Solved

Help needed (stuck at remote site)

Posted on 2009-04-02
Last Modified: 2012-05-06

Headquarters: 172.16.1.0/24, 172.16.10.0/24, 172.16.11.0/24
Remote site: 172.16.65.0/24

I have an IPsec tunnel between HQ and the remote site. The remote site (172.16.65.0/24) has a PIX. Interesting traffic is defined as 172.16.65.0.
The other end of the tunnel terminates on an ASA. The ASA is at headquarters.

I have connectivity from the remote site to all subnets at HQ EXCEPT 172.16.11.0/24. Please see the output below for info.
PIX sh route at remote site:

outside 0.0.0.0 0.0.0.0 70.106***.1 1 OTHER static
outside 70.106***.0 255.255.255.0 70.106.***.225 1 CONNECT static
outside 172.16.1.0 255.255.255.0 70.106.***.1 1 OTHER static
outside 172.16.11.0 255.255.255.0 70.106***.1 1 OTHER static
inside 172.16.65.0 255.255.255.0 172.16.65.1 1 CONNECT static

ASA at HQ sh route:

O IA 172.17.1.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:37, private
S    172.16.254.0 255.255.255.0 [1/0] via 75.145.***.178, outside
S    172.16.232.0 255.255.255.0 [1/0] via 75.145.***.190, outside
O E1 172.16.200.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.60.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.58.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.53.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
S    172.16.54.0 255.255.255.0 [1/0] via 75.145.***178, outside
O E1 172.16.37.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O IA 172.16.32.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.33.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.34.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.35.0 255.255.255.0 [110/30] via 172.16.1.252, 69:06:37, private
O IA 172.16.31.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.25.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O    172.16.10.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.11.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O E1 172.16.0.0 255.255.0.0 [110/30] via 172.16.1.252, 69:06:40, private
C    172.16.1.0 255.255.255.0 is directly connected, private
O    172.16.2.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.3.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O IA 172.16.100.0 255.255.255.252 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.101.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.102.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.103.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O E1 172.16.70.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 172.16.71.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
S    172.16.65.0 255.255.255.0 [1/0] via 75.145***.178, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, webdmz
O E1 10.80.8.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 10.80.9.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
C    75.145.***.176 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 75.145.***.190, outside

Question by:dissolved
5 Comments
Author Comment

by:dissolved
ID: 24052609
Like I said, from the remote site 172.16.65.0/24 I can ping HQ 172.16.1.0 and 172.16.10.0. I am unable to ping 172.16.11.0/24. I even entered a static route into the PIX here. No go. All other sites can ping 172.16.11.0.
 

Expert Comment

by:JFrederick29
ID: 24052635
Are you sure the interesting traffic access-list includes the 172.16.11.0/24 subnet?
 

Author Comment

by:dissolved
ID: 24052747
I believe so, see below.
Here are the ACLs on the PIX (remote):
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0

Here it is on the ASA at HQ (only showing the relevant ACLs):
#########OBJECT GROUP############
object-group network phones_for_remote_sites
 network-object 172.16.11.0 255.255.255.0
##############################
 
access-list ipsec-BellHaven; 4 elements
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net 0xd3a9f48c
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271

 

Accepted Solution

by: JFrederick29 (earned 2000 total points)
ID: 24052795
That looks good. On the HQ ASA, is there NAT exemption also for 172.16.11.0 to 172.16.65.0?
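The two things JFrederick29 asked about in the comments above (does the interesting-traffic ACL cover the subnet on both peers, and is the same pair NAT-exempted) are tedious to verify by eye on a long ACL. The script below is an added example, not part of the original thread and not Cisco tooling: it parses the PIX and ASA access-list output posted in this thread (embedded as sample text), checks that every crypto ACE on one peer has an exact mirror on the other, flags crypto pairs that no nonat entry covers, and lists ASA entries whose hit counter is zero. The regular expression, the `Ace` record and the function names are the example's own.

```python
"""Mirror and NAT-exemption checks for a site-to-site IPsec crypto ACL.

Added example. The ACL text is the PIX and ASA output posted in the thread;
the parsing and the checks are not Cisco's own tooling.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# PIX (remote site) access-lists as posted: "nonat" is NAT exemption,
# "ipsec" is the crypto map's interesting-traffic ACL.
PIX_ACLS = """\
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
"""

# ASA (HQ) "show access-list" output as posted, including the remark and the
# object-group lines that the ASA expands into the literal entries below them.
ASA_ACLS = """\
access-list ipsec-BellHaven; 4 elements
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net 0xd3a9f48c
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271
"""

# Matches PIX-style and ASA-style "permit ip <net> <mask> <net> <mask>" lines.
# Only literal addresses match, so remark and object-group lines are skipped.
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) (?:line \d+ )?(?:extended )?permit ip "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<smask>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dmask>\d+\.\d+\.\d+\.\d+)"
    r"(?:.*\(hitcnt=(?P<hits>\d+)\))?"
)


class Ace(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: Optional[int]  # None when the output carries no hit counter


def parse_acl(text: str, name: str) -> List[Ace]:
    """Collect the permit-ip entries of the ACL called `name`."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m["name"] != name:
            continue
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        hits = int(m["hits"]) if m["hits"] is not None else None
        aces.append(Ace(src, dst, hits))
    return aces


def mirror_gaps(local: List[Ace], remote: List[Ace]) -> Tuple[List[Ace], List[Ace]]:
    """Proxy identities must be exact mirrors: (src, dst) here == (dst, src) there.
    Returns (local entries with no mirror on remote, remote entries with no
    mirror on local)."""
    def mirrored(a: Ace, others: List[Ace]) -> bool:
        return any(o.src == a.dst and o.dst == a.src for o in others)
    return ([a for a in local if not mirrored(a, remote)],
            [a for a in remote if not mirrored(a, local)])


def nat_exempt_gaps(crypto: List[Ace], nonat: List[Ace]) -> List[Ace]:
    """Crypto entries whose src/dst pair no NAT-exemption entry covers.
    Traffic translated before encryption no longer matches the crypto ACL."""
    def covered(a: Ace) -> bool:
        return any(a.src.subnet_of(n.src) and a.dst.subnet_of(n.dst) for n in nonat)
    return [a for a in crypto if not covered(a)]


def zero_hit_aces(aces: List[Ace]) -> List[Ace]:
    """Entries that have never matched. For a freshly added pair this means the
    traffic is not reaching the crypto map (routing, NAT) or the existing SA
    was negotiated before the entry existed and has not been renegotiated."""
    return [a for a in aces if a.hits == 0]


def main() -> None:
    pix_crypto = parse_acl(PIX_ACLS, "ipsec")
    pix_nonat = parse_acl(PIX_ACLS, "nonat")
    asa_crypto = parse_acl(ASA_ACLS, "ipsec-BellHaven")
    not_on_asa, not_on_pix = mirror_gaps(pix_crypto, asa_crypto)
    print("crypto entries missing on ASA:", not_on_asa)
    print("crypto entries missing on PIX:", not_on_pix)
    print("PIX crypto pairs without nonat:", nat_exempt_gaps(pix_crypto, pix_nonat))
    print("ASA entries with zero hits:", zero_hit_aces(asa_crypto))


if __name__ == "__main__":
    main()
```

Run as-is it reports no mirror or NAT-exemption gaps for this thread's ACLs, which matches the outcome: the configuration was consistent, and the only entry with a zero hit counter was the 172.16.11.0/24 pair. A security association keeps the proxy identities it was negotiated with until it is cleared or expires, so an ACL entry added after the tunnel came up is not used until the SA is rebuilt; the mirror check tells you whether the configuration is the problem before you start clearing SAs.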
 

Author Comment

by:dissolved
ID: 24054132
All I had to do was a clear isa sa and everything worked. I totally forgot to do this.

Thanks
