• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 417
  • Last Modified:

Cisco ASA site-to-site VPN issue with adding second subnet in one site

I have an existing IPsec VPN connection from an ASA 5510 to an ASA 5505. Everything is working properly between sites. I am adding a second subnet that I want accessible on the 5510 side.

Currently the networks are:

5510: 192.168.1.0/24 (working)
      10.10.191.0/24 (addition - not working)

5505: 192.168.131.0/24

I need devices on the 192.168.131.0/24 network to access devices on the 10.10.191.0/24 network. Currently all devices on 192.168.131.0/24 can access all devices on 192.168.1.0/24.

5510 Config:

object-group network CNetworks
 network-object 10.10.191.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0

access-list nonat extended permit ip object-group CNetworks 192.168.131.0 255.255.255.0 

access-list outside_cryptomap_70 extended permit ip object-group CNetworks 192.168.131.0 255.255.255.0 

global (outside) 1 x.x.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside10) 1 10.10.191.0 255.255.255.0
nat (GuestWIFI) 1 172.1.16.0 255.255.255.0

5505 Config:

object-group network CNetworks
 network-object 10.10.191.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 192.168.131.0 255.255.255.0 object-group CNetworks 

access-list outside_cryptomap_30 extended permit ip 192.168.131.0 255.255.255.0 object-group CNetworks 

global (outside) 1 interface
global (dmz) 3 interface
nat (WAN2) 0 access-list WAN2_nat0_outbound
nat (dmz) 1 Widecase_Beacon 255.255.255.255
nat (dmz) 3 172.16.100.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

When I try to connect to the 5510 (10.10.191.0/24) network from the 5505 (192.168.131.0/24), I receive the following in the 5510 log:

10.10.191.202      23      No translation group found for tcp src outside:192.168.131.10/2326 dst inside10:10.10.191.202/23

Any help is much appreciated!
Asked by: mydarkpassenger

2 Solutions
 
Ernie BeekCommented:
Do you also have access lists on the outside? Check those as well.
0
 
mydarkpassengerAuthor Commented:
Not sure what you mean by on the outside. I do have access lists set up for other services that I am allowing through the firewall, such as SMTP and SSH.
0
 
Ernie BeekCommented:
Discard that comment for now (overlooked the error).

Is the new network behind the inside interface of the 5505 or behind one of the other interfaces?
0
 
mydarkpassengerAuthor Commented:
It is behind the inside interface of the 5510.
0
 
Ernie BeekCommented:
OK, did you issue a 'clear xlate' after applying the changes?
0
 
mydarkpassengerAuthor Commented:
No, but I dropped the tunnel and reconnected. The issue still stands, though. I will try that command.
0
 
Ernie BeekCommented:
After further reading, what is that inside10 interface in the 5510?
0
 
mydarkpassengerAuthor Commented:
That is the interface connected to the 10.10.191.0/24 network. The 10.10.191.0/24 network is on the 5510, not the 5505.
0
 
Ernie BeekCommented:
Ah, I think we're getting there. You don't have a NAT exempt on that interface.
Try adding:

object-group network CNetworks2
 network-object 10.10.191.0 255.255.255.0
access-list nonat2 extended permit ip object-group CNetworks2 192.168.131.0 255.255.255.0
nat (inside10) 0 access-list nonat2

on the 5510.
0
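The root cause in this thread is that a 'nat (iface) 0 access-list' exemption only applies to traffic entering that one interface, so the existing "nonat" exemption on "inside" never covered 10.10.191.0/24 arriving on "inside10", and the firewall logged "No translation group found". The following script is an added example (not code from the thread, not a Cisco tool) that reads a pre-8.3 ASA config and reports every crypto-ACL subnet whose hosting interface has no matching nat 0 entry. It assumes the crypto map's match-address ACL name is supplied by the caller (the thread never shows the 'crypto map ... match address' line) and that a local subnet is tied to an interface by the 'nat (IFACE) <id> A.B.C.D MASK' line covering it; the sample configs are constructed from the 5510 config posted above, before and after the accepted fix.

```python
"""Flag crypto-ACL subnets lacking a NAT exemption on their hosting interface
(pre-8.3 ASA syntax).  Added example; not from the thread or from Cisco."""
import ipaddress
import re
from collections import defaultdict

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(config):
    """Return (object_groups, acls, nat_exempt, hosted) parsed from config text."""
    groups = defaultdict(list)   # name -> [network]
    acls = defaultdict(list)     # name -> [(src_nets, dst_nets)]
    nat_exempt = {}              # iface -> ACL name bound by 'nat (iface) 0'
    hosted = defaultdict(list)   # iface -> [network] from 'nat (iface) <id> A M'
    current_group = None

    def operand(tokens):
        # Consume one address operand; return (networks, remaining tokens).
        if tokens[0] == "object-group":
            return list(groups[tokens[1]]), tokens[2:]
        if tokens[0] == "host":
            return [_net(tokens[1], "255.255.255.255")], tokens[2:]
        if tokens[0] == "any":
            return [ANY], tokens[1:]
        return [_net(tokens[0], tokens[1])], tokens[2:]

    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object-group network "):
            current_group = line.split()[2]
            continue
        if line.startswith("network-object ") and current_group:
            _, addr, mask = line.split()   # assumption: address/mask form only
            groups[current_group].append(_net(addr, mask))
            continue
        current_group = None  # any other top-level line ends the group block
        m = re.match(r"access-list (\S+) extended permit ip (.+)", line)
        if m:
            src, rest = operand(m.group(2).split())
            dst, _ = operand(rest)
            acls[m.group(1)].append((src, dst))
            continue
        m = re.match(r"nat \((\S+)\) (\d+) (.+)", line)
        if not m:
            continue
        iface, nat_id, rest = m.group(1), int(m.group(2)), m.group(3).split()
        if nat_id == 0 and rest[0] == "access-list":
            nat_exempt[iface] = rest[1]          # exemption is per interface
        elif nat_id != 0 and len(rest) == 2:
            try:
                hosted[iface].append(_net(rest[0], rest[1]))
            except ValueError:
                pass  # a named object rather than an address; not resolved here
    return groups, acls, nat_exempt, hosted


def _covered(local, remote, entries):
    """True if some ACL entry permits local -> remote (both sides subnet-covered)."""
    return any(any(local.subnet_of(s) for s in src) and any(remote.subnet_of(d) for d in dst)
               for src, dst in entries)


def find_missing_exemptions(config, crypto_acl):
    """[(iface, local, remote)] for crypto-ACL flows not matched by that iface's nat 0 ACL."""
    _, acls, nat_exempt, hosted = parse_asa(config)
    missing = []
    for src, dst in acls[crypto_acl]:
        for local in src:
            iface = next((i for i, nets in hosted.items()
                          if any(local.subnet_of(n) for n in nets)), None)
            if iface is None:
                continue  # subnet not tied to an interface; nothing to check
            exempt = acls.get(nat_exempt.get(iface, ""), [])
            for remote in dst:
                if not _covered(local, remote, exempt):
                    missing.append((iface, str(local), str(remote)))
    return missing


# Constructed from the 5510 config posted in the question.
ASA5510_BEFORE = """\
object-group network CNetworks
 network-object 10.10.191.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
access-list nonat extended permit ip object-group CNetworks 192.168.131.0 255.255.255.0
access-list outside_cryptomap_70 extended permit ip object-group CNetworks 192.168.131.0 255.255.255.0
global (outside) 1 x.x.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside10) 1 10.10.191.0 255.255.255.0
nat (GuestWIFI) 1 172.1.16.0 255.255.255.0
"""

# The same config with the accepted answer's second exemption bound to inside10.
ASA5510_AFTER = ASA5510_BEFORE + """\
object-group network CNetworks2
 network-object 10.10.191.0 255.255.255.0
access-list nonat2 extended permit ip object-group CNetworks2 192.168.131.0 255.255.255.0
nat (inside10) 0 access-list nonat2
"""

if __name__ == "__main__":
    for label, cfg in (("before", ASA5510_BEFORE), ("after", ASA5510_AFTER)):
        print(label, find_missing_exemptions(cfg, "outside_cryptomap_70"))
```

Run against the "before" config it reports the single gap (inside10, 10.10.191.0/24 to 192.168.131.0/24), which is exactly the flow in the "No translation group found" log line; after the second exemption is bound to inside10 the list is empty. The check is deliberately per-interface because that is the property the ASA enforces: an exemption ACL is only consulted for the interface it is bound to, however broad its entries are.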
 
mydarkpassengerAuthor Commented:
Awesome, it looks like that is what I was missing. Thanks a lot! Points awarded to you.
0
 
mydarkpassengerAuthor Commented:
excellent help
0
 
Ernie BeekCommented:
Glad I could help :)

Thx for the points.
0
