I have two locations that have a site-to-site IPsec VPN configuration set up. The LAN on one side is 192.168.30.x. The LAN on the other side is 192.168.16.x with a subnet attached via a Cisco 3560 switch that is 192.168.2.x. All locations on both the 192.168.30.x and 192.168.16.x LANs can ping, RDP, etc., with no issues. The problem is that the 192.168.2.x and the 192.168.30.x subnets cannot see each other (cannot ping, RDP, etc.). I am using an ASA-5510 on the 192.168.16.x side and a TZ-215 on the 192.168.30.x side.
Below is the ASA-5510 configuration on the 192.168.16.x side which has the subnet 192.168.2.x attached via the Cisco 3560 switch.
ASA Version 8.2(5)48
!
hostname ***-**-*****
domain-name **********.com
enable password **************** encrypted
passwd **************** encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.16.42 255.255.255.252
!
interface Ethernet0/1
description Credit Solutions connection
nameif outside
security-level 0
ip address 97.64.134.142 255.255.255.252
!
interface Ethernet0/2
description Internet Connection (and VOIP)
nameif internet
security-level 0
ip address 63.229.183.186 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa825-48-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name **********.com
same-security-traffic permit intra-interface
object-group network telesoft_in_nonvoip
network-object 69.176.73.0 255.255.255.224
network-object 69.176.73.32 255.255.255.224
object-group network telesoft_in_voip
network-object 172.25.0.0 255.255.0.0
object-group service telesoft_in_voip_tcpudp tcp-udp
port-object eq sip
port-object eq www
object-group service telesoft_in_nonvoip_udp udp
port-object eq tftp
object-group service telesoft_in_nonvoip_tcp tcp
port-object eq ftp
object-group service telesoft_in_voip_udp udp
port-object range 16384 32776
object-group network inside_voip
network-object 10.255.18.208 255.255.255.240
object-group network test-access
network-object host 184.98.74.30
network-object host 4.2.2.2
object-group network RFC1918
network-object 192.168.0.0 255.255.0.0
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
object-group network VoIP
description Telesphere Ranges
network-object 63.229.183.184 255.255.255.248
network-object 69.176.73.0 255.255.255.192
access-list internet-side extended permit ip 162.42.243.208 255.255.255.240 63.229.183.184 255.255.255.248
access-list internet-side extended deny ip any host 10.255.18.209
access-list internet-side extended permit tcp object-group telesoft_in_nonvoip 10.255.18.208 255.255.255.240 object-group telesoft_in_nonvoip_tcp
access-list internet-side extended permit udp object-group telesoft_in_nonvoip 10.255.18.208 255.255.255.240 object-group telesoft_in_nonvoip_udp
access-list internet-side extended permit tcp object-group telesoft_in_voip object-group inside_voip object-group telesoft_in_voip_tcpudp
access-list internet-side extended permit udp object-group telesoft_in_voip object-group inside_voip object-group telesoft_in_voip_tcpudp
access-list internet-side extended permit udp object-group telesoft_in_voip object-group inside_voip object-group telesoft_in_voip_udp
access-list internet-side extended permit icmp any any echo-reply
access-list internet-side extended permit icmp any any time-exceeded
access-list nonat extended permit ip object-group RFC1918 object-group RFC1918
access-list nonat extended permit ip object-group RFC1918 object-group VoIP
access-list nonat extended permit ip 192.168.16.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
access-list outside extended permit icmp any any
access-list vpn_tunnel_phxnap extended permit ip 192.168.16.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list vpn_tunnel_phxnap extended permit ip 192.168.2.0 255.255.255.0 192.168.30.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 16384
logging monitor debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
mtu management 1500
ip local pool NogalesTest 192.168.16.28-192.168.16.29 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (management) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.2.0 192.168.6.0 netmask 255.255.255.0
access-group inside in interface inside
access-group outside in interface outside
access-group internet-side in interface internet
route outside 0.0.0.0 0.0.0.0 97.64.134.141 1
route outside 4.2.2.2 255.255.255.255 97.64.134.141 1
route outside 10.10.0.0 255.255.0.0 192.168.7.2 1
route inside 10.255.18.208 255.255.255.240 192.168.16.41 1
route internet 65.243.39.0 255.255.255.0 63.229.183.185 1
route internet 69.176.73.0 255.255.255.224 63.229.183.185 1
route internet 69.176.73.32 255.255.255.224 63.229.183.185 1
route internet 162.42.243.208 255.255.255.240 63.229.183.185 1
route internet 172.25.0.0 255.255.0.0 63.229.183.185 1
route outside 184.98.74.30 255.255.255.255 173.16.104.1 1
route outside 184.164.128.134 255.255.255.255 97.64.134.141 1
route inside 192.168.0.0 255.255.0.0 192.168.16.41 1
route inside 192.168.2.0 255.255.255.0 192.168.16.41 1
route inside 192.168.4.0 255.255.255.0 192.168.16.41 1
route inside 192.168.17.0 255.255.255.0 192.168.16.41 1
route outside 192.168.30.0 255.255.255.0 184.164.128.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.16.0 255.255.255.192 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.0.73 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside-map 2 match address vpn_tunnel_phxnap
crypto map outside-map 2 set peer 184.164.128.134
crypto map outside-map 2 set transform-set ESP-3DES-SHA
crypto map outside-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.16.0 255.255.255.192 inside
ssh 184.98.74.30 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.14 192.168.0.7
default-domain value *********.com
username asaadmin password **************** encrypted
username admin password **************** encrypted
username jmartin password **************** encrypted privilege 0
tunnel-group 184.164.128.134 type ipsec-l2l
tunnel-group 184.164.128.134 ipsec-attributes
pre-shared-key ****************
isakmp keepalive threshold 10 retry 3
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect rsh
inspect sunrpc
inspect xdmcp
inspect tftp
inspect dns
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:***********************
: end
Best Answer
Check your
static (inside,outside) 192.168.2.0 192.168.6.0 netmask 255.255.255.0
line. I haven't used pre-8.4 NAT statements, but this may be applying to the traffic as your VPN traffic's interface will be the outside interface. If this NAT is being applied, then your ACLs may need to be changed to match the corrected addressing.
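As an added example (not part of the question or the answer above), the following Python script pulls the crypto-map ACL, the nat 0 exemption list and the static translations out of the lines copied from the posted config and reports, for each tunnel-protected network pair, whether it is NAT-exempt and whether a static on the crypto-map interface overlaps its source network; this is the check the answer suggests doing by hand. The function names are mine; only plain network/mask ACL entries are evaluated, object-group entries are skipped.

```python
import ipaddress
import re

# Relevant lines copied from the ASA 8.2 configuration posted in the question.
ASA_CONFIG = """
access-list nonat extended permit ip object-group RFC1918 object-group RFC1918
access-list nonat extended permit ip 192.168.16.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list vpn_tunnel_phxnap extended permit ip 192.168.16.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list vpn_tunnel_phxnap extended permit ip 192.168.2.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list nonat
static (inside,outside) 192.168.2.0 192.168.6.0 netmask 255.255.255.0
crypto map outside-map 2 match address vpn_tunnel_phxnap
crypto map outside-map interface outside
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Only plain network/mask ACL entries are parsed; object-group entries do not match.
ACL_RE = re.compile(rf"access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}$")
# ASA 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(rf"static \((\S+),(\S+)\) {IP} {IP} netmask {IP}$")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse(config):
    acls, statics, crypto_acl, crypto_ifc, exempt_acl = {}, [], None, None, None
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := STATIC_RE.match(line):
            statics.append((m[2], net(m[3], m[5]), net(m[4], m[5])))  # (mapped_ifc, mapped, real)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            exempt_acl = m[1]
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            crypto_acl = m[1]
        elif m := re.match(r"crypto map \S+ interface (\S+)$", line):
            crypto_ifc = m[1]
    return acls, statics, crypto_acl, crypto_ifc, exempt_acl

def audit(config):
    """One finding per crypto-ACL entry: is the pair covered by the nat 0 list,
    and does a static on the crypto-map interface map addresses that overlap its source?"""
    acls, statics, crypto_acl, crypto_ifc, exempt_acl = parse(config)
    findings = []
    for src, dst in acls.get(crypto_acl, []):
        exempt = any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acls.get(exempt_acl, []))
        overlap = [str(mapped) for ifc, mapped, _real in statics
                   if ifc == crypto_ifc and mapped.overlaps(src)]
        findings.append({"src": str(src), "dst": str(dst),
                         "nat_exempt": exempt, "static_mapped_overlap": overlap})
    return findings
```

Run `audit(ASA_CONFIG)` to list both tunnel pairs; the 192.168.2.0/24 entry is the one that also collides with the mapped side of the static on the outside interface.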