Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.
COURSE of the MONTH
14 days, 18 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Site to Site VPN access problem
Posted on 2011-02-16
i have configured the site to site vpn between ASA 5510 and 5505. VPN is established but i can't access the resources. i have two subnet on ASA 5510, one is 192.168.x.x and other 172.16.x.x. i can access every thing from 192.168.x.x subnet but not from 172.16.x.x subnet. i have only one subnet on ASA 5505 that is 172.17.x.x. they can access the subnet 192.168.x.x but not the 172.16.x.x subnet. previously it worked fine but now we have problem. we have not changed anything.
i verified the all configuration on both sides and it look like fine. i checked the access lists, nat, etc. i also tested with bulletin cisco packet tracer and it is showing everything fine. i have also other branch offices and everything working fine there.
please guide me, how i can troubleshoot and solve this problem?
Thanks in advance
i verified the all configuration on both sides and it look like fine. i checked the access lists, nat, etc. i also tested with bulletin cisco packet tracer and it is showing everything fine. i have also other branch offices and everything working fine there.
please guide me, how i can troubleshoot and solve this problem?
Thanks in advance
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
2
7 Comments
Active 6 days ago
ASA 5505 Access lists
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0
ASA 5510 Access lists
access-list crypto-fi extended permit ip 172.16.0.0 255.240.0.0 172.17.24.0 255.255.248.0
access-list crypto-fi extended permit ip 192.168.0.0 255.255.0.0 172.17.24.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.240.0.0
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0
ASA 5510 Access lists
access-list crypto-fi extended permit ip 172.16.0.0 255.240.0.0 172.17.24.0 255.255.248.0
access-list crypto-fi extended permit ip 192.168.0.0 255.255.0.0 172.17.24.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.240.0.0
I would log onto the 5505 and issue the following:
sh cry ips sa
This should show you something like this:
reynoldshome#sh cry ips sa
interface: FastEthernet4
Crypto map tag: VPN, local addr 96.11.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.3.0/255.255.255.0/0/
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer 65.23.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5578, #pkts encrypt: 5578, #pkts digest: 5578
#pkts decaps: 1754, #pkts decrypt: 1754, #pkts verify: 1754
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 135, #recv errors 0
make sure you the networks are listed and enc and decry packets are incrementing. You can do a source ping to generate traffic:
ping 172.16.0.1 source 172.17.24.1
That will tell you if the traffic is leaving the device.
sh cry ips sa
This should show you something like this:
reynoldshome#sh cry ips sa
interface: FastEthernet4
Crypto map tag: VPN, local addr 96.11.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.3.0/255.255.255.0/0/
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer 65.23.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5578, #pkts encrypt: 5578, #pkts digest: 5578
#pkts decaps: 1754, #pkts decrypt: 1754, #pkts verify: 1754
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 135, #recv errors 0
make sure you the networks are listed and enc and decry packets are incrementing. You can do a source ping to generate traffic:
ping 172.16.0.1 source 172.17.24.1
That will tell you if the traffic is leaving the device.
Active 6 days ago
i run the sh cry ipsec sa on ASA 5505
#pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 154, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
i run the sh cry ipsec sa on ASA 5510
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 154, #pkts decrypt: 154, #pkts verify: 154
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
it look like traffic is coming from ASA 5505 to ASA 5510. But not going from ASA 5510 to ASA 5505.
any suggestion, why traffic not leaving from ASA 5510.
Thanks in advance
#pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 154, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
i run the sh cry ipsec sa on ASA 5510
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 154, #pkts decrypt: 154, #pkts verify: 154
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
it look like traffic is coming from ASA 5505 to ASA 5510. But not going from ASA 5510 to ASA 5505.
any suggestion, why traffic not leaving from ASA 5510.
Thanks in advance
On the "sh cry ips sa" output did the networks look right?
Make sure that you have a "nonat" rule built so that traffic going over the VPN is not being NATed otherwise it will not match the selector and therefore not get sent over the tunnel.
Can you attach a copy of the config?
Make sure that you have a "nonat" rule built so that traffic going over the VPN is not being NATed otherwise it will not match the selector and therefore not get sent over the tunnel.
Can you attach a copy of the config?
Featured Post
Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market. Every year, Cisco displays cutting-edge technol…
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Both in life and business – not all partnerships are created equal.
As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month14 days, 18 hours left to enroll
771 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.