Monday, November 27, 2017

Cisco ASA Site-to-Site VPN possible NAT issue

I've been beating my head against a wall with this issue lately, and I'm hoping someone here might be able to point out the small detail I'm missing. Basically, I'm having trouble getting some subnets to route correctly over the tunnel. I don't believe the tunnel itself is the problem, since I can consistently get, for example, 172.30.88.0/24 to communicate with 172.30.36.0/22, but not 192.168.0.0/24 with the same 172.30.36.0/22 subnet. Before I go too in-depth, here are a couple of diagrams and troubleshooting tools I've run so far. http://ift.tt/2k75lJt

ASA A

LEX_Local object-group includes all 172.30.x.x subnets off of the core layer 3 switch. ELA_Remote object-group includes 172.30.88.0/24 and 192.168.0.0/24.

access-list NebraskaLink_cryptomap extended permit ip object-group LEX_Local object-group ELA_Remote 

Matches the ACL to the cryptomap.

crypto map NebraskaLink_map 1 match address NebraskaLink_cryptomap 

Identity NAT statement. NATs source IPs to the same source IPs and destination IPs to the same destination IPs, effectively bypassing NAT.

nat (LAN,NebraskaLink) source static LEX_Local LEX_Local destination static ELA_Remote ELA_Remote 

Command showing VPN identity NAT as the first policy of section one.

Lex-ASA5585# sh nat detail
Manual NAT Policies (Section 1)
1 (LAN) to (NebraskaLink) source static LEX_Local LEX_Local destination static ELA_Remote ELA_Remote no-proxy-arp route-lookup
    translate_hits = 919179, untranslate_hits = 923927
    Source - Origin: 172.30.60.0/22, 172.30.56.0/22, 172.30.36.0/22, 172.30.52.0/22
                     172.30.0.0/21, 172.30.16.0/22, 172.30.20.0/22, 172.30.24.0/22
                     172.30.80.0/21, 172.30.8.0/21,
             Translated: 172.30.60.0/22, 172.30.56.0/22, 172.30.36.0/22, 172.30.52.0/22
                     172.30.0.0/21, 172.30.16.0/22, 172.30.20.0/22, 172.30.24.0/22
                     172.30.80.0/21, 172.30.8.0/21
    Destination - Origin: 192.168.0.0/24, 172.30.88.0/24,
                  Translated: 192.168.0.0/24, 172.30.88.0/24

ASA B

access-list outside_1_cryptomap extended permit ip object-group ELA_Local object-group LEX_Remote

crypto map outside_map0 1 match address outside_1_cryptomap

nat (inside,outside) source static ELA_Local ELA_Local destination static LEX_Remote LEX_Remote

LexELA# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static ELA_Local ELA_Local destination static LEX_Remote LEX_Remote no-proxy-arp route-lookup
    translate_hits = 21170, untranslate_hits = 21221
    Source - Origin: 172.30.88.0/24, 192.168.0.0/24,
             Translated: 172.30.88.0/24, 192.168.0.0/24
    Destination - Origin: NET-LEX-HS/21, NET-LEX-Morton/22, NET-LEX-Pershing/22, NET-LEX-Sandoz/22
                          NET-LEX-CO/22, NET-LEX-District/22, NET-LEX-Bryan/22, NET-LEX-AltEd/22
                          NET-LEX-MS/21, NET-LEX-Voice/21,
                  Translated: NET-LEX-HS/21, NET-LEX-Morton/22, NET-LEX-Pershing/22, NET-LEX-Sandoz/22
                          NET-LEX-CO/22, NET-LEX-District/22, NET-LEX-Bryan/22, NET-LEX-AltEd/22
                          NET-LEX-MS/21, NET-LEX-Voice/21

The only other thing I could think of that would be blocking this traffic is an overlapping subnet with a management interface somewhere, but I triple-checked all the routers on the network to no avail. I appreciate any help that any of you are able to offer!
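The post's troubleshooting relies on reading the Source/Destination Origin lists out of `show nat detail` by eye and deciding whether a given pair of hosts falls inside the identity NAT. The following script is an added example (not from the original post or from Cisco) that does that check mechanically: it parses the Origin lists from a transcript of the ASA A output quoted above (line breaks added, numbers unchanged), tests whether a flow is covered in the LAN-to-VPN direction or only as return traffic, and flags any source subnet that overlaps a destination subnet, which is the "overlapping subnet" condition the author mentions. The parser only understands numeric CIDRs, so ASA B's named objects (NET-LEX-HS/21 and so on) would first have to be resolved with `show running-config object network`; that resolution is assumed, not shown.

```python
"""Check whether an ASA manual (twice) identity NAT policy covers a flow.

Parses the 'Source - Origin' / 'Destination - Origin' lists of a
'show nat detail' policy and tests candidate src/dst pairs against them.
"""
import ipaddress
import re

# Transcribed from the ASA A 'sh nat detail' listing in the post (line breaks
# added); this is sample input for the example, not live device output.
SHOW_NAT_DETAIL = """\
Manual NAT Policies (Section 1)
1 (LAN) to (NebraskaLink) source static LEX_Local LEX_Local destination static ELA_Remote ELA_Remote no-proxy-arp route-lookup
    translate_hits = 919179, untranslate_hits = 923927
    Source - Origin: 172.30.60.0/22, 172.30.56.0/22, 172.30.36.0/22, 172.30.52.0/22
                     172.30.0.0/21, 172.30.16.0/22, 172.30.20.0/22, 172.30.24.0/22
                     172.30.80.0/21, 172.30.8.0/21,
             Translated: 172.30.60.0/22, 172.30.56.0/22, 172.30.36.0/22, 172.30.52.0/22
                     172.30.0.0/21, 172.30.16.0/22, 172.30.20.0/22, 172.30.24.0/22
                     172.30.80.0/21, 172.30.8.0/21
    Destination - Origin: 192.168.0.0/24, 172.30.88.0/24,
                  Translated: 192.168.0.0/24, 172.30.88.0/24
"""

CIDR_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}")


def _origin_list(text, label):
    """Return the ip_network objects listed between '<label> - Origin:' and
    the next 'Translated:' marker. Named objects (no numeric CIDR) are skipped,
    so resolve them to numbers before calling this."""
    m = re.search(re.escape(label) + r" - Origin:(.*?)Translated:", text, re.S)
    if not m:
        raise ValueError(f"no '{label} - Origin' block found")
    return [ipaddress.ip_network(c) for c in CIDR_RE.findall(m.group(1))]


def parse_policy(text):
    """Return (source_nets, destination_nets) for the first policy in text."""
    return _origin_list(text, "Source"), _origin_list(text, "Destination")


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def audit_flow(text, src, dst):
    """Classify a flow against the policy.

    forward: src matches the Source list and dst the Destination list, i.e.
             the packet is translated (identity) on its way to the tunnel.
    reverse: the packet is return traffic (src in Destination, dst in Source)
             and matches via the policy's untranslate side.
    """
    src_nets, dst_nets = parse_policy(text)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {
        "forward": _in_any(s, src_nets) and _in_any(d, dst_nets),
        "reverse": _in_any(s, dst_nets) and _in_any(d, src_nets),
    }


def overlapping_pairs(text):
    """Source/Destination subnet pairs that overlap. A non-empty result means
    the identity NAT is ambiguous for addresses in the overlap and is worth
    investigating before looking elsewhere."""
    src_nets, dst_nets = parse_policy(text)
    return [(str(s), str(d)) for s in src_nets for d in dst_nets if s.overlaps(d)]


if __name__ == "__main__":
    for pair in [("172.30.36.5", "172.30.88.10"), ("172.30.36.5", "192.168.0.10"),
                 ("192.168.0.10", "172.30.36.5"), ("172.30.36.5", "10.0.0.1")]:
        print(pair, audit_flow(SHOW_NAT_DETAIL, *pair))
    print("overlaps:", overlapping_pairs(SHOW_NAT_DETAIL))
```

Run against the transcript, both working (172.30.88.0/24) and failing (192.168.0.0/24) pairs are covered and no overlap is found, which confirms the author's reading that the ASA A identity NAT is not what separates the two cases; the same check can then be pointed at the resolved ASA B lists and at the crypto ACL object groups.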


