Solved

Help needed (stuck at remote site)

Posted on 2009-04-02
Last Modified: 2012-05-06

Headquarters: 172.16.1.0/24, 172.16.10.0/24, 172.16.11.0/24
Remote site: 172.16.65.0

Have an IPSEC tunnel between HQ and the remote site. One site (172.16.65.0/24) has a PIX. Interesting traffic is defined as 172.16.65.0.
The other end of the tunnel terminates on an ASA. The ASA is at headquarters.

I have connectivity from the remote site to all subnets at HQ EXCEPT 172.16.11.0/24. Please see the output below for details.
PIX sh route at remote site:
outside 0.0.0.0 0.0.0.0 70.106***.1 1 OTHER static
outside 70.106***.0 255.255.255.0 70.106.***.225 1 CONNECT static
outside 172.16.1.0 255.255.255.0 70.106.***.1 1 OTHER static
outside 172.16.11.0 255.255.255.0 70.106***.1 1 OTHER static
inside 172.16.65.0 255.255.255.0 172.16.65.1 1 CONNECT static
 
 
ASA at HQ sh route:

O IA 172.17.1.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:37, private
S    172.16.254.0 255.255.255.0 [1/0] via 75.145.***.178, outside
S    172.16.232.0 255.255.255.0 [1/0] via 75.145.***.190, outside
O E1 172.16.200.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.60.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.58.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.53.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
S    172.16.54.0 255.255.255.0 [1/0] via 75.145.***178, outside
O E1 172.16.37.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O IA 172.16.32.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.33.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.34.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.35.0 255.255.255.0 [110/30] via 172.16.1.252, 69:06:37, private
O IA 172.16.31.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.25.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O    172.16.10.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.11.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O E1 172.16.0.0 255.255.0.0 [110/30] via 172.16.1.252, 69:06:40, private
C    172.16.1.0 255.255.255.0 is directly connected, private
O    172.16.2.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.3.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O IA 172.16.100.0 255.255.255.252 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.101.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.102.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.103.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O E1 172.16.70.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 172.16.71.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
S    172.16.65.0 255.255.255.0 [1/0] via 75.145***.178, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, webdmz
O E1 10.80.8.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 10.80.9.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
C    75.145.***.176 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 75.145.***.190, outside

Question by:dissolved
 

Author Comment

by:dissolved
ID: 24052609
Like I said, from the remote site 172.16.65.0/24 I can ping HQ 172.16.1.0 and 172.16.10.0. I am unable to ping 172.16.11.0/24. I even entered a static route into the PIX here. No go. All other sites can ping 172.16.11.0.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24052635
Are you sure the interesting traffic access-list includes the 172.16.11.0/24 subnet?
 

Author Comment

by:dissolved
ID: 24052747
I believe so, see below.
Here are the ACLs on the PIX (remote):
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
 
 
Here it is on the ASA at HQ (only showing the relevant ACLs):
#########OBJECT GROUP############
object-group network phones_for_remote_sites
 network-object 172.16.11.0 255.255.255.0
##############################
 
access-list ipsec-BellHaven; 4 elements
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net 0xd3a9f48c
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271

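As an added example (not code from the thread), a small Python check that parses the PIX crypto ACL and the ASA's expanded show access-list output posted above, verifies that the two crypto ACLs are mirror images of each other, and flags entries with hitcnt=0, which on an otherwise busy ACL usually means the selector was added after the SA came up and the SA needs to be cleared so it renegotiates. The sample lines are constructed from the values in this thread.

```python
import re
from ipaddress import IPv4Network

# Constructed sample input modelled on the thread: the PIX crypto ACL at the remote
# site and the ASA's expanded "show access-list" output at HQ (hit counts included).
PIX_ACL = """\
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
"""
ASA_ACL = """\
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACE_RE = re.compile(rf"permit ip {IP} {IP} {IP} {IP}(?: \(hitcnt=(\d+)\))?")

def parse_aces(text):
    """Return (src_net, dst_net, hitcnt) per expanded 'permit ip' line; object-group
    summary lines and remarks are skipped, hitcnt is None when not printed (PIX)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        src = IPv4Network(f"{m.group(1)}/{m.group(2)}")
        dst = IPv4Network(f"{m.group(3)}/{m.group(4)}")
        hits = int(m.group(5)) if m.group(5) is not None else None
        aces.append((src, dst, hits))
    return aces

def check_mirror(local, peer):
    """Crypto ACLs must be mirror images: every local (src, dst) needs a peer (dst, src).
    Returns, in local orientation, the pairs the peer lacks and the pairs local lacks."""
    local_pairs = {(s, d) for s, d, _ in local}
    peer_pairs = {(d, s) for s, d, _ in peer}  # flipped into local orientation
    fmt = lambda p: f"{p[0]} -> {p[1]}"
    return (sorted(map(fmt, local_pairs - peer_pairs)),
            sorted(map(fmt, peer_pairs - local_pairs)))

def zero_hit_aces(aces):
    """Selectors present but never matched while neighbouring entries are busy: the
    usual sign of an entry added after the SA was built, so the SA must be renegotiated."""
    return [f"{s} -> {d}" for s, d, h in aces if h == 0]
```

Run against the thread's ACLs both lists from check_mirror come back empty (the ACLs match), and zero_hit_aces singles out the 172.16.11.0/24 entry, which is exactly the selector that started working once the SA was cleared.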
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24052795
That looks good. On the HQ ASA, is there a NAT exemption also for 172.16.11.0 to 172.16.65.0?
 

Author Comment

by:dissolved
ID: 24054132
All I had to do was a clear isa sa and everything worked. Totally forgot to do this.

Thanks
