  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 225

Help needed (stuck at remote site)


Headquarters: 172.16.1.0/24, 172.16.10.0/24, 172.16.11.0/24
Remote site: 172.16.65.0/24

Have an IPSEC tunnel between HQ and remote. One site (172.16.65.0/24) has a PIX. Interesting traffic is defined as 172.16.65.0.
The other end of the tunnel terminates on an ASA. The ASA is at headquarters.

I have connectivity from the remote site to all subnets at HQ EXCEPT 172.16.11.0/24. Please see the output below for info.
PIX sh route at remote site:
outside 0.0.0.0 0.0.0.0 70.106***.1 1 OTHER static
outside 70.106***.0 255.255.255.0 70.106.***.225 1 CONNECT static
outside 172.16.1.0 255.255.255.0 70.106.***.1 1 OTHER static
outside 172.16.11.0 255.255.255.0 70.106***.1 1 OTHER static
inside 172.16.65.0 255.255.255.0 172.16.65.1 1 CONNECT static

ASA at HQ sh route:

O IA 172.17.1.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:37, private
S    172.16.254.0 255.255.255.0 [1/0] via 75.145.***.178, outside
S    172.16.232.0 255.255.255.0 [1/0] via 75.145.***.190, outside
O E1 172.16.200.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.60.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.58.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.53.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
S    172.16.54.0 255.255.255.0 [1/0] via 75.145.***178, outside
O E1 172.16.37.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O IA 172.16.32.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.33.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.34.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.35.0 255.255.255.0 [110/30] via 172.16.1.252, 69:06:37, private
O IA 172.16.31.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.25.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O    172.16.10.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.11.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O E1 172.16.0.0 255.255.0.0 [110/30] via 172.16.1.252, 69:06:40, private
C    172.16.1.0 255.255.255.0 is directly connected, private
O    172.16.2.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.3.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O IA 172.16.100.0 255.255.255.252 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.101.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.102.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.103.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O E1 172.16.70.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 172.16.71.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
S    172.16.65.0 255.255.255.0 [1/0] via 75.145***.178, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, webdmz
O E1 10.80.8.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 10.80.9.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
C    75.145.***.176 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 75.145.***.190, outside

Asked by: dissolved
1 Solution
 
dissolved (Author) commented:
Like I said, from the remote site 172.16.65.0/24 I can ping HQ 172.16.1.0 and 172.16.10.0. I am unable to ping 172.16.11.0/24. I even entered a static route into the PIX here. No go. All other sites can ping 172.16.11.0.
 
JFrederick29 commented:
Are you sure the interesting traffic access-list includes the 172.16.11.0/24 subnet?
 
dissolved (Author) commented:
I believe so, see below.
Here are the ACLs on the PIX (remote):
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
 
 
Here it is on the ASA at HQ (only showing relevant ACLs):
#########OBJECT GROUP############
object-group network phones_for_remote_sites
 network-object 172.16.11.0 255.255.255.0
##############################
 
access-list ipsec-BellHaven; 4 elements
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net 0xd3a9f48c
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271

 
JFrederick29 commented:
That looks good. On the HQ ASA, is there a NAT exemption also for 172.16.11.0 to 172.16.65.0?
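The two things JFrederick29 checks here, that the crypto (interesting-traffic) ACL entries are mirror images on both peers and that every crypto ACL pair has a matching NAT exemption, can be checked mechanically from `show access-list` output. The script below is an added example, not code from the thread or from Cisco; it parses the expanded `permit ip` entries that PIX/ASA print (object-group and remark lines are skipped because the firewall prints the expanded addresses right after them). The remote PIX lines and the HQ `ipsec-BellHaven` lines are the ones posted above; the HQ `hq-nonat` ACL is constructed, because the thread never shows the HQ NAT exemption, and it deliberately omits 172.16.11.0/24 so the report shows what such a gap looks like.

```python
"""Audit a PIX/ASA site-to-site IPsec config for the two classic one-subnet-
fails mismatches: a crypto ACL entry with no mirror on the peer, and a crypto
ACL entry with no NAT exemption covering it. Example code written for this
page; sample ACL text is taken from the thread except where marked constructed."""

import re
from ipaddress import IPv4Network

# Matches PIX 'access-list NAME permit ip ...' and ASA 'access-list NAME line N
# extended permit ip ...' entries that carry literal network/mask pairs.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?(?:\s+extended)?\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)"
)


def parse_aces(config_text):
    """Return {acl_name: {(src_net, dst_net), ...}} for every expanded permit ip ACE."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue  # remarks, object-group summary lines, element counts
        src = IPv4Network(f"{m['src']}/{m['smask']}")
        dst = IPv4Network(f"{m['dst']}/{m['dmask']}")
        acls.setdefault(m["name"], set()).add((src, dst))
    return acls


def mirror_mismatches(local_pairs, peer_pairs):
    """Crypto ACLs must mirror each other: (src, dst) here needs (dst, src) there.
    Returns the local pairs that have no mirror on the peer."""
    mirrored = {(d, s) for s, d in peer_pairs}
    return sorted(local_pairs - mirrored, key=str)


def nat_exemption_gaps(crypto_pairs, nonat_pairs):
    """Every crypto pair needs a NAT exemption that covers it; otherwise the
    packet is translated before encryption and no longer matches the crypto ACL."""
    gaps = [
        (src, dst)
        for src, dst in crypto_pairs
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nonat_pairs)
    ]
    return sorted(gaps, key=str)


def audit_tunnel(remote_cfg, remote_crypto, remote_nonat, hq_cfg, hq_crypto, hq_nonat):
    """Run both checks in both directions and return the findings as a dict."""
    remote, hq = parse_aces(remote_cfg), parse_aces(hq_cfg)
    return {
        "remote_unmirrored": mirror_mismatches(remote[remote_crypto], hq[hq_crypto]),
        "hq_unmirrored": mirror_mismatches(hq[hq_crypto], remote[remote_crypto]),
        "remote_nat_gaps": nat_exemption_gaps(remote[remote_crypto], remote.get(remote_nonat, set())),
        "hq_nat_gaps": nat_exemption_gaps(hq[hq_crypto], hq.get(hq_nonat, set())),
    }


# Remote PIX ACLs as posted in the thread.
REMOTE_PIX = """\
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
"""

# HQ ASA: crypto ACL as posted ('show access-list' with object groups expanded).
# The hq-nonat lines are CONSTRUCTED for this example and leave out 172.16.11.0/24.
HQ_ASA = """\
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189)
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125)
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720)
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0)
access-list hq-nonat extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0
access-list hq-nonat extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0
access-list hq-nonat extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0
"""

if __name__ == "__main__":
    report = audit_tunnel(REMOTE_PIX, "ipsec", "nonat", HQ_ASA, "ipsec-BellHaven", "hq-nonat")
    for check, findings in report.items():
        print(f"{check}: {[f'{s} -> {d}' for s, d in findings] or 'OK'}")
```

With the posted ACLs the mirror check passes in both directions and the remote NAT exemption is complete; the only finding is the constructed HQ gap for 172.16.11.0/24 to 172.16.65.0/24. Note that a clean report does not by itself prove the tunnel is right: IPsec SAs are negotiated per proxy identity (the crypto ACL pair), so SAs built before an ACL or object-group change keep the old identities until they expire or are cleared, which is why the next post resolves the problem by clearing the SAs.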
 
dissolved (Author) commented:
All I had to do was a clear isa sa and everything worked. Totally forgot to do this.

Thanks