techniasupport (Sweden) asked:
Site to Site VPN access problem

I have configured a site-to-site VPN between an ASA 5510 and an ASA 5505. The VPN is established, but I can't access the resources. I have two subnets on the ASA 5510: one is 192.168.x.x and the other is 172.16.x.x. I can access everything from the 192.168.x.x subnet but not from the 172.16.x.x subnet. I have only one subnet on the ASA 5505, which is 172.17.x.x. They can access the 192.168.x.x subnet but not the 172.16.x.x subnet. Previously it worked fine, but now we have this problem. We have not changed anything.

I verified all the configuration on both sides and it looks fine. I checked the access lists, NAT, etc. I also tested with the built-in Cisco packet tracer and it shows everything is fine. I also have other branch offices and everything is working fine there.

Please guide me on how I can troubleshoot and solve this problem.
Thanks in advance
John Meggers (United States of America):
Can you post configs, or at least the access lists from both sides?
techniasupport (asker):
ASA 5505 Access lists
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0

ASA 5510 Access lists
access-list crypto-fi extended permit ip 172.16.0.0 255.240.0.0 172.17.24.0 255.255.248.0
access-list crypto-fi extended permit ip 192.168.0.0 255.255.0.0 172.17.24.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.240.0.0
ASKER CERTIFIED SOLUTION (Rick_at_ptscinti; solution body not shown on this page)
I ran sh cry ipsec sa on the ASA 5505:

      #pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 154, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

I ran sh cry ipsec sa on the ASA 5510:

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 154, #pkts decrypt: 154, #pkts verify: 154
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0


It looks like traffic is coming from the ASA 5505 to the ASA 5510, but not going from the ASA 5510 to the ASA 5505.

Any suggestion why traffic is not leaving the ASA 5510?

Thanks in advance
Rick_at_ptscinti:
On the "sh cry ips sa" output did the networks look right?

Make sure that you have a "nonat" rule built so that traffic going over the VPN is not being NATed; otherwise it will not match the selector and therefore not get sent over the tunnel.

Can you attach a copy of the config?
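As an added example (not from the thread or from Cisco), the Python script below runs the three checks this troubleshooting relies on against the ACLs posted above: the two crypto ACLs must be exact mirrors of each other, every crypto-ACL pair must be covered by a NAT-exempt entry (coverage is by containment, which is why the 5510's 172.16.0.0/12 entries cover 172.17.24.0/21), and the encaps/decaps counters from "sh cry ipsec sa" show which direction is actually flowing. The ACL lines are copied from the posts; the counter strings are a constructed excerpt of the posted output.

```python
import ipaddress
import re

# ACL lines copied from the thread; the counter excerpts are constructed from
# the 'sh cry ipsec sa' output posted above.
ASA5505 = """access-list nonat extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0"""
ASA5510 = """access-list crypto-fi extended permit ip 172.16.0.0 255.240.0.0 172.17.24.0 255.255.248.0
access-list crypto-fi extended permit ip 192.168.0.0 255.255.0.0 172.17.24.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.240.0.0"""
SA_5505 = "#pkts encaps: 154, #pkts encrypt: 154\n      #pkts decaps: 0, #pkts decrypt: 0"
SA_5510 = "#pkts encaps: 0, #pkts encrypt: 0\n      #pkts decaps: 154, #pkts decrypt: 154"

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_acl(text, name):
    """(src, dst) network pairs of one named ACL; ASA writes dotted masks, not /N."""
    return [(ipaddress.ip_network(f"{s}/{sm}", strict=False),
             ipaddress.ip_network(f"{d}/{dm}", strict=False))
            for n, s, sm, d, dm in ACL_RE.findall(text) if n == name]

def mirror_gaps(local, remote):
    """Crypto ACLs must be exact mirrors: each local (src, dst) needs a remote (dst, src)."""
    return [(s, d) for s, d in local if (d, s) not in remote]

def unexempted(crypto, nat0):
    """Crypto pairs with no covering NAT-exempt entry get NATed and then miss the selector.
    Coverage is by containment, so 172.16.0.0/12 -> 172.16.0.0/12 covers -> 172.17.24.0/21."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]

def sa_direction(text):
    """'sh cry ipsec sa' counters: encaps = sent into the tunnel, decaps = received from it."""
    enc = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    return {(True, True): "bidirectional", (True, False): "send-only",
            (False, True): "receive-only"}.get((enc > 0, dec > 0), "idle")

def diagnose():
    """All checks for the two ASAs in the thread; empty lists mean the config checks pass."""
    se, fi = parse_acl(ASA5505, "crypto-se"), parse_acl(ASA5510, "crypto-fi")
    return {"crypto_acl_mirror_gaps": mirror_gaps(se, fi) + mirror_gaps(fi, se),
            "asa5505_not_exempted": unexempted(se, parse_acl(ASA5505, "nonat")),
            "asa5510_not_exempted": unexempted(fi, parse_acl(ASA5510, "inside_nat0_outbound")),
            "asa5505": sa_direction(SA_5505), "asa5510": sa_direction(SA_5510)}
```

On the posted configuration all three ACL checks come back empty while the counters report send-only on the 5505 and receive-only on the 5510, which is exactly the one-way symptom in the thread: the selectors and NAT exemption are consistent, so the fault lies in the 5510's crypto state rather than in its ACLs.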
The firewall cached the wrong crypto information. After rebooting the firewall, the problem is solved.
Solution was not completed.