Cisco ASA site-to-site VPN issue with adding second subnet in one site

I have an existing IPsec VPN connection from an ASA 5510 to an ASA 5505. Everything is working properly between sites. I am adding a second subnet on the 5510 side that I want accessible.

Currently the networks are:

5510: (working)                192.168.1.0/24
      (addition - not working) 10.10.191.0/24

5505: 192.168.131.0/24

I need devices on the 192.168.131.0/24 network to access devices on the 10.10.191.0/24 network. Currently all devices on 192.168.131.0/24 can access all devices on 192.168.1.0/24.

5510 Config:

object-group network CNetworks
 network-object 10.10.191.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0

access-list nonat extended permit ip object-group CNetworks 192.168.131.0 255.255.255.0 

access-list outside_cryptomap_70 extended permit ip object-group CNetworks 192.168.131.0 255.255.255.0 

global (outside) 1 x.x.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside10) 1 10.10.191.0 255.255.255.0
nat (GuestWIFI) 1 172.1.16.0 255.255.255.0


5505 Config:

object-group network CNetworks
 network-object 10.10.191.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 192.168.131.0 255.255.255.0 object-group CNetworks 

access-list outside_cryptomap_30 extended permit ip 192.168.131.0 255.255.255.0 object-group CNetworks 

global (outside) 1 interface
global (dmz) 3 interface
nat (WAN2) 0 access-list WAN2_nat0_outbound
nat (dmz) 1 Widecase_Beacon 255.255.255.255
nat (dmz) 3 172.16.100.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0


When I try to connect to the 5510 (10.10.191.0/24) network from the 5505 (192.168.131.0/24), I receive the following in the 5510 log:

10.10.191.202      23      No translation group found for tcp src outside:192.168.131.10/2326 dst inside10:10.10.191.202/23


Any help is much appreciated!
mydarkpassengerAsked:
Ernie BeekExpertCommented:
Do you also have an access list on the outside? Check those as well.
mydarkpassengerAuthor Commented:
Not sure what you mean by on the outside. I do have access lists set up for other services that I am allowing through the firewall, such as SMTP and SSH.
Ernie BeekExpertCommented:
Discard that comment for now (overlooked the error).

Is the new network behind the inside interface of the 5505 or behind one of the other interfaces?

mydarkpassengerAuthor Commented:
It is behind the inside interface of the 5510.
Ernie BeekExpertCommented:
Ok, did you issue a 'clear xlate' after applying the changes?
mydarkpassengerAuthor Commented:
No, but I dropped the tunnel and reconnected, and the issue still stands. I will try that command though.
Ernie BeekExpertCommented:
After further reading, what is that inside10 interface in the 5510?
mydarkpassengerAuthor Commented:
That is the interface connected to the 10.10.191.0/24 network. The 10.10.191.0/24 is on the 5510, not the 5505.
Ernie BeekExpertCommented:
Ah, I think we're getting there. You don't have a NAT exempt on that interface.
Try adding:

object-group network CNetworks2
 network-object 10.10.191.0 255.255.255.0
access-list nonat2 extended permit ip object-group CNetworks2 192.168.131.0 255.255.255.0
nat (inside10) 0 access-list nonat2


On the 5510.
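
As an added illustration (not part of the thread, and not Cisco code), here is a small Python model of the pre-8.3 ASA per-interface NAT lookup that reproduces the symptom above: a nat 0 exemption bound to inside only covers hosts behind inside, so the 5510 finds no translation for 10.10.191.202 behind inside10 until an exemption is bound to that interface. It models only as much of the lookup as this thread needs (static NAT is not modelled), and the configuration text is built from the lines posted above with the accepted answer appended.

```python
import ipaddress

def _operand(tokens, groups):
    """Consume one ACL address operand: 'object-group NAME' or 'NET MASK'."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def parse_asa(config):
    """Parse the pre-8.3 ASA subset used in the thread: network object-groups,
    'extended permit ip' ACLs and 'nat (ifc) 0 access-list NAME' bindings."""
    groups, acls, nat0, cur = {}, {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "network"]:
            cur = groups.setdefault(t[2], [])
        elif t[:1] == ["network-object"]:
            cur.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _operand(t[5:], groups)
            dst, _ = _operand(rest, groups)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]  # dynamic 'nat (ifc) N' lines never serve inbound flows
    return acls, nat0

def inbound_exempt(config, egress_ifc, src_ip, dst_ip):
    """True if a flow from outside to dst_ip (behind egress_ifc) matches a NAT
    exemption bound to that interface; an exemption bound to another interface
    is not consulted, which is the thread's 'No translation group found'."""
    acls, nat0 = parse_asa(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(dst in n for n in local) and any(src in n for n in remote)
               for local, remote in acls.get(nat0.get(egress_ifc, ""), []))
# Relevant 5510 lines as posted in the question (constructed sample text).
BEFORE = """\
object-group network CNetworks
 network-object 10.10.191.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
access-list nonat extended permit ip object-group CNetworks 192.168.131.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside10) 1 10.10.191.0 255.255.255.0
"""
# The same lines with the exemption from the accepted answer appended.
AFTER = BEFORE + """\
object-group network CNetworks2
 network-object 10.10.191.0 255.255.255.0
access-list nonat2 extended permit ip object-group CNetworks2 192.168.131.0 255.255.255.0
nat (inside10) 0 access-list nonat2
"""
```

Calling `inbound_exempt(BEFORE, "inside10", "192.168.131.10", "10.10.191.202")` returns False (the logged failure), while the same call against `AFTER` returns True.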

mydarkpassengerAuthor Commented:
Awesome, it looks like that is what I was missing. Thanks a lot! Points awarded to you.
mydarkpassengerAuthor Commented:
Excellent help.
Ernie BeekExpertCommented:
Glad I could help :)

Thx for the points.