Site-to-site | possible routing issue?

Posted on 2009-04-20
Last Modified: 2012-05-06
I have a site-to-site tunnel between my house and work.
My house is  Work is, and

Interesting traffic in my PIX is defined as:

I am terminating at an ASA5505 (

1. I cannot initiate the tunnel. Work has to do it.

2. Even with the tunnel established, I cannot access  I can only access the network (where I terminate).

Any ideas?

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password uCC7HvYx68qN0nG5 encrypted
passwd xIsrlcAkUmuvQSHs encrypted
hostname fwall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list ipsec permit ip
access-list nonat permit ip
access-list nonat permit ip
access-list outside-to-inside permit icmp any any
access-list outside-to-inside permit tcp any interface outside eq 9090
access-list outside-to-inside permit tcp any interface outside eq www
access-list split_tunnel_acl permit ip
access-list dmz permit icmp any any echo-reply
pager lines 24
logging on
logging buffered informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool mask
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (dmz) 1 0 0
static (inside,outside) tcp interface www www netmask 0 0
static (inside,outside) tcp interface 9090 9090 netmask 0 0
static (inside,dmz) netmask 0 0
access-group outside-to-inside in interface outside
access-group dmz in interface dmz
route outside 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto dynamic-map vpn 65535 set transform-set aesmap
crypto dynamic-map vpn 65535 set security-association lifetime seconds 84600 kilobytes 4608000
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer
crypto map mymap 88 set transform-set aesmap
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn client configuration address initiate
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth
isakmp nat-traversal 20
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup family address-pool vpn-pool
vpngroup family split-tunnel split_tunnel_acl
vpngroup family idle-time 14400
vpngroup family password ********
vpngroup password idle-time 1800
telnet timeout 5
ssh outside
ssh inside
ssh timeout 60
management-access inside
console timeout 0
username ryan password wo854658/NDCLO encrypted privilege 15
terminal width 80
: end


Question by: dissolved

Author Comment

My boss suggested that I apply my "ipsec" ACL INBOUND on my inside interface. I did this and I still could not initiate the tunnel. I also could not get out to the Internet when I had the "ipsec" ACL applied to my inside interface (in the INBOUND direction).

What's going on with this?

Expert Comment

Your config looks fine.

Any chance we can see the work-side config?

Author Comment

Cool. So the "ipsec" ACL does not need to be applied to an interface via the access-group command? Just want to be sure. I figured the "ipsec" ACL is only used as a reference point for defining interesting traffic.

I don't have access to the work side right now, as we have a memory leak in that ASA and it's at a remote site. But it looks like the below (all from memory).

I can ping the network fine. It's the and I cannot communicate with. I also cannot initiate the tunnel; it has to be on their end.

I should note: the network can ping me and get a response. Just not the other way around. I will try to get the actual config later today.

object-group network HQ
object-group test
route outside
access-list test_acl extended permit ip object-group network HQ object-group test
access-list nonat extended permit ip object-group network HQ object-group test

Expert Comment

>So the "ipsec" ACL does not need to be applied to an interface via the access-group command? Just want to be sure. I figured the "ipsec" ACL is only used as a reference point for defining interesting traffic.

The access-lists need to be exact mirrors, so your ASA "ipsec" access-list should look like this based on the work "test_acl":

access-list ipsec permit ip
access-list ipsec permit ip
access-list ipsec permit ip
no access-list ipsec permit ip

Author Comment

I see. So instead of having ACLs like (to cover 3 of the company's networks), I should do each one individually?

Accepted Solution

Well, the key is that they match on both ends, which currently they do not. You can use as long as both ends are changed to match. Your end had the /16 and the work end had three /24s, which won't work.
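The two expert replies above (the mirrored "ipsec" access-list and the accepted answer) come down to one rule: every crypto ACL line on one firewall needs an exact swapped counterpart on the peer, because Phase 2 compares the proposed proxy IDs for equality, so a /16 on the home side does not cover three /24s on the work side. The script below is an added example, not code from the thread or from either firewall: it parses PIX 6.3 / ASA access-list lines into local/remote pairs, reports entries that have no mirror on the other side, and emits the corrected lines. The addresses (192.168.10.0/24 for home, 10.1.1.0/24 through 10.1.3.0/24 for work) and all function names are constructed for the example; the real networks were not preserved on this page.

```python
"""Crypto-ACL mirror check for a PIX 6.3 / ASA site-to-site tunnel.
Added example, not from the original thread; all addresses are constructed."""
import ipaddress
from typing import List, NamedTuple, Tuple


class ProxyId(NamedTuple):
    """One Phase 2 proxy-ID pair, as written on the firewall that owns the ACL."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def _network(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read one address expression at tokens[i] ('host A', 'any', or 'A MASK');
    return the network and the index of the next unread token."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_crypto_acl(lines: List[str]) -> List[ProxyId]:
    """Parse 'access-list NAME [extended] permit ip SRC DST' lines into proxy IDs.
    Only 'permit ip' entries define interesting traffic; deny lines, remarks,
    blanks and 'no access-list' removals are skipped. Source = local, dest = remote."""
    entries = []
    for raw in lines:
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        i = 3 if tokens[2] == "extended" else 2  # ASA syntax adds 'extended'
        if tokens[i] != "permit" or tokens[i + 1] != "ip":
            continue
        local, i = _network(tokens, i + 2)
        remote, _ = _network(tokens, i)
        entries.append(ProxyId(local, remote))
    return entries


def mirror_mismatches(side_a: List[ProxyId], side_b: List[ProxyId]):
    """Return (unmatched_a, unmatched_b), each in its own side's orientation.
    An entry on A is matched only when B holds its exact swap (B.local == A.remote
    and B.remote == A.local). Containment does not count: the peers compare the
    proposed proxy IDs for equality, so a /16 never stands in for three /24s."""
    a = set(side_a)
    b_seen_from_a = {ProxyId(e.remote, e.local) for e in side_b}
    unmatched_a = sorted(a - b_seen_from_a)
    unmatched_b = sorted(ProxyId(e.remote, e.local) for e in b_seen_from_a - a)
    return unmatched_a, unmatched_b


def mirror_acl(name: str, side_b: List[ProxyId]) -> List[str]:
    """Emit PIX 6.3 access-list lines for side A that exactly mirror side_b."""
    return [
        f"access-list {name} permit ip "
        f"{e.remote.network_address} {e.remote.netmask} "
        f"{e.local.network_address} {e.local.netmask}"
        for e in side_b
    ]


# Constructed data (hypothetical addresses): home summarises work as one /16,
# while work lists its three /24s individually, the situation in the thread.
HOME_ACL = [
    "access-list ipsec permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0",
]
WORK_ACL = [
    "access-list test_acl extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0",
    "access-list test_acl extended permit ip 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0",
    "access-list test_acl extended permit ip 10.1.3.0 255.255.255.0 192.168.10.0 255.255.255.0",
]


def check_example():
    """Mismatches before the fix, and again after home's ACL is replaced by the mirror of work's."""
    home, work = parse_crypto_acl(HOME_ACL), parse_crypto_acl(WORK_ACL)
    before = mirror_mismatches(home, work)
    after = mirror_mismatches(parse_crypto_acl(mirror_acl("ipsec", work)), work)
    return before, after


if __name__ == "__main__":
    (only_home, only_work), after = check_example()
    for label, items in (("Home entries with no mirror at work:", only_home),
                         ("Work entries with no mirror at home:", only_work)):
        print(label, *(f"\n  {e.local} -> {e.remote}" for e in items))
    print("Corrected home ACL:", *(f"\n  {l}" for l in mirror_acl("ipsec", parse_crypto_acl(WORK_ACL))))
    print("Mismatches after correction:", len(after[0]) + len(after[1]))
```

Run as a script it lists the single home entry and the three work entries that have no mirror, prints the three corrected access-list lines, and reports zero mismatches afterwards; the same two functions can be fed the real ACLs once the work config is available. The check covers only the proxy-ID rule. A second thing worth verifying in the posted PIX config, independent of the ACLs, is that the static map is actually active: mymap 88 carries the match address ipsec and set peer statements, but the only map bound to an interface is vpn (crypto map vpn interface outside). A PIX applies a single crypto map set per interface and initiates only from entries in an applied map, so the site-to-site entry would need to live in map vpn at a sequence number below the dynamic 65535 before the home side can bring the tunnel up on its own.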

Author Comment

J, can you check this out? I am still having issues. Now I cannot ping anything. Once when I did have the tunnel established (last week), I could ping two out of 2 of the corporate networks. I need access to all 3. Thank you in advance.
