA

-----------------------------------------------------------------------------------

877#show cry ipsec sa

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr a.a.a.a

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x227127D3(577841107)

     inbound esp sas:
      spi: 0x8DF7922C(2381812268)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Motorola SEC 1.0:5, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4559528/1966)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x227127D3(577841107)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: Motorola SEC 1.0:6, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4559528/1966)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access3
    Crypto map tag: SDM_CMAP_1, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access3
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access3
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Highlighted

How did you ping from the ASA? Did you perform: ping OLD-PRIVATE 192.168.10.254 from the ASA itself?


Or, did you just did ping 192.168.10.254 from the ASA?

Do you try to ping from behind the ASA? from a host that is connected to OLD-PRIVATE interface?

Highlighted

Hi Jennifer,

My fault before I've tried to

ping 192.168.10.254 - no luck, but

ping OLD-PRIVATE 192.168.10.254 - OK! Still I can't ping from 192.168.17.138 to 192.168.10.254


Highlighted

Sorry Jeniffer,

I've found source of problem - my hands Im my case on 192.168.17.138 were incorrect routing settings:

Persistent Routes:
  Network Address          Netmask  Gateway Address          Metric
          0.0.0.0                    0.0.0.0          192.168.17.2          Default
          0.0.0.0                    0.0.0.0            b.b.b.b                      1

I've changed registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\PersistentRoutes to

0.0.0.0,0.0.0.0,b.b.b.b,-1               REG_SZ

0.0.0.0,0.0.0.0,192.168.17.2,-1     REG_SZ

Now all OK.

Can I ask next question?

All VMs have static public IP with gateway b.b.b.b. Also I have dhcp server which assigning IP with gateway 192.168.17.2 It becomes multiple default gateways and DHCP gateway become primary (lowest metric). Is it possible to set up static gateway always primary or give to dhcp gateway higher metric than static? In the same time if dhcp gateway metric higher - I can't get access to remote network via S2S VPN.

Thanks

Highlighted

What you can configure on the VM is persistent static route so you have route for 192.168.10.0/24 pointing towards 192.168.17.2. While default gateway still points towards b.b.b.b.

Hope that helps.