Solved

Help needed (stuck at remote site)

Posted on 2009-04-02
Last Modified: 2012-05-06

Headquarters: 172.16.1.0/24, 172.16.10.0/24, 172.16.11.0/24
Remote site: 172.16.65.0

Have an IPsec tunnel between HQ and remote. One site (172.16.65.0/24) has a PIX. Interesting traffic is defined as 172.16.65.0.
The other end of the tunnel terminates on an ASA. The ASA is at headquarters.

I have connectivity from the remote site to all subnets at HQ EXCEPT 172.16.11.0/24. Please see the code below for info.
PIX sh route at remote site:

outside 0.0.0.0 0.0.0.0 70.106***.1 1 OTHER static
outside 70.106***.0 255.255.255.0 70.106.***.225 1 CONNECT static
outside 172.16.1.0 255.255.255.0 70.106.***.1 1 OTHER static
outside 172.16.11.0 255.255.255.0 70.106***.1 1 OTHER static
inside 172.16.65.0 255.255.255.0 172.16.65.1 1 CONNECT static

ASA at HQ sh route:

O IA 172.17.1.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:37, private
S    172.16.254.0 255.255.255.0 [1/0] via 75.145.***.178, outside
S    172.16.232.0 255.255.255.0 [1/0] via 75.145.***.190, outside
O E1 172.16.200.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.60.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.58.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.53.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
S    172.16.54.0 255.255.255.0 [1/0] via 75.145.***178, outside
O E1 172.16.37.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O IA 172.16.32.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.33.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.34.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.35.0 255.255.255.0 [110/30] via 172.16.1.252, 69:06:37, private
O IA 172.16.31.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.25.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O    172.16.10.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.11.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O E1 172.16.0.0 255.255.0.0 [110/30] via 172.16.1.252, 69:06:40, private
C    172.16.1.0 255.255.255.0 is directly connected, private
O    172.16.2.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.3.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O IA 172.16.100.0 255.255.255.252 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.101.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.102.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.103.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O E1 172.16.70.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 172.16.71.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
S    172.16.65.0 255.255.255.0 [1/0] via 75.145***.178, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, webdmz
O E1 10.80.8.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 10.80.9.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
C    75.145.***.176 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 75.145.***.190, outside

Question by:dissolved
Author Comment

by:dissolved
ID: 24052609
Like I said, from the remote site 172.16.65.0/24 I can ping HQ 172.16.1.0 and 172.16.10.0. I am unable to ping 172.16.11.0/24. I even entered a static route into the PIX here. No go. All other sites can ping 172.16.11.0.

Expert Comment

by:JFrederick29
ID: 24052635
Are you sure the interesting traffic access-list includes the 172.16.11.0/24 subnet?
 

Author Comment

by:dissolved
ID: 24052747
I believe so, see below.
Here are the ACLs on the PIX (remote):

access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0

Here it is on the ASA at HQ (only showing relevant ACLs):

#########OBJECT GROUP############
object-group network phones_for_remote_sites
 network-object 172.16.11.0 255.255.255.0
##############################

access-list ipsec-BellHaven; 4 elements
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net 0xd3a9f48c
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271


Accepted Solution

by: JFrederick29 (earned 500 total points)
ID: 24052795
That looks good. On the HQ ASA, is there NAT exemption also for 172.16.11.0 to 172.16.65.0?
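The two checks raised in this thread (does the PIX crypto ACL mirror the ASA's, and is NAT exemption in place for the same pairs) can be automated. The script below is an added example, not code from the thread or from Cisco; it parses the `show access-list` output quoted above, reports entries missing on either side or not covered by the PIX `nonat` ACL, and flags ASA entries with `hitcnt=0`, which for an otherwise matching ACL points at stale security associations rather than a mismatch. The ACL names and the abridged sample text are taken from the thread.

```python
import re
from ipaddress import ip_network

# Matches PIX "permit ip ..." and ASA expanded "line N extended permit ip ..." ACEs
ACE_RE = re.compile(
    r"access-list (?P<name>\S+)(?: line \d+)?(?: extended)? permit ip "
    r"(?P<s>\d+\.\d+\.\d+\.\d+) (?P<sm>\d+\.\d+\.\d+\.\d+) "
    r"(?P<d>\d+\.\d+\.\d+\.\d+) (?P<dm>\d+\.\d+\.\d+\.\d+)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?")

def parse_aces(text, name):
    """Return {(src_net, dst_net): hitcnt or None} for the ACEs of ACL `name`."""
    out = {}
    for m in ACE_RE.finditer(text):
        if m.group("name") == name:
            pair = (ip_network(f"{m.group('s')}/{m.group('sm')}"),
                    ip_network(f"{m.group('d')}/{m.group('dm')}"))
            out[pair] = int(m.group("hits")) if m.group("hits") else None
    return out

def check_tunnel(pix_text, pix_crypto, pix_nonat, asa_text, asa_crypto):
    """Cross-check both tunnel ends; every list in the result should be empty."""
    pix = parse_aces(pix_text, pix_crypto)
    nonat = parse_aces(pix_text, pix_nonat)
    asa = parse_aces(asa_text, asa_crypto)
    mirrored = {(d, s): h for (s, d), h in asa.items()}  # ASA ACL seen from the PIX side
    fmt = lambda p: f"{p[0]}->{p[1]}"
    return {
        "missing_on_asa": sorted(fmt(p) for p in pix if p not in mirrored),
        "missing_on_pix": sorted(fmt(p) for p in mirrored if p not in pix),
        "not_nat_exempt_on_pix": sorted(fmt(p) for p in pix if p not in nonat),
        "zero_hits_on_asa": sorted(fmt(p) for p, h in asa.items() if h == 0),
    }

# Constructed sample, abridged from the ACL output quoted in the thread.
PIX_ACLS = """\
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
"""
ASA_ACLS = """\
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271
"""
```

Run `check_tunnel(PIX_ACLS, "ipsec", "nonat", ASA_ACLS, "ipsec-BellHaven")`; on the thread's ACLs only `zero_hits_on_asa` is non-empty, which is exactly the symptom that `clear isakmp sa` resolved.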
 

Author Comment

by:dissolved
ID: 24054132
All I had to do was a clear isa sa and everything worked. Totally forgot to do this.

Thanks