cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
782
Views
0
Helpful
1
Replies

VPN Tunnel up, Ping goes through, no other traffic

Markus Thun
Level 1
Level 1

Hi Community,

i have a site to site connection ASA5505 <-> ASA5510. The ikev1 VPN tunnel is up, the ping goes through in both direction, but any other traffic not.

But no ACL drop this other traffic. The exampt nat rules are also added.

ospf.png

Inside ip: 192.168.4.0 /24                                                  Inside ip: 192.168.10.0/24

outsideip 192.168.0.0/24                                                   outside ip: 192.168.178.0/24

Site A (5510)Site B (5505)

access-list outside_nat0_outbound extended permit ip object NETWORK_OBJ_192.168.4.96_28 any

access-list inside_nat0_outbound extended permit ip any4 any4

nat (inside,outside) source static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup

nat (inside,any) source static any any no-proxy-arp route-lookup

nat (inside,outside) dynamic interface

nat (inside,inside) static 192.168.0.111

nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup

nat (inside,outside) dynamic interface

access-list thun extended permit ip any4 192.168.4.0 255.255.255.0

access-list thun extended permit ip any4 any4

access-list thun extended permit ip 192.168.4.0 255.255.255.0 any4

access-list thun extended permit ip 192.168.50.0 255.255.255.0 any

access-list thun extended permit ip any 192.168.50.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip object NETWORK_OBJ_192.168.4.96_28 any

access-list inside_nat0_outbound extended permit ip any4 any4

access-list VPN_Networks standard permit 192.168.0.0 255.255.255.0

access-list VPN_Networks standard permit 192.168.4.0 255.255.255.0

access-list VPN_Networks standard permit 192.168.20.0 255.255.255.0

access-list VPN_Networks standard permit 192.168.50.0 255.255.255.0

access-list VPN_Networks standard permit any4

access-list inside_access_in extended permit ip any object NETWORK_OBJ_192.168.4.96_28

access-list inside_access_in extended permit ip any 192.168.10.0 255.255.255.0

access-list inside_access_in extended permit ip any4 any4

access-list inside_access_in extended deny ip any6 any6

access-list outside_access_in extended permit ip object vpn-192.168.10.0-24 any

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit ip object vpn-192.168.10.0-24 192.168.4.0 255.255.255.0

access-list vpn-dehbu extended permit ip object-group DM_INLINE_NETWORK_12 any

access-list outside_authentication extended permit tcp any4 any4 inactive

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_10

access-list ENCDOM-100 extended permit ip 192.168.4.0 255.255.255.0 object-group DM_INLINE_NETWORK_2

access-list ENCDOM-100-NONAT extended permit ip 192.168.4.0 255.255.255.0 object-group DM_INLINE_NETWORK_11

access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_7

access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_6

access-list thun_net webtype deny url rdp://192.168.4.139 log default

access-list Webtype_any webtype deny url rdp://192.168.4.139 log default

access-list Webtype_any webtype permit url http://192.168.4.140 log default

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

dynamic-access-policy-record DfltAccessPolicy

dynamic-access-policy-record any_thun_dap

vpn-access-hours none

vpn-access-hours none

client-access-rule none

access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 any

access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_3

access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

dynamic-access-policy-record DfltAccessPolicy

threat-detection statistics access-list

I hope anybody can help me

1 Reply 1

Tariq Bader
Cisco Employee
Cisco Employee

can you get the outputs of the following commands:

site a:

packet-tracer input inside tcp 192.168.4.100 5000 192.168.10.100 80 d

site b:

packet-tracer input inside tcp 192.168.10.100 5000 192.168.4.100 80 d