• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 329

Site-to-site | possible routing issue?

I have a site-to-site tunnel between my house and work.
My house is  Work is, and

Interesting traffic in my PIX is defined as:

I am terminating at an ASA5505 (

1. I cannot initiate the tunnel. Work has to do it.

2. Even with the tunnel established, I cannot access  I can only access the network (where I terminate).

Any ideas?
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password uCC7HvYx68qN0nG5 encrypted
passwd xIsrlcAkUmuvQSHs encrypted
hostname fwall
domain-name chpk.cpk.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list ipsec permit ip
access-list nonat permit ip
access-list nonat permit ip
access-list outside-to-inside permit icmp any any
access-list outside-to-inside permit tcp any interface outside eq 9090
access-list outside-to-inside permit tcp any interface outside eq www
access-list split_tunnel_acl permit ip
access-list dmz permit icmp any any echo-reply
pager lines 24
logging on
logging buffered informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool mask
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
nat (inside) 1 0 0
nat (dmz) 1 0 0
static (inside,outside) tcp interface www www netmask 0 0
static (inside,outside) tcp interface 9090 9090 netmask 0 0
static (inside,dmz) netmask 0 0
access-group outside-to-inside in interface outside
access-group dmz in interface dmz
route outside 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto dynamic-map vpn 65535 set transform-set aesmap
crypto dynamic-map vpn 65535 set security-association lifetime seconds 84600 kilobytes 4608000
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer
crypto map mymap 88 set transform-set aesmap
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn client configuration address initiate
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth
isakmp nat-traversal 20
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup family address-pool vpn-pool
vpngroup family split-tunnel split_tunnel_acl
vpngroup family idle-time 14400
vpngroup family password ********
vpngroup password idle-time 1800
telnet timeout 5
ssh outside
ssh inside
ssh timeout 60
management-access inside
console timeout 0
username ryan password wo854658/NDCLO encrypted privilege 15
terminal width 80
: end

1 Solution
dissolvedAuthor Commented:
My boss suggested that I apply my "ipsec" ACL INBOUND on my inside interface. I did this and I still could not initiate the tunnel. I also could not get out to the internet when I had the "ipsec" ACL applied to my inside interface (in the INBOUND direction).

What's going on with this?

Your config looks fine.

Any chance we can see the Work side config?
dissolvedAuthor Commented:
Cool. So the "ipsec" ACL does not need to be applied to an interface via the access-group command? Just want to be sure. I figured the "ipsec" ACL is only used as a reference point for defining interesting traffic.

I don't have access to the work side right now, as we have a memory leak in that ASA and it's at a remote site. But it looks like below (all from my memory).

I can ping the network fine. It's the and I cannot communicate with. I also cannot initiate the tunnel; it has to be on their end.

I should note: The network can ping me and get a response. Just not the other way around. I will try to get the actual config later today.

! ASA syntax: a network object-group is declared as "object-group network NAME";
! its network-object members were not included in the post
object-group network HQ
object-group network test
route outside
! inside an access-list the keyword is "object-group NAME" (no "network" keyword)
access-list test_acl extended permit ip object-group HQ object-group test
access-list nonat extended permit ip object-group HQ object-group test


>So the "ipsec" ACL does not need to be applied to an interface via the access-group command? Just want to be sure. I figured the "ipsec" ACL is only used as a reference point for defining interesting traffic

The access-lists need to be exact mirrors so your ASA "ipsec" access-list should look like this based on the work "test_acl".

access-list ipsec permit ip
access-list ipsec permit ip
access-list ipsec permit ip
no access-list ipsec permit ip
dissolvedAuthor Commented:
I see. So instead of having ACLs like (to cover 3 of the company's networks), I should do each one individually?

Well, the key is that they match on both ends which currently they do not.  You can use as long as both ends are changed to match.  Your end had the /16 and the work end had 3 /24's which won't work.
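The mirror requirement above is easy to get wrong by hand, so here is a small checker for it. This is an added example, not code from the thread or from either poster: it parses host/mask crypto-ACL lines from both peers, reports every entry that has no exact mirror (source and destination swapped) on the other side, and generates the mirrored PIX 6.3 lines from the work-side list. The addresses are constructed stand-ins for the ones removed from the page (a /16 on the house side versus three /24s on the work side, as described above), and the work-side object-groups from the thread are shown expanded into plain host/mask lines because the parser does not expand object-groups.

```python
"""Check that two IKEv1/IPsec crypto ACLs ("interesting traffic") are exact
mirrors of each other, and build the mirrored local ACL from the remote one.

Added example, not from the thread.  All addresses below are constructed
placeholders standing in for the ones the poster removed from the page.
"""
import ipaddress
import re
from typing import List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source network, destination network)

# Matches "access-list NAME [extended] permit ip SRC SRCMASK DST DSTMASK"
# (PIX 6.3 and ASA host/mask form).  Object-group and "no ..." lines are skipped.
_ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_crypto_acl(lines: List[str]) -> List[Entry]:
    """Turn host/mask permit-ip lines into (src, dst) IPv4Network pairs."""
    entries = []
    for raw in lines:
        m = _ACL_RE.match(raw.strip())
        if not m:
            continue  # not a host/mask permit-ip entry
        src = Net(f"{m['src']}/{m['smask']}", strict=False)
        dst = Net(f"{m['dst']}/{m['dmask']}", strict=False)
        entries.append((src, dst))
    return entries


def mirror_mismatches(local: List[Entry], remote: List[Entry]) -> List[str]:
    """One message per entry that has no exact mirror on the other peer.

    The mirror of local (src, dst) is remote (dst, src).  Phase 2 proxy IDs
    are compared exactly, so a /16 on one side and three /24s on the other
    do not match even though the address ranges overlap.
    """
    remote_mirrors = {(d, s) for (s, d) in remote}
    local_set = set(local)
    problems = []
    for s, d in local:
        if (s, d) not in remote_mirrors:
            problems.append(f"local {s} -> {d} has no mirror on the remote peer")
    for s, d in remote:
        if (d, s) not in local_set:
            problems.append(f"remote {s} -> {d} has no mirror on the local peer")
    return problems


def mirror_lines(name: str, remote: List[Entry]) -> List[str]:
    """Emit the local crypto ACL (PIX 6.3 syntax) that exactly mirrors `remote`."""
    return [
        f"access-list {name} permit ip {d.network_address} {d.netmask} "
        f"{s.network_address} {s.netmask}"
        for s, d in remote
    ]


# Constructed sample: house side (PIX) with a single summary /16, as the poster had.
HOME_ACL_BEFORE = [
    "access-list ipsec permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0",
]
# Constructed sample: work side (ASA) as three /24s, expanded from object-groups.
WORK_ACL = [
    "access-list test_acl extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list test_acl extended permit ip 10.0.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list test_acl extended permit ip 10.0.3.0 255.255.255.0 192.168.1.0 255.255.255.0",
]


def check_thread_case() -> Tuple[List[str], List[str]]:
    """Run the check before and after mirroring; returns (before, after) problem lists."""
    work = parse_crypto_acl(WORK_ACL)
    before = mirror_mismatches(parse_crypto_acl(HOME_ACL_BEFORE), work)
    home_after = parse_crypto_acl(mirror_lines("ipsec", work))
    after = mirror_mismatches(home_after, work)
    return before, after


if __name__ == "__main__":
    before, after = check_thread_case()
    print("before mirroring:")
    for p in before:
        print("  ", p)
    print("after mirroring:", after or "no mismatches")
    print("\n".join(mirror_lines("ipsec", parse_crypto_acl(WORK_ACL))))
```

Run against the constructed input, the /16 entry and all three work-side /24s are reported as unmirrored; after replacing the house-side ACL with the three generated lines the check comes back clean. The same check applies to any pair of peers whose crypto ACLs are written in host/mask form; object-group based ACLs have to be expanded to that form first.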
dissolvedAuthor Commented:
J, can you check this out? I am still having issues. Now I cannot ping anything. Once when I did have the tunnel established (last week), I could ping two out of 2 of the corporate networks. I need access to all 3. Thank you in advance.

Question has a verified solution.
