
This is my setup:

Current Setup

I already have a working L2L VPN between the sites

I added 10.10.0.0/24 to the object-group that defines the internal network on the 1615 ASA, and as a remote subnet on the 1604 ASA.

I'm not seeing 10.10.0.1 from the 1604 side. Also, I added `sysopt connection permit-vpn` on both sides.

Any ideas?

  • What's the tunnel policy access list look like? Does the new subnet show up in `show crypto ipsec sa`'s remote and local networks? – Shane Madden Dec 23 '15 at 17:39
  • Hey, thanks for the reply. The subnet is not showing up under the IPsec SA. Here are the config files for both sides: 1615 - https://dl.dropboxusercontent.com/s/5cpmzeafnp0bgny/1615.txt | 1614 - https://dl.dropboxusercontent.com/s/bc8cexsq3hlx9la/1604.txt – Malinda Dec 23 '15 at 17:58
  • So the 1604 location has a DHCP address, that's why it's dynamic on the 1615 side? The `outside_1_cryptomap_1604` ACL looks unused. Can you run `packet-tracer input inside tcp 192.168.5.1 1024 10.10.0.1 5061 detailed` on the 1604 side and provide the output? – Shane Madden Dec 23 '15 at 18:51
  • I initiated a ping to 10.10.0.1 and ran the packet trace, and it passes through | results - https://dl.dropboxusercontent.com/s/hd99w9gvehlaa5h/packetTrace_1604.txt | IPsec SA - https://dl.dropboxusercontent.com/s/ybwhcmgufvclyug/1604_ipsecSA.txt?dl=0 – Malinda Dec 23 '15 at 20:30
  • Packet trace from the 1615 side - https://dl.dropboxusercontent.com/s/r2wnid5orlyrs6p/packetTrace_1615.txt – Malinda Dec 23 '15 at 20:31
  • Those look good - what's the ipsec sa list look like on the 1615 side? (the packet trace on the 1615 side showing deny is no concern, as there's no way of telling packet-tracer "evaluate as if this would be coming through this VPN tunnel"; it'll always deny that traffic coming from the internet) – Shane Madden Dec 23 '15 at 23:11
  • 1615 IPsec SA - https://dl.dropboxusercontent.com/s/mx8xtb9k80dqf71/1615_IpsecSA.txt | BTW, thanks a lot for checking on this – Malinda Dec 24 '15 at 00:51
  • Hmm, so the ipsec sa won't build on the 1615 side - try just clearing the tunnels to 1604 altogether and letting them rebuild? Then check if the ipsec sa output on 1615 has changed at all right after a ping attempt from 1604. Might be something odd going on with the dynamic map... – Shane Madden Dec 24 '15 at 00:57
  • Progress... I cleared the SA and let the ASA rebuild the SA. Now 10.10.0.0/24 shows up as a local ident | 1615_ipsecSA_output - https://dl.dropboxusercontent.com/s/dfy8baminvr1eve/1615_IpsecSA_2.txt | Unfortunately, I still can't get to 10.10.0.1 from the 1604 side – Malinda Dec 24 '15 at 15:32
  • I have the voice VLAN set up as an interface on the 1615 ASA. Do I need a no-NAT statement for that voice interface? – Malinda Dec 24 '15 at 15:56

1 Answer

You got it, the missing NAT rule is exactly the problem - I saw that the `NO-NAT` ACL had 10.10.0.0/24 to 192.168.5.0/24 allowed, but I missed that you only had a `nat 0` setup for the inside interface, where the voice traffic isn't going.

Add a `nat (voiceVlan) 0 access-list NO-NAT` configuration to allow the traffic through.

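As an added illustration (not taken from the question's config files), here is the pre-8.3 ASA NAT-exemption fragment the answer describes for the 1615 side: with the exemption bound only to `inside`, packets leaving the voice VLAN interface toward the tunnel still hit the interface's dynamic NAT and so never match the SA's 10.10.0.0/24 identity; binding the same exemption to the voice interface fixes that. The interface name `voiceVlan`, the `global`/`nat 1` PAT lines and the 10.10.0.50 test host are assumptions.

```text
! 1615 ASA, pre-8.3 NAT syntax (interface names and PAT lines are assumed)
!
! Traffic to the 1604 site that must cross the tunnel untranslated (already present)
access-list NO-NAT extended permit ip 10.10.0.0 255.255.255.0 192.168.5.0 255.255.255.0
!
! Before: exemption bound only to inside. Voice-VLAN traffic falls through to
! the dynamic PAT below, so the translated source never matches the crypto ACL.
nat (inside) 0 access-list NO-NAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (voiceVlan) 1 0.0.0.0 0.0.0.0
!
! After: the same exemption on the voice VLAN interface (the line the answer gives)
nat (voiceVlan) 0 access-list NO-NAT
!
! Verify on 1615: exemption listed for both interfaces, trace shows no NAT phase
! before the VPN phase, and the SA counters for 10.10.0.0/24 increment.
show running-config nat
packet-tracer input voiceVlan tcp 10.10.0.50 5061 192.168.5.1 1024 detailed
show crypto ipsec sa
```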