eagle341 asked:

VPN network access

Hello, I have established a peer to peer VPN from an ASA 5510 to remote 1812, I can ping the inside addresses of both, but I can't ping any other addresses inside each network.

Any help appreciated!
ASKER CERTIFIED SOLUTION
batry_boy
eagle341 (ASKER)

Thanks, yes, both are default gateways. Last night I had to change the 1812 network from 192.169.0.0/24 to 172.16.0.0/24 because I was receiving an IPSEC-Spoof error; after that I could see the inside interfaces.

Here are the configs for both.

ASA Version 7.2(2)
!

names
name 192.168.10.20 ESSDNS1
name 217.xxx.xx.xx KTCDNS1
name 217.xxx.xx.xx KTCDNS2
!
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 192.168.10.201 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1
 nameif Outside
 security-level 0
 ip address 77.xxx.xx.xx 255.255.255.248
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone AQTST 5
clock summer-time AQTDT recurring last Sun Mar 0:00 last Sun Oct 0:00
dns domain-lookup Inside
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server ESSDNS1
 domain-name ERSS.KZ
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list management_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 any
access-list Outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any any
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip interface Inside 192.168.0.0 255.255.255.0
access-list Outside_access_in extended permit ip 217.196.23.0 255.255.255.252 interface Outside
access-list Outside_access_in extended permit ip 192.168.0.0 255.255.255.0 interface Outside
access-list Inside_access_in extended permit ip 192.168.0.0 255.255.255.0 interface Inside
access-list Inside_access_in extended permit ip 217.196.23.0 255.255.255.252 interface Inside
access-list Outside_access_out extended permit ip interface Outside any
access-list Inside_access_out extended permit ip interface Inside any
access-list Outside_nat0_outbound extended permit ip any any
access-list Inside_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Outside_20_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Outside_nat0_outbound_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip 192.168.10.0 255.255.255.0 any
access-list Outside_access_in_1 extended permit ip any interface Outside
access-list Outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list remote1_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list mysplit standard permit 192.168.10.0 255.255.255.0
access-list 202 extended permit ip any any
access-list 202 extended permit ip host 82.71.226.0 any
access-list Inside_nat0_outbound_2 extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
logging monitor debugging
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
ip local pool pool10 10.10.100.10-10.10.100.20 mask 255.255.255.0
no failover
monitor-interface Inside
monitor-interface Outside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound_2
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
access-group 202 in interface Outside
route Outside 0.0.0.0 0.0.0.0 77.xxx.xx.xx1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value ERSS.KZ
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy remote1 internal
group-policy remote1 attributes
 vpn-tunnel-protocol IPSec
 password-storage enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mysplit
 nem enable
username remote1 password PUqTNNpL6kSLDz6F encrypted privilege 1
username remote1 attributes
 vpn-group-policy remote1
username ciscouser password 23tv7l4KjzJreKTg encrypted privilege 15
url-server (Inside) vendor websense host 192.168.10.29 timeout 30 protocol TCP version 1 connections 5
aaa authentication ssh console LOCAL
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.10.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
http redirect Inside 80
http redirect Outside 80
http redirect management 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear-df Inside
crypto ipsec df-bit clear-df Outside
crypto ipsec df-bit clear-df management
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remote1 type ipsec-ra
tunnel-group remote1 general-attributes
 address-pool pool10
 default-group-policy remote1
tunnel-group remote1 ipsec-attributes
 pre-shared-key *
telnet 192.168.10.175 255.255.255.255 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 http-proxy 192.168.10.29 80
prompt hostname context
Cryptochecksum:bbb4c3a66a3c0703be015d2caabdbdef
: end

1812

Building configuration...

Current configuration : 8546 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ESS_E11
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$Jgeo$5DaArp6x1btjm4DNQIPo8/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 5
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
   import all
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1
   dns-server 217.xxx.xx.xxx 217.xxx.xx.xxx
   domain-name erss.kz
   netbios-name-server 192.168.10.20
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name erss.kz
ip name-server 217.xxx.xx.xxx
ip name-server 217.xxx.xx.xxx
ip ssh time-out 60
ip ssh authentication-retries 2
ip ddns update method sdm_ddns1
 DDNS both
!
!
!
crypto pki trustpoint TP-self-signed-96517047
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-96517047
 revocation-check none
 rsakeypair TP-self-signed-96517047
!
!
crypto pki certificate chain TP-self-signed-96517047
 certificate self-signed 01
  quit
username administrator privilege 15 secret 5 $1$Ny.6$zxFRJ7lv/vW05/hqZOQGK/
username monitor view SDM_Monitor secret 5 $1$wcQt$oU9ZS.7Z1C9a0fMRVlqzE/
username temp_access privilege 0 secret 5 $1$J939$MLaxAT2ERC2SQ4jq7jLQW1
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
!
!
crypto ipsec client ezvpn 77.xxx.xx.xxx
 connect auto
 group remote1 key 01remote007
 mode network-extension
 peer 77.xxx.xx.xxx
 username remote1 password 01remote007
 xauth userid mode local
!
!
bridge irb
!
!
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip ddns update hostname ESS_E11.erss.kz
 ip ddns update sdm_ddns1
 ip address 217.196.23.138 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto ipsec client ezvpn 77.xxx.xx.xxx
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit 7 028B93741B05 transmit-key
 encryption mode wep mandatory
 !
 ssid ESS_E11
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption key 1 size 40bit 7 6E8F57543705 transmit-key
 encryption mode wep mandatory
 !
 ssid ESS_E11
    authentication open
    guest-mode
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet1
 tunnel mode ipsec ipv4
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 crypto ipsec client ezvpn 77.xxx.xx.xxx inside
!
ip route 0.0.0.0 0.0.0.0 217.xxx.xx.xxx2
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
ip access-list extended mynat
 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 217.xxx.xx.xxx 0.0.0.3 77.xxx.xx.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.16.0.0 0.0.0.255 77.xxx.xx.xx 0.0.0.7
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.16.0.0 0.0.0.255 77.xxx.xx.xx 0.0.0.7
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 105 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 106 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.16.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 permit ip host 172.16.0.0 192.168.10.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 14
 privilege level 15
 login local
 transport input telnet ssh
line vty 15
 privilege level 15
 login local
 transport input telnet ssh
parser view SDM_Monitor
 secret 5 $1$3l7I$w5zB5bvnMzvz9qRp88p0J/
 commands configure include end
 commands configure include all interface
 commands exec include dir all-filesystems
 commands exec include dir
 commands exec include all crypto ipsec client ezvpn
 commands exec include crypto ipsec client
 commands exec include crypto ipsec
 commands exec include crypto
 commands exec include all ping ip
 commands exec include ping
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
 commands exec include all debug appfw
 commands exec include all debug ip inspect
 commands exec include debug ip
 commands exec include debug
 commands exec include all clear
!
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
Sorry, just prior to sending you the config I updated the 1812 DHCP default gateway; now I can see inside the 172.16.0.0 network, but not the other way around.

Got it, I had not updated the DC to the new gateway. I can see both sides now, thanks for the tip!
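As an added check that is not part of this thread or of either device's configuration: the ASA config above still carries several ACLs naming the old remote LAN (192.168.0.0/24) while only Inside_nat0_outbound_2 was updated to 172.16.0.0/24 and is the one bound by `nat (Inside) 0`. This Python audit (my own code; ASA_SNIPPET is a constructed subset of the posted lines, and all function names are mine) parses the `extended permit ip` entries and reports which ACLs cover a host pair and which still reference the old network, so a stale reference is visible before a ping test.

```python
"""Audit ASA 'extended permit ip' ACLs against a VPN host pair (added example, not from the thread)."""
import ipaddress
import re

# Constructed subset of the ASA config lines from the post above.
ASA_SNIPPET = """\
access-list Outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound_2 extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list Outside_access_in_1 extended permit ip any interface Outside
access-list 202 extended permit ip any any
nat (Inside) 0 access-list Inside_nat0_outbound_2
"""

def _take_addr(tokens):
    """Consume one ASA address spec ('any', 'host X', 'interface NAME', 'NET MASK') from tokens."""
    head = tokens[0]
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if head == "interface":
        return None, tokens[2:]  # resolving needs the interface table; left unmatched here
    return ipaddress.ip_network(f"{head}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'access-list NAME extended permit ip' lines."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
            continue  # standard ACLs, remarks and non-ACL lines are skipped
        src, rest = _take_addr(tokens[5:])
        dst, _ = _take_addr(rest)
        acls.setdefault(tokens[1], []).append((src, dst))
    return acls

def matching_acls(acls, src_ip, dst_ip):
    """Sorted names of ACLs with at least one entry covering src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return sorted(name for name, entries in acls.items()
                  if any(sn is not None and dn is not None and s in sn and d in dn
                         for sn, dn in entries))

def applied_nat0(config_text, interface="Inside"):
    """Name of the ACL bound by 'nat (<interface>) 0 access-list <name>', or None if absent."""
    m = re.search(rf"^nat \({re.escape(interface)}\) 0 access-list (\S+)", config_text, re.M)
    return m.group(1) if m else None

def stale_entries(acls, old_net):
    """ACL names that still reference old_net (the remote LAN before it was renumbered)."""
    old = ipaddress.ip_network(old_net)
    return sorted(name for name, entries in acls.items()
                  if any(n == old for pair in entries for n in pair))
```

Running `matching_acls(parse_acls(ASA_SNIPPET), "192.168.10.50", "172.16.0.50")` shows only the applied nat0 ACL (and the any/any ACL 202) covers the new network, while `stale_entries` lists the crypto-map and old nat0 ACLs still pointing at 192.168.0.0/24.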