Cisco ASA private networks not talking over VPN (routing issue)

Started by derjuden, May 08, 2020, 05:31:07 PM


derjuden

Hello, I have an older ASA5520 in CA that has a L2L VPN to a Juniper SRX in NC.  I am trying to get my network on vlan 10 labeled dmz1 in the 10.0.4.0/24 network to talk to a network in NC 10.34.0.0/16, but I can't seem to get them to talk.  I have a network in CA that can reach 10.34.0.0/16 in NC without a problem already.  I have allowed the networks to talk in my ACL in the ASA and the Security settings in the SRX.  Also there is another network 172.18.5.0/24 in NC that 10.0.4.0/24 can reach.

What I think is the problem is the routing.

When I look at show route dmz1 10.34.9.109 (the specific host my systems people are trying to reach)

I get this.

CiscoASA# show route dmz1 10.34.9.109

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
......
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is (public address) to network 0.0.0.0

C 10.0.4.0 255.255.255.0 is directly connected, dmz1

CiscoASA#

When I do a show route to 172.18.5.231, another host that they can reach, I get this.

CiscoASA# show route dmz1 172.18.5.231

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
...
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is public IP to network 0.0.0.0

CiscoASA#

Also, from my inside network that can reach 10.34.0.0/16, I get this.

CiscoASA# show route inside 10.34.9.109

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
......
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is public IP to network 0.0.0.0

CiscoASA#

It appears the ASA thinks its route to 10.34.0.0/16 from dmz1 is through dmz1.  I looked for any routes for dmz1 or 10.34.0.0/16 and I found none in the configuration.  I'm at a bit of a loss as to how to get this to work.  Version is 8.2(5).

deanwebb

Wow, a 5520 on 8.2(5) really takes me back...

Can you show the full output of a show route command? Feel free to blot out IP addresses that you can't share on the Internet.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

derjuden

Found my problem today.  So, working with my colleague, we did a

sh ipsec sa peer <remote IP>

to see if the 10.0.4.x hosts were attempting to talk to 10.34.0.0, and we could see packets coming into the ASA but not leaving it.  So, looking at this https://community.cisco.com/t5/vpn/vpn-can-decap-but-no-encaps/td-p/3205450 it seems there was a problem with the ACL.  Here were the two ACLs in question:

access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.11 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.20.1.0 255.255.255.0 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.16.20.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.20.1.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.11 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.100 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.100 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.22 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.22 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.16.20.0 255.255.255.0 10.34.0.0 255.255.0.0

access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 object-group obj-testvpn-remote-hosts
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.16.201.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.16.106.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 10.111.0.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 10.111.1.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.31.0.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.16.205.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.16.204.0 255.255.255.0
access-list noNat-dmz1 extended permit ip host 10.0.4.11 10.12.0.0 255.255.0.0
access-list noNat-dmz1 extended permit ip host 10.0.4.11 10.38.0.0 255.255.0.0
access-list noNat-dmz1 extended permit ip host 10.0.4.11 10.39.0.0 255.255.0.0
access-list noNat-dmz1 extended permit ip host 10.0.3.6 10.39.0.0 255.255.0.0
access-list noNat-dmz1 extended permit ip host 10.0.4.100 object-group DDC_TEST_CABS
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 10.37.0.0 255.255.0.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 10.112.0.0 255.255.255.0

It was set up right in acl-NOCAR-CORP-cust-manage-vpn, but in noNat-dmz1 it was not.  It was missing a permit from 10.0.4.x to 10.34.0.0; I added that rule and the problem was fixed.

And yes, the version is old and we plan on replacing it.  I have a lot of gear to replace this year.
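The root cause above is a crypto-map ACL entry with no matching NAT-exemption (nat 0 access-list) entry, so dmz1 traffic toward 10.34.0.0/16 was NATed before the crypto map was consulted and never matched interesting traffic. The Python below is an added example, not from the post or from Cisco: it parses a trimmed, constructed copy of the two ACLs and reports crypto ACEs sourced from the dmz1 subnet that no noNat-dmz1 ACE fully covers. Object-group entries are skipped because their definitions are not on the page, and only the host and network/mask address forms used in the post are handled.

```python
import ipaddress
import re

# Constructed sample, trimmed from the post's ACLs; noNat-dmz1 lacks 10.0.4.0/24 -> 10.34.0.0/16.
CRYPTO_ACL = """
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.11 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.20.1.0 255.255.255.0 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.11 172.18.5.0 255.255.255.0
"""
NONAT_ACL = """
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 object-group obj-testvpn-remote-hosts
"""

ACE_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(.+)$")

def _take_addr(tokens):
    """Consume one ASA address spec: 'host A', 'object-group G', or 'A MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "object-group":
        return None, tokens[2:]  # unresolvable here: the group body is not in the post
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_aces(text):
    """Return [(src_net, dst_net)] for each 'permit ip' ACE; None marks an object-group."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src, rest = _take_addr(m.group(1).split())
        dst, _ = _take_addr(rest)
        aces.append((src, dst))
    return aces

def uncovered_crypto_aces(crypto_text, nonat_text, local_net):
    """Crypto ACEs sourced from local_net that no NAT-exempt ACE fully covers."""
    # Such flows are translated before the crypto map is checked: decaps rise, encaps stay 0.
    local = ipaddress.ip_network(local_net)
    exempt = [(s, d) for s, d in parse_aces(nonat_text) if s and d]
    missing = []
    for src, dst in parse_aces(crypto_text):
        if src is None or dst is None or not src.subnet_of(local):
            continue  # other interfaces have their own nat 0 list; not checked here
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
            missing.append((str(src), str(dst)))
    return missing
```

Running it on the constructed sample reports the single gap the post found, 10.0.4.11 to 10.34.0.0/16; adding the missing noNat-dmz1 line clears the report.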

deanwebb

There we go, if it's not routing, it's the ACL to define interesting traffic.

Are you planning on replacing with another Cisco or with another vendor?