Solved

Site to Site VPN access problem

Posted on 2011-02-16
Last Modified: 2012-05-11
I have configured a site-to-site VPN between an ASA 5510 and a 5505. The VPN is established, but I can't access the resources. I have two subnets on the ASA 5510: one is 192.168.x.x and the other is 172.16.x.x. I can access everything from the 192.168.x.x subnet but not from the 172.16.x.x subnet. I have only one subnet on the ASA 5505, which is 172.17.x.x. They can access the 192.168.x.x subnet but not the 172.16.x.x subnet. Previously it worked fine, but now we have a problem. We have not changed anything.

I verified all the configuration on both sides and it looks fine. I checked the access lists, NAT, etc. I also tested with the built-in Cisco packet tracer and it shows everything fine. I also have other branch offices, and everything is working fine there.

Please guide me on how I can troubleshoot and solve this problem.
Thanks in advance
Question by:techniasupport

7 Comments

Expert Comment

by:jmeggers
ID: 34908011
Can you post configs, or at least the access lists from both sides?

Author Comment

by:techniasupport
ID: 34908865
ASA 5505 Access lists
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0

ASA 5510 Access lists
access-list crypto-fi extended permit ip 172.16.0.0 255.240.0.0 172.17.24.0 255.255.248.0
access-list crypto-fi extended permit ip 192.168.0.0 255.255.0.0 172.17.24.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.240.0.0

Accepted Solution

by:Rick_at_ptscinti (earned 125 total points)
ID: 34910811
I would log onto the 5505 and issue the following:

sh cry ips sa

This should show you something like this:
reynoldshome#sh cry ips sa                  

interface: FastEthernet4
    Crypto map tag: VPN, local addr 96.11.X.X

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   current_peer 65.23.X.X port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5578, #pkts encrypt: 5578, #pkts digest: 5578
    #pkts decaps: 1754, #pkts decrypt: 1754, #pkts verify: 1754
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 135, #recv errors 0

Make sure the networks are listed and the encrypt and decrypt packet counters are incrementing. You can do a source ping to generate traffic:
ping 172.16.0.1 source 172.17.24.1

That will tell you if the traffic is leaving the device.
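The counter comparison described above, scripted. This is an added example, not code from the thread or from Cisco: it pulls the `#pkts encaps`, `#pkts decaps` and error counters out of a `show crypto ipsec sa` dump from each peer and reports which direction of the tunnel is idle. The sample dumps are the counter lines the asker posted (trimmed to what the parser reads); the function names and the ASA/IOS colon handling are my own assumptions.

```python
import re

# Sample input: the counter lines the asker posted from each ASA, trimmed to
# what the parser needs (copied from the thread, not captured live).
ASA5505_SA = """
    #pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors: 0, #recv errors: 0
"""
ASA5510_SA = """
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 154, #pkts decrypt: 154, #pkts verify: 154
    #send errors: 0, #recv errors: 0
"""

# ASA prints "#send errors: 0"; the IOS dump in the accepted answer prints
# "#send errors 135" with no colon, so the colon is optional. Only the four
# counters the diagnosis reasons about are captured.
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s*(\d+)")


def parse_counters(sa_output):
    """Extract encaps/decaps/send_errors/recv_errors from 'show crypto ipsec sa' text.

    Counters absent from the paste default to 0 so a truncated dump still parses.
    """
    counters = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
    for name, value in COUNTER_RE.findall(sa_output):
        key = name.replace("pkts ", "").replace(" ", "_")
        counters[key] = int(value)
    return counters


def diagnose(a, b, a_name="A", b_name="B"):
    """Compare counters read on both peers at about the same time.

    Each direction is judged by the sender's encaps against the receiver's
    decaps. Returns a list of findings; empty means both directions are flowing.
    """
    findings = []
    if a["encaps"] == 0 and b["encaps"] == 0:
        return [f"neither {a_name} nor {b_name} is encrypting: no traffic matches the crypto ACL on either side"]
    for tx_name, tx, rx_name, rx in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        path = f"{tx_name} -> {rx_name}"
        if tx["encaps"] > 0 and rx["decaps"] == 0:
            # Sender encrypts, receiver never decrypts: loss in transit or SA mismatch.
            findings.append(f"{path}: encrypted but never decrypted by the peer (lost in transit or SA mismatch)")
        if tx["encaps"] == 0 and rx["encaps"] > 0:
            # The other side is sending, this side never replies into the tunnel:
            # return traffic is not being selected (crypto ACL, NAT exemption, route).
            findings.append(f"{path}: nothing enters the tunnel; check crypto ACL, NAT exemption and routing on {tx_name}")
        if tx["send_errors"] > 0:
            findings.append(f"{path}: {tx['send_errors']} send errors on {tx_name}")
    return findings


if __name__ == "__main__":
    spoke = parse_counters(ASA5505_SA)
    hub = parse_counters(ASA5510_SA)
    for line in diagnose(spoke, hub, "ASA5505", "ASA5510") or ["tunnel is passing traffic both ways"]:
        print(line)
```

The counters are cumulative since the SA came up, so read them twice a minute apart (while generating traffic with a source ping) and feed the difference to `diagnose`; a stale count that does not move tells you as much as a zero.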

Author Comment

by:techniasupport
ID: 34914534
I ran sh cry ipsec sa on the ASA 5505:

 #pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 154, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

I ran sh cry ipsec sa on the ASA 5510:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 154, #pkts decrypt: 154, #pkts verify: 154
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0


It looks like traffic is coming from the ASA 5505 to the ASA 5510, but not going from the ASA 5510 to the ASA 5505.

Any suggestion why traffic is not leaving the ASA 5510?

Thanks in advance

Expert Comment

by:Rick_at_ptscinti
ID: 34916180
On the "sh cry ips sa" output did the networks look right?

Make sure that you have a "nonat" rule built so that traffic going over the VPN is not being NATed; otherwise it will not match the selector and therefore not get sent over the tunnel.

Can you attach a copy of the config?
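The NAT-exemption point above can be checked mechanically against the access lists posted earlier in the thread. The following is an added example, not code from the thread or from Cisco: it parses the `permit ip` entries of both ASAs' access lists, tests whether a given source/destination pair is both selected by the crypto ACL and exempted by the nat0 ACL on that ASA, and checks that every crypto ACL entry has its mirror image on the other peer. The ACL text is copied from the asker's post; the function names and the sample hosts 172.16.1.10 and 172.17.24.10 are my own assumptions.

```python
import ipaddress
import re

# Access lists as posted by the asker for each ASA (copied from the thread).
ASA5510_CONFIG = """
access-list crypto-fi extended permit ip 172.16.0.0 255.240.0.0 172.17.24.0 255.255.248.0
access-list crypto-fi extended permit ip 192.168.0.0 255.255.0.0 172.17.24.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.240.0.0
"""
ASA5505_CONFIG = """
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list nonat extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 172.16.0.0 255.240.0.0
access-list crypto-se extended permit ip 172.17.24.0 255.255.248.0 192.168.0.0 255.255.0.0
"""

# Only the "permit ip <net> <mask> <net> <mask>" form used in the thread is
# handled; host/any keywords and object-groups would need extra clauses.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_acls(config):
    """Return {acl_name: [(src_network, dst_network), ...]} for permit ip entries."""
    acls = {}
    for line in config.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
        entry = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
        acls.setdefault(name, []).append(entry)
    return acls


def matching_entry(entries, src_ip, dst_ip):
    """First (src_net, dst_net) entry that covers the flow, or None (first match wins)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for snet, dnet in entries:
        if src in snet and dst in dnet:
            return (snet, dnet)
    return None


def check_flow(acls, crypto_acl, nat0_acl, src_ip, dst_ip):
    """Is the flow selected for the tunnel AND exempt from NAT on this ASA?

    Both must match: a flow that is selected but NATed leaves with a translated
    source that no longer matches the selector, which is the failure mode the
    thread discusses.
    """
    return {
        "crypto": matching_entry(acls.get(crypto_acl, []), src_ip, dst_ip),
        "nat0": matching_entry(acls.get(nat0_acl, []), src_ip, dst_ip),
    }


def unmirrored(local_entries, remote_entries):
    """Crypto ACL entries on one peer with no exact (dst, src) mirror on the other."""
    remote = set(remote_entries)
    return [e for e in local_entries if (e[1], e[0]) not in remote]


if __name__ == "__main__":
    hub = parse_acls(ASA5510_CONFIG)
    spoke = parse_acls(ASA5505_CONFIG)
    print("5510, 172.16.1.10 -> 172.17.24.10:",
          check_flow(hub, "crypto-fi", "inside_nat0_outbound", "172.16.1.10", "172.17.24.10"))
    print("5505, 172.17.24.10 -> 172.16.1.10:",
          check_flow(spoke, "crypto-se", "nonat", "172.17.24.10", "172.16.1.10"))
    print("unmirrored on 5510:", unmirrored(hub["crypto-fi"], spoke["crypto-se"]))
    print("unmirrored on 5505:", unmirrored(spoke["crypto-se"], hub["crypto-fi"]))
```

On the posted 5510 lists the checker shows something worth knowing: there is no nat0 entry that names 172.17.24.0/21, yet the exemption still matches, because 172.16.0.0 255.240.0.0 is 172.16.0.0/12 and that range already contains 172.17.24.0/21. Exemptions that work by coincidence of a supernet are easy to break when a subnet is later renumbered, so it is worth listing the remote network explicitly.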

Author Comment

by:techniasupport
ID: 34943128
The firewall cached the wrong crypto information. After rebooting the firewall, the problem is solved.

Author Closing Comment

by:techniasupport
ID: 34943151
Solution was not completed.