09-11-2013 11:31 PM
Hi Community,
I have a site-to-site connection ASA5505 <-> ASA5510. The IKEv1 VPN tunnel is up, and ping goes through in both directions, but any other traffic does not.
No ACL drops this other traffic, and the NAT exempt rules are also in place.
Site A (5510): inside 192.168.4.0/24, outside 192.168.0.0/24
Site B (5505): inside 192.168.10.0/24, outside 192.168.178.0/24

Site A (5510) NAT:

```
access-list outside_nat0_outbound extended permit ip object NETWORK_OBJ_192.168.4.96_28 any
access-list inside_nat0_outbound extended permit ip any4 any4
nat (inside,outside) source static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
nat (inside,any) source static any any no-proxy-arp route-lookup
nat (inside,outside) dynamic interface
nat (inside,inside) static 192.168.0.111
```

Site B (5505) NAT:

```
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
nat (inside,outside) dynamic interface
```

Site A (5510) ACLs and access-groups:

```
access-list thun extended permit ip any4 192.168.4.0 255.255.255.0
access-list thun extended permit ip any4 any4
access-list thun extended permit ip 192.168.4.0 255.255.255.0 any4
access-list thun extended permit ip 192.168.50.0 255.255.255.0 any
access-list thun extended permit ip any 192.168.50.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NETWORK_OBJ_192.168.4.96_28 any
access-list inside_nat0_outbound extended permit ip any4 any4
access-list VPN_Networks standard permit 192.168.0.0 255.255.255.0
access-list VPN_Networks standard permit 192.168.4.0 255.255.255.0
access-list VPN_Networks standard permit 192.168.20.0 255.255.255.0
access-list VPN_Networks standard permit 192.168.50.0 255.255.255.0
access-list VPN_Networks standard permit any4
access-list inside_access_in extended permit ip any object NETWORK_OBJ_192.168.4.96_28
access-list inside_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip any4 any4
access-list inside_access_in extended deny ip any6 any6
access-list outside_access_in extended permit ip object vpn-192.168.10.0-24 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip object vpn-192.168.10.0-24 192.168.4.0 255.255.255.0
access-list vpn-dehbu extended permit ip object-group DM_INLINE_NETWORK_12 any
access-list outside_authentication extended permit tcp any4 any4 inactive
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_10
access-list ENCDOM-100 extended permit ip 192.168.4.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list ENCDOM-100-NONAT extended permit ip 192.168.4.0 255.255.255.0 object-group DM_INLINE_NETWORK_11
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_7
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_6
access-list thun_net webtype deny url rdp://192.168.4.139 log default
access-list Webtype_any webtype deny url rdp://192.168.4.139 log default
access-list Webtype_any webtype permit url http://192.168.4.140 log default
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record any_thun_dap
vpn-access-hours none
vpn-access-hours none
client-access-rule none
```

Site B (5505) ACLs and access-groups:

```
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 any
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_3
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
dynamic-access-policy-record DfltAccessPolicy
threat-detection statistics access-list
```
I hope somebody can help me.
09-17-2013 02:26 AM
Can you get the outputs of the following commands?
site a:
packet-tracer input inside tcp 192.168.4.100 5000 192.168.10.100 80 d
site b:
packet-tracer input inside tcp 192.168.10.100 5000 192.168.4.100 80 d
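Once both packet-tracer outputs are in hand, the two things worth reading out of them are the phase in which the packet is dropped (with the Drop-reason from the final Result block) and which nat statement the NAT phase actually matched; for a site-to-site tunnel the identity (exemption) rule should be the one that appears there. The helper below is an added example and is not part of the thread or of Cisco's tooling: it parses packet-tracer output in its standard Phase/Type/Subtype/Result layout and reports those two facts. SAMPLE_TRACE is constructed to look like such output, reusing one NAT line from the Site A config above, and is not output from either ASA in the question.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like ASA packet-tracer output (numbered phases,
# then a final bare "Result:" summary block). NOT captured from the OP's ASAs.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.1 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.4.100/5000 to 192.168.4.100/5000

Phase: 4
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

_FIELD = re.compile(r"^(Phase|Type|Subtype|Result): ?(.*)$")


def parse_phases(trace: str) -> Tuple[List[Dict[str, str]], str]:
    """Split the trace into per-phase dicts plus the raw final summary text.
    Config: and Additional Information: sections are kept as newline-joined strings."""
    body, _, summary = trace.partition("\nResult:\n")  # bare "Result:" starts the summary
    phases: List[Dict[str, str]] = []
    for chunk in re.split(r"\n(?=Phase: )", body.strip()):
        phase: Dict[str, str] = {}
        section: Optional[str] = None
        for line in chunk.splitlines():
            m = _FIELD.match(line)
            if m:
                phase[m.group(1).lower()] = m.group(2).strip()
                section = None
            elif line in ("Config:", "Additional Information:"):
                section = line[:-1].lower().replace(" ", "_")
                phase.setdefault(section, "")
            elif section and line.strip():
                phase[section] = (phase[section] + "\n" + line).strip()
        if phase:
            phases.append(phase)
    return phases, summary


def parse_summary(summary: str) -> Dict[str, str]:
    """Turn 'key: value' lines of the final Result block into a dict."""
    out: Dict[str, str] = {}
    for line in summary.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            out[key.strip()] = value.strip()
    return out


def nat_rules_hit(phases: List[Dict[str, str]]) -> List[str]:
    """nat statements listed under the NAT / UN-NAT phases, in order.
    If something other than the tunnel's exemption rule shows up here,
    that rule is what won the NAT lookup for this flow."""
    rules: List[str] = []
    for p in phases:
        if p.get("type") in ("NAT", "UN-NAT"):
            rules.extend(l for l in p.get("config", "").splitlines() if l.startswith("nat "))
    return rules


def diagnose(trace: str) -> Dict[str, object]:
    """Summarise a packet-tracer run: verdict, dropping phase, reason, NAT rules, egress."""
    phases, summary = parse_phases(trace)
    info = parse_summary(summary)
    drop = next((p for p in phases if p.get("result", "").upper() == "DROP"), None)
    return {
        "action": info.get("Action"),
        "drop_phase": None if drop is None else f"{drop['type']} {drop.get('subtype', '')}".strip(),
        "drop_reason": info.get("Drop-reason"),
        "nat_rules": nat_rules_hit(phases),
        "egress": info.get("output-interface"),
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

Run the same helper over the output from both sites; the tunnel only carries traffic when each side's NAT phase shows the identity rule and no phase before VPN encrypt drops the packet.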