Solved

Help needed (stuck at remote site)

Posted on 2009-04-02
Last Modified: 2012-05-06

Headquarters: 172.16.1.0/24, 172.16.10.0/24, 172.16.11.0/24
Remote site: 172.16.65.0

Have an IPSEC tunnel between HQ and remote. One site (172.16.65.0/24) has a pix. Interesting traffic is defined as 172.16.65.0.
The end of the tunnel terminates on an ASA. The ASA is at headquarters.

I have connectivity from the remote site to all subnets at HQ EXCEPT 172.16.11.0/24. Please see code for info.
pix sh route at remote site:

    outside 0.0.0.0 0.0.0.0 70.106***.1 1 OTHER static
    outside 70.106***.0 255.255.255.0 70.106.***.225 1 CONNECT static
    outside 172.16.1.0 255.255.255.0 70.106.***.1 1 OTHER static
    outside 172.16.11.0 255.255.255.0 70.106***.1 1 OTHER static
    inside 172.16.65.0 255.255.255.0 172.16.65.1 1 CONNECT static

asa at hq sh route:
 

    O IA 172.17.1.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:37, private
    S    172.16.254.0 255.255.255.0 [1/0] via 75.145.***.178, outside
    S    172.16.232.0 255.255.255.0 [1/0] via 75.145.***.190, outside
    O E1 172.16.200.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
    O E1 172.16.60.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
    O E1 172.16.58.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
    O E1 172.16.53.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
    S    172.16.54.0 255.255.255.0 [1/0] via 75.145.***178, outside
    O E1 172.16.37.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
    O IA 172.16.32.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
    O IA 172.16.33.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
    O IA 172.16.34.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
    O E1 172.16.35.0 255.255.255.0 [110/30] via 172.16.1.252, 69:06:37, private
    O IA 172.16.31.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
    O E1 172.16.25.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
    O    172.16.10.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
    O    172.16.11.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
    O E1 172.16.0.0 255.255.0.0 [110/30] via 172.16.1.252, 69:06:40, private
    C    172.16.1.0 255.255.255.0 is directly connected, private
    O    172.16.2.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
    O    172.16.3.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
    O IA 172.16.100.0 255.255.255.252 [110/12] via 172.16.1.1, 69:06:40, private
    O IA 172.16.101.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
    O IA 172.16.102.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
    O IA 172.16.103.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
    O E1 172.16.70.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
    O E1 172.16.71.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
    S    172.16.65.0 255.255.255.0 [1/0] via 75.145***.178, outside
    C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
    C    10.10.10.0 255.255.255.0 is directly connected, webdmz
    O E1 10.80.8.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
    O E1 10.80.9.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
    C    75.145.***.176 255.255.255.240 is directly connected, outside
    S*   0.0.0.0 0.0.0.0 [1/0] via 75.145.***.190, outside

Question by: dissolved

Author Comment by dissolved (ID: 24052609)
Like I said, from the remote site 172.16.65.0/24, I can ping HQ 172.16.1.0, 172.16.10.0. I am unable to ping 172.16.11.0/24. I even entered a static route into the pix here. No go. All other sites can ping 172.16.11.0
 
Expert Comment by JFrederick29 (ID: 24052635)
Are you sure the interesting traffic access-list includes the 172.16.11.0/24 subnet?
 

Author Comment by dissolved (ID: 24052747)

I believe so, see below.
Here are the ACLs on the pix (remote):

    access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
    access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
    access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
    access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0

Here it is on the ASA at HQ (only showing relevant ACLs):

    #########OBJECT GROUP############
    object-group network phones_for_remote_sites
     network-object 172.16.11.0 255.255.255.0
    ##############################

    access-list ipsec-BellHaven; 4 elements
    access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
    access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net 0xd3a9f48c
    access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
    access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
    access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
    access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
    access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271

 
Accepted Solution by JFrederick29 (earned 500 total points, ID: 24052795)

That looks good. On the HQ ASA, is there NAT exemption also for 172.16.11.0 to 172.16.65.0?
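The two checks JFrederick29's replies ask for (is the subnet in the interesting-traffic ACL on both ends, and is it NAT-exempt) can be done mechanically against the output dissolved posted. The script below is an added example, not code from this thread or from Cisco: it parses the PIX `nonat` and `ipsec` ACLs and the expanded ASA `ipsec-BellHaven` entries (names taken from the posted output; the sample text is a constructed copy of it), checks that every PIX crypto entry has a NAT-exemption twin and a mirrored entry on the ASA, and flags ASA entries whose hitcnt is 0. The ASA's own NAT exemption is not in the thread, so the exemption check here covers only the PIX side.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the PIX ACLs and the expanded ASA crypto ACL as
# quoted in this thread (public addresses were already redacted there).
PIX_ACLS = """\
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
"""

ASA_CRYPTO_ACL = """\
access-list ipsec-BellHaven; 4 elements
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net 0xd3a9f48c
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271
"""

Flow = Tuple[str, str]  # (source "net/mask", destination "net/mask")

# PIX style entry: access-list <name> permit ip <src> <mask> <dst> <mask>
PIX_RE = re.compile(
    r"^access-list (?P<name>\S+) permit ip "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<smask>\S+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dmask>\S+)"
)
# ASA "show access-list" expanded entries. The object-group summary lines and
# the remark do not match because their source is not a dotted quad.
ASA_RE = re.compile(
    r"^access-list (?P<name>\S+) line \d+ extended permit ip "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<smask>\S+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dmask>\S+)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?"
)


def _flow(m) -> Flow:
    return (f"{m['src']}/{m['smask']}", f"{m['dst']}/{m['dmask']}")


def parse_pix(text: str) -> Dict[str, Set[Flow]]:
    """Group PIX access-list entries by ACL name."""
    acls: Dict[str, Set[Flow]] = {}
    for line in text.splitlines():
        m = PIX_RE.match(line.strip())
        if m:
            acls.setdefault(m["name"], set()).add(_flow(m))
    return acls


def parse_asa(text: str) -> Dict[Flow, int]:
    """Return each expanded ASA entry with its hit count (-1 if none shown)."""
    flows: Dict[Flow, int] = {}
    for line in text.splitlines():
        m = ASA_RE.match(line.strip())
        if m:
            flows[_flow(m)] = int(m["hits"]) if m["hits"] is not None else -1
    return flows


def mirror(flow: Flow) -> Flow:
    """The entry the peer must carry: same networks, source and destination swapped."""
    return (flow[1], flow[0])


def audit(pix_text: str, asa_text: str,
          crypto_acl: str = "ipsec", nonat_acl: str = "nonat") -> Dict[str, List[Flow]]:
    """Cross-check the PIX crypto ACL against its NAT exemption and the ASA crypto ACL."""
    pix = parse_pix(pix_text)
    asa = parse_asa(asa_text)
    crypto = pix.get(crypto_acl, set())
    nonat = pix.get(nonat_acl, set())
    return {
        # Interesting traffic the PIX would encrypt but also translate
        "missing_nonat": sorted(crypto - nonat),
        # PIX crypto entries with no mirrored entry on the ASA
        "not_mirrored_on_asa": sorted(f for f in crypto if mirror(f) not in asa),
        # ASA crypto entries the PIX does not carry
        "not_mirrored_on_pix": sorted(f for f in asa if mirror(f) not in crypto),
        # Mirrored correctly, but never matched a packet on the ASA
        "zero_hits_on_asa": sorted(f for f, hits in asa.items() if hits == 0),
    }


if __name__ == "__main__":
    for check, flows in audit(PIX_ACLS, ASA_CRYPTO_ACL).items():
        print(f"{check}: {flows if flows else 'ok'}")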
 

Author Comment by dissolved (ID: 24054132)

All I had to do was do a clear isa sa and everything worked. Totally forgot to do this.

Thanks