
Help needed (stuck at remote site)

Asked by dissolved. 238 Views. Last Modified: 2012-05-06

Headquarters: 172.16.1.0/24, 172.16.10.0/24, 172.16.11.0/24
Remote site: 172.16.65.0

Have an IPsec tunnel between HQ and remote. One site (172.16.65.0/24) has a PIX. Interesting traffic is defined as 172.16.65.0.
The end of the tunnel terminates on an ASA. The ASA is at headquarters.

I have connectivity from the remote site to all subnets at HQ EXCEPT 172.16.11.0/24. Please see the output below for info.
PIX sh route at the remote site:
outside 0.0.0.0 0.0.0.0 70.106***.1 1 OTHER static
outside 70.106***.0 255.255.255.0 70.106.***.225 1 CONNECT static
outside 172.16.1.0 255.255.255.0 70.106.***.1 1 OTHER static
outside 172.16.11.0 255.255.255.0 70.106***.1 1 OTHER static
inside 172.16.65.0 255.255.255.0 172.16.65.1 1 CONNECT static
 
 
ASA at HQ sh route:
 
O IA 172.17.1.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:37, private
S    172.16.254.0 255.255.255.0 [1/0] via 75.145.***.178, outside
S    172.16.232.0 255.255.255.0 [1/0] via 75.145.***.190, outside
O E1 172.16.200.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.60.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.58.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O E1 172.16.53.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
S    172.16.54.0 255.255.255.0 [1/0] via 75.145.***178, outside
O E1 172.16.37.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:37, private
O IA 172.16.32.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.33.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O IA 172.16.34.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.35.0 255.255.255.0 [110/30] via 172.16.1.252, 69:06:37, private
O IA 172.16.31.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:37, private
O E1 172.16.25.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O    172.16.10.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.11.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O E1 172.16.0.0 255.255.0.0 [110/30] via 172.16.1.252, 69:06:40, private
C    172.16.1.0 255.255.255.0 is directly connected, private
O    172.16.2.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O    172.16.3.0 255.255.255.0 [110/11] via 172.16.1.1, 69:06:40, private
O IA 172.16.100.0 255.255.255.252 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.101.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.102.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O IA 172.16.103.0 255.255.255.0 [110/12] via 172.16.1.1, 69:06:40, private
O E1 172.16.70.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 172.16.71.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
S    172.16.65.0 255.255.255.0 [1/0] via 75.145***.178, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.10.10.0 255.255.255.0 is directly connected, webdmz
O E1 10.80.8.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
O E1 10.80.9.0 255.255.255.0 [110/110] via 172.16.1.254, 69:06:40, private
C    75.145.***.176 255.255.255.240 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 75.145.***.190, outside


Author

Commented:
Like I said, from the remote site 172.16.65.0/24 I can ping HQ 172.16.1.0 and 172.16.10.0. I am unable to ping 172.16.11.0/24. I even entered a static route into the PIX here. No go. All other sites can ping 172.16.11.0.
Top Expert 2009

Commented:
Are you sure the interesting traffic access-list includes the 172.16.11.0/24 subnet?

Author

Commented:
I believe so, see below.
Here are the ACLs on the PIX (remote):
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
 
 
Here it is on the ASA at HQ (only showing the relevant ACLs):
#########OBJECT GROUP############
object-group network phones_for_remote_sites
 network-object 172.16.11.0 255.255.255.0
##############################
 
access-list ipsec-BellHaven; 4 elements
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net 0xd3a9f48c
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271

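A quick way to check that the two crypto ACLs pasted above are true mirror images (every PIX source/destination pair appears reversed on the ASA, and vice versa) and to flag entries that have never matched a packet. This is an added example, not code from the thread; the ACL text is copied from the posts, and the hitcnt=0 on the 172.16.11.0 entry is the visible clue that the ASA had not yet negotiated an SA for that pair, which is consistent with the author's fix of clearing the ISAKMP SA so the tunnel renegotiates with the updated proxy identities.

```python
import re
from ipaddress import ip_network

# Crypto ACLs as pasted in the thread (PIX at the remote site, ASA at HQ).
PIX_ACL = """
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list ipsec permit ip 172.16.65.0 255.255.255.0 172.16.11.0 255.255.255.0
"""
ASA_ACL = """
access-list ipsec-BellHaven line 1 remark Intersting Traffic for BellHaven VPN
access-list ipsec-BellHaven line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=19189) 0x80e01b62
access-list ipsec-BellHaven line 2 extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=4125) 0x15dcc42f
access-list ipsec-BellHaven line 2 extended permit ip 172.16.101.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=16720) 0x9f8016be
access-list ipsec-BellHaven line 3 extended permit ip object-group phones_for_remote_sites object-group Bell-Haven-net 0xea0c6880
access-list ipsec-BellHaven line 3 extended permit ip 172.16.11.0 255.255.255.0 172.16.65.0 255.255.255.0 (hitcnt=0) 0xd8b40271
"""

# Matches the expanded (per-network) ACE form on both platforms; object-group
# summary lines and remarks carry no dotted-quad pair and are skipped.
ACE_RE = re.compile(
    r"permit ip (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)(?: \(hitcnt=(\d+)\))?"
)

def parse_crypto_acl(text):
    """Return {(src_net, dst_net): hitcnt or None} for each expanded ACE."""
    entries = {}
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        src = ip_network(f"{m.group(1)}/{m.group(2)}")
        dst = ip_network(f"{m.group(3)}/{m.group(4)}")
        entries[(src, dst)] = int(m.group(5)) if m.group(5) else None
    return entries

def check_mirror(local_acl, peer_acl):
    """Each (src, dst) on one side must appear as (dst, src) on the other."""
    local, peer = parse_crypto_acl(local_acl), parse_crypto_acl(peer_acl)
    missing_on_peer = sorted(f"{s}->{d}" for s, d in local if (d, s) not in peer)
    missing_on_local = sorted(f"{s}->{d}" for s, d in peer if (d, s) not in local)
    # Peer entries that exist but have never matched: the SA for that pair
    # may not have been negotiated yet (the symptom seen in this thread).
    never_hit = sorted(f"{s}->{d}" for (s, d), hits in peer.items() if hits == 0)
    return {"missing_on_peer": missing_on_peer,
            "missing_on_local": missing_on_local, "never_hit": never_hit}
```

Run check_mirror(PIX_ACL, ASA_ACL) against any PIX/ASA pair: an empty missing list on both sides with a non-empty never_hit list points at SA negotiation rather than at the ACLs themselves.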

Top Expert 2009
Commented:

Author

Commented:
All I had to do was a clear isa sa and everything worked. Totally forgot to do this.

Thanks
