Unique setup of site-to-site VPN using security contexts

I have two 4507s trunked to two ASAs in active/active failover mode using security contexts. The ASAs are trunked to a 3560 switch, which in turn is connected to a 2811 router that has two internet connections.

I have set up a site-to-site VPN on the 2811 and I can see the tunnel as active. However, when I try to send interesting traffic to the tunnel or ping a remote host, it is unreachable. Also, from the 2811, when I try to reach my internal network via the ASA, I get the error

%ASA-3-305005: No translation group found for icmp src outside:119.111.136.17 dst inside:10.10.8.254 (type 8, code 0)

I think that, in order for the remote network to reach my internal network, the 2811 should be able to reach my inside network behind the ASA?

The diagram looks like this: internet - router (public IP addresses) - (outside public addresses) ASA - inside network


! IKEv1 phase 1 (ISAKMP) policy: 3DES, MD5, pre-shared key, DH group 2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! pre-shared key for the remote peer
crypto isakmp key motif123 address 203.200.226.138
!
! IPsec phase 2 transform set
crypto ipsec transform-set motif_india-set esp-3des esp-md5-hmac
!
! crypto map: peer, transform set, and interesting-traffic ACL 120
crypto map motifvpn 10 ipsec-isakmp
 set peer 203.200.226.138
 set transform-set motif_india-set
 match address 120
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 202.124.135.132 255.255.255.224
 ip policy route-map to_helius
 no snmp trap link-status
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.4
 encapsulation dot1Q 4
 ip address 119.111.136.17 255.255.255.240
 ip policy route-map to_prime
 no snmp trap link-status
!
interface FastEthernet0/0/0
 description prime
 switchport access vlan 100
!
interface FastEthernet0/0/1
 description helius
 switchport access vlan 200
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 119.111.23.22 255.255.255.252
 ! crypto map is applied here, on the VLAN facing the "prime" uplink
 crypto map motifvpn
!
interface Vlan200
 ip address 202.124.130.142 255.255.255.252
!
ip classless
! default route via the "helius" uplink (Vlan200 subnet)
ip route 0.0.0.0 0.0.0.0 202.124.130.141
! inside network 10.10.8.0/24 (behind the ASA) via a next hop on the Fa0/1.4 subnet
ip route 10.10.8.0 255.255.255.0 119.111.136.27
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
 
! crypto ACL 120 (interesting traffic for crypto map motifvpn); the 10.10.0.0/20 <-> 10.126.1.x entries are listed in both directions
access-list 120 permit ip host 10.126.1.11 10.10.0.0 0.0.15.255
access-list 120 permit ip host 10.126.1.14 10.10.0.0 0.0.15.255
access-list 120 permit ip host 10.126.1.60 10.10.0.0 0.0.15.255
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.11
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.14
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.60
access-list 120 permit ip host 10.126.1.250 10.10.0.0 0.0.15.255
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.250
access-list 120 permit ip host 119.111.136.17 host 10.126.1.14
! ACL 199 is not referenced anywhere in the posted configuration
access-list 199 permit ip any any
access-list 199 permit icmp any any
access-list 199 permit icmp any any echo-reply
! policy routing: traffic arriving on Fa0/1.4 defaults to the "prime" next hop, traffic arriving on Fa0/0.5 to the "helius" next hop
route-map to_prime permit 10
 set ip default next-hop 119.111.23.21
!
route-map to_helius permit 10
 set ip default next-hop 202.124.130.141
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use.
 
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C

Attachment: security-context.txt
inquirer23Asked:

vivek283Commented:
Hi,

First, it is not necessary that your router interface can ping your inside network. Your VPN traffic can be made to reach the inside network without this.

To enable the router interface to reach the inside network, you will need to add the following command on the ASA:

access-list inside_nat0 extended permit ip 10.10.0.0 255.255.240.0 host 119.111.136.17

Further, the VPN traffic also needs to be exempted from NAT on the ASA, so another ACE will be needed. Example:

access-list inside_nat0 extended permit ip 10.10.0.0 255.255.240.0 <remote network> <mask>

HTH
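To see which entry of the 2811's crypto ACL 120 a given flow hits, and whether the NAT exemption ACL proposed above for the ASA would keep that flow out of NAT, here is an added example in Python. It is not code from the original poster, from the answer, or from Cisco; it models IOS wildcard masks, ASA subnet masks, first-match semantics with an implicit deny, and the fact that ASA NAT exemption (`nat 0 access-list`) is bidirectional. The remote side of the second exemption ACE is an assumption (the 10.126.1.0/24 hosts named in ACL 120), since the answer leaves it as a placeholder. All flows are constructed from addresses that appear in the thread.

```python
"""Offline checker for the two ACLs discussed in this thread.

For a flow (src, dst, proto) it reports which entry of the 2811's crypto ACL 120
(IOS wildcard-mask syntax) matches, and whether the NAT exemption ACL proposed
for the ASA (ASA subnet-mask syntax) would keep the flow out of NAT.
Constructed example; not the original poster's or the answer's code.
"""
import ipaddress
from typing import List, Optional, Tuple

FULL = 0xFFFFFFFF  # all 32 bits significant (a 'host' entry)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr_spec(tokens: List[str], i: int, wildcard: bool) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec starting at tokens[i].

    Returns ((network, significant_bits), index_after_spec).  IOS ACLs use a
    wildcard mask (0 bits = must match); ASA ACLs use a subnet mask
    (1 bits = must match).  Both are normalised to 'significant bits'.
    """
    token = tokens[i]
    if token == "any":
        return (0, 0), i + 1
    if token == "host":
        return (_ip(tokens[i + 1]), FULL), i + 2
    mask = _ip(tokens[i + 1])
    bits = (~mask & FULL) if wildcard else mask
    return (_ip(token) & bits, bits), i + 2


class Ace:
    """One access-list entry: 'permit|deny <proto> <src-spec> <dst-spec> [...]'."""

    def __init__(self, line: str, wildcard: bool) -> None:
        self.text = line.strip()
        tokens = self.text.split()
        i = next(n for n, t in enumerate(tokens) if t in ("permit", "deny"))
        self.action = tokens[i]
        self.proto = tokens[i + 1]
        self.src, i = _addr_spec(tokens, i + 2, wildcard)
        self.dst, i = _addr_spec(tokens, i, wildcard)
        # trailing qualifiers such as 'echo-reply' or port operators are ignored

    def matches(self, src: str, dst: str, proto: str = "ip") -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        s, d = _ip(src), _ip(dst)
        return (s & self.src[1]) == self.src[0] and (d & self.dst[1]) == self.dst[0]


class Acl:
    """Ordered list of ACEs with first-match semantics and an implicit deny."""

    def __init__(self, lines: str, wildcard: bool) -> None:
        self.aces = [Ace(l, wildcard) for l in lines.splitlines() if l.strip()]

    def first_match(self, src: str, dst: str, proto: str = "ip") -> Optional[int]:
        """Index of the first matching ACE, or None when nothing matches."""
        for n, ace in enumerate(self.aces):
            if ace.matches(src, dst, proto):
                return n
        return None


def nat_exempt(acl: Acl, src: str, dst: str, proto: str = "ip") -> bool:
    """ASA NAT exemption ('nat 0 access-list') is bidirectional: a flow is exempt
    when the flow itself or its reverse matches an ACE of the exemption ACL."""
    return (acl.first_match(src, dst, proto) is not None
            or acl.first_match(dst, src, proto) is not None)


# Crypto ACL 120 exactly as posted for the 2811 (IOS wildcard masks).
CRYPTO_ACL_120 = Acl("""
access-list 120 permit ip host 10.126.1.11 10.10.0.0 0.0.15.255
access-list 120 permit ip host 10.126.1.14 10.10.0.0 0.0.15.255
access-list 120 permit ip host 10.126.1.60 10.10.0.0 0.0.15.255
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.11
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.14
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.60
access-list 120 permit ip host 10.126.1.250 10.10.0.0 0.0.15.255
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.250
access-list 120 permit ip host 119.111.136.17 host 10.126.1.14
""", wildcard=True)

# NAT exemption ACL as proposed for the ASA (subnet masks).  The remote side of
# the second ACE is an assumption: the 10.126.1.0/24 hosts named in ACL 120.
ASA_NAT0 = Acl("""
access-list inside_nat0 extended permit ip 10.10.0.0 255.255.240.0 host 119.111.136.17
access-list inside_nat0 extended permit ip 10.10.0.0 255.255.240.0 10.126.1.0 255.255.255.0
""", wildcard=False)


def report(src: str, dst: str, proto: str = "ip") -> str:
    """One-line verdict for a flow against both ACLs."""
    n = CRYPTO_ACL_120.first_match(src, dst, proto)
    if n is None:
        crypto = "no crypto ACL 120 entry"
    else:
        crypto = f"crypto ACL 120 entry {n}: {CRYPTO_ACL_120.aces[n].text}"
    exempt = "exempt from ASA NAT" if nat_exempt(ASA_NAT0, src, dst, proto) else "subject to ASA NAT"
    return f"{src} -> {dst} [{proto}]: {crypto}; {exempt}"


if __name__ == "__main__":
    # The flows from the thread: the router's own ping that produced %ASA-3-305005,
    # and an inside host exchanging traffic with one of the remote hosts in ACL 120.
    print(report("119.111.136.17", "10.10.8.254", "icmp"))
    print(report("10.10.8.254", "10.126.1.11"))
    print(report("10.126.1.11", "10.10.8.254"))
```

The router's own ping from 119.111.136.17 to 10.10.8.254 matches no entry of ACL 120, so it reaches the ASA as plain routed traffic and needs either a translation or an exemption there, which is what "No translation group found" reports; with the first proposed ACE in place the reverse direction matches and the flow is exempt. On IOS a crypto ACL is evaluated against outbound packets, so an entry whose source is the 10.10.0.0/20 inside network describes traffic to be encrypted toward the peer, while the mirror entries describe the opposite direction; the report shows which entry a flow hits so each direction can be checked.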
inquirer23Author Commented:
I added a static route pointing back.
