Solved

Help needed (stuck at remote site)

Posted on 2009-04-02
220 Views
Last Modified: 2012-05-06

Head quarters: 172.16.1.0/24, 172.16.10.0/24, 172.16.11.0/24
remote site: 172.16.65.0

Have an IPSEC tunnel between hq and remote. One site (172.16.65.0/24) has a pix. Interesting traffic is defined as 172.16.65.0
The end of the tunnel, terminates to an ASA. The ASA is at headquarters.

I have connectivity from the remote site, to all subnets at HQ EXCEPT 172.16.11.0/24. Please see code for info
pix sh route at remote site:
outside 0.0.0.0 0.0.0.0 70.106***.1 1 OTHER static
outside 70.106***.0 255.255.255.0 70.106.***.225 1 CONNECT static
outside 172.16.1.0 255.255.255.0 70.106.***.1 1 OTHER static
outside 172.16.11.0 255.255.255.0 70.106***.1 1 OTHER static
inside 172.16.65.0 255.255.255.0 172.16.65.1 1 CONNECT static
 
 
asa at hq sh route:
 
O IA 172.17.1.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:37, private
S    172.16.254.0 255.255.255.0 [1/0] via 75.145.***.178, outside
S    172.16.232.0 255.255.255.0 [1/0] via 75.145.***.190, outside
O E1 172.16.200.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.60.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.58.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.53.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
S    172.16.54.0 255.255.255.0 [1/0] via 75.145.***178, outside
O E1 172.16.37.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O IA 172.16.32.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.33.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.34.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.35.0 255.255.255.0 [110/30] via 172.16.1.252, 69:06:37, private
O IA 172.16.31.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.25.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O    172.16.10.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.11.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O E1 172.16.0.0 255.255.0.0 [110/30] via 172.16.1.252, 69:06:40, private
C    172.16.1.0 255.255.255.0 is directly connected, private
O    172.16.2.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.3.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O IA 172.16.100.0 255.255.255.252 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.101.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.102.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.103.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O E1 172.16.70.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 172.16.71.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
S    172.16.65.0 255.255.255.0 [1/0] via 75.145***.178, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, webdmz
O E1 10.80.8.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 10.80.9.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
C    75.145.***.176 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 75.145.***.190, outside


Question by:dissolved
5 Comments
 

Author Comment

by:dissolved
ID: 24052609
Like I said, from the remote site 172.16.65.0/24, I can ping HQ 172.16.1.0, 172.16.10.0. I am unable to ping 172.16.11.0/24. I even entered a static route into the pix here. No go. All other sites can ping 172.16.11.0
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24052635
Are you sure the interesting traffic access-list includes the 172.16.11.0/24 subnet?
0
 

Author Comment

by:dissolved
ID: 24052747
I believe so, see below.
Here are the ACLs on the PIX (remote):
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
 
 
Here it is on the ASA at HQ (only showing relevant ACLs):
#########OBJECT GROUP############
object-group network phones_for_remote_sites
 network-object 172.16.11.0 255.255.255.0
##############################
 
access-list ipsec-BellHaven; 4 elements
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net 0xd3a9f48c
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271


0
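The two ACL listings above are what a reviewer needs to compare: every crypto (interesting-traffic) entry on the PIX should have a mirrored entry on the ASA, a matching nonat (NAT exemption) entry on the same box, and, once traffic flows, a non-zero hit counter. The script below is an added example, not the posters' configuration or any Cisco tool: it parses PIX-style and ASA `show access-list` style lines (the PIX_ACL and ASA_ACL sample text is constructed from the lines quoted in this post), reports pairs that are not mirrored or not NAT-exempt, and flags ASA entries with hitcnt=0, which is exactly what the 172.16.11.0 line shows here. The function and variable names, and the "local"/"peer" labelling, are assumptions made for the example.

```python
"""Cross-check the crypto ("interesting traffic") ACLs at both ends of an
IPsec tunnel. Added example; PIX_ACL and ASA_ACL are constructed samples
copied from the lines quoted in the thread, and every name below is an
assumption made for this illustration."""
import ipaddress
import re

# PIX side (remote). Constructed sample: crypto ACL "ipsec" and NAT-exemption ACL "nonat".
PIX_ACL = """\
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
"""

# ASA side (HQ), "show access-list" output with hit counters. Constructed sample.
ASA_ACL = """\
access-list ipsec-BellHaven; 4 elements
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net 0xd3a9f48c
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271
"""

# Matches PIX "permit ip SRC MASK DST MASK" and ASA "line N extended permit ip ... (hitcnt=N)".
# Object-group summary lines and remarks carry no addresses, so they never match.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+\(hitcnt=(?P<hits>\d+)\))?"
)


def parse_acl(text):
    """Return a list of (acl_name, src_network, dst_network, hitcnt_or_None)."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        hits = int(m["hits"]) if m["hits"] is not None else None
        entries.append((m["name"], src, dst, hits))
    return entries


def check_tunnel(local_text, local_crypto, local_nonat, peer_text, peer_crypto):
    """Compare one side's crypto ACL (plus its NAT-exemption ACL) with the peer's
    crypto ACL. Returns human-readable findings; an empty list means every
    proxy-ID pair is mirrored, NAT-exempt locally, and has a non-zero peer counter."""
    local = parse_acl(local_text)
    peer = parse_acl(peer_text)
    local_pairs = {(s, d) for n, s, d, _ in local if n == local_crypto}
    nonat_pairs = {(s, d) for n, s, d, _ in local if n == local_nonat}
    peer_pairs = {(s, d) for n, s, d, _ in peer if n == peer_crypto}

    def order(pair):  # deterministic report order
        return (str(pair[0]), str(pair[1]))

    findings = []
    for s, d in sorted(local_pairs, key=order):
        if (d, s) not in peer_pairs:
            findings.append(f"no mirror on peer for {s} -> {d}")
        if (s, d) not in nonat_pairs:
            findings.append(f"no NAT exemption on local for {s} -> {d}")
    for s, d in sorted(peer_pairs, key=order):
        if (d, s) not in local_pairs:
            findings.append(f"no mirror on local for {s} -> {d}")
    # A zero counter on an otherwise correct ACE is the symptom in this thread:
    # the entry was added after the SA was built, so no SA covers it yet.
    for n, s, d, hits in peer:
        if n == peer_crypto and hits == 0:
            findings.append(f"peer ACE {s} -> {d} has hitcnt=0 (no SA has carried this pair)")
    return findings


def audit_thread_config():
    """Run the check against the constructed samples from this thread."""
    return check_tunnel(PIX_ACL, "ipsec", "nonat", ASA_ACL, "ipsec-BellHaven")


if __name__ == "__main__":
    for finding in audit_thread_config() or ["no findings"]:
        print(finding)
```

Run against the thread's own listings it reports a single finding, the hitcnt=0 entry for 172.16.11.0/24, which matches the outcome of the thread: the ACLs were right and the tunnel only needed its SA renegotiated. Removing one line from either side makes the mirror or NAT-exemption check fire instead, which is the other common cause of "one subnet does not pass".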
 
LVL 43

Accepted Solution

by: JFrederick29 (earned 500 total points)
ID: 24052795
That looks good. On the HQ ASA, is there also a NAT exemption for 172.16.11.0 to 172.16.65.0?
0
 

Author Comment

by:dissolved
ID: 24054132
All I had to do was a clear isa sa and everything worked. Totally forgot to do this.

Thanks
0
