Skip to main content

Help with VPN Dropping traffic

More
13 years 3 weeks ago #36468 by JamieP
Hi Guys,

i hope someone can help me here as im running out of ideas.

Our setup for site to site VPNS is we have a pair of ASA's at our main site, and then each remote site has a 1801 router.

The remote sites have an ACL to permit traffic to the UK.

Initally the remote routers all had different ACL's, and i wanted to standardize them, so i created the following ACL

[code:1]ip access-list extended VPN_PERMIT_UK
permit ip any 10.0.0.0 0.255.255.255
end[/code:1]

The theory being all of our internal networks fall within 10.0.0.0/8 - However some remote sites cannot access certain subnets within that 10.0.0.0/8, so im really not sure why that is, but i created more specific rules;

[code:1]ip access-list extended VPN_PERMIT_UK
1 permit ip any 10.20.0.0 0.0.255.255
2 permit ip any 10.21.0.0 0.0.255.255
3 permit ip any 10.22.0.0 0.0.255.255
4 permit ip any 10.25.0.0 0.0.255.255
5 permit ip any 10.60.0.0 0.0.0.255
6 permit ip any 10.61.0.0 0.0.0.255
7 permit ip any 10.99.1.0 0.0.0.255
8 permit ip any 10.250.0.0 0.0.255.255
9 permit ip any 10.32.0.0 0.0.0.255
10 permit ip any 10.0.0.0 0.255.255.255[/code:1]

and still some subnets dont work, so i finally appented the original ACL rules to the end of my new ones to get the following;

[code:1]Extended IP access list VPN_PERMIT_UK
1 permit ip any 10.20.0.0 0.0.255.255
2 permit ip any 10.21.0.0 0.0.255.255 (22 matches)
3 permit ip any 10.22.0.0 0.0.255.255
4 permit ip any 10.25.0.0 0.0.255.255 (19 matches)
5 permit ip any 10.60.0.0 0.0.0.255
6 permit ip any 10.61.0.0 0.0.0.255
7 permit ip any 10.99.1.0 0.0.0.255
8 permit ip any 10.250.0.0 0.0.255.255 (6 matches)
9 permit ip any 10.32.0.0 0.0.0.255
10 permit ip any 10.0.0.0 0.255.255.255
100 permit ip 10.36.0.0 0.0.0.255 10.0.0.0 0.255.255.255
110 permit ip 10.36.0.0 0.0.0.255 10.20.0.0 0.0.255.255
120 permit ip 10.36.0.0 0.0.0.255 10.21.0.0 0.0.255.255
130 permit ip 10.36.0.0 0.0.0.255 10.22.0.0 0.0.255.255 (583 matches)
140 permit ip 10.36.0.0 0.0.0.255 10.25.0.0 0.0.255.255
150 permit ip 10.36.0.0 0.0.0.255 10.60.0.0 0.0.0.255
160 permit ip 10.36.0.0 0.0.0.255 10.61.0.0 0.0.0.255
170 permit ip 10.36.0.0 0.0.0.255 10.99.1.0 0.0.0.255
180 permit ip 10.36.0.0 0.0.0.255 10.250.0.0 0.0.255.255
190 permit ip 10.36.0.0 0.0.0.255 10.250.11.0 0.0.0.255
200 permit ip 10.36.0.0 0.0.0.255 10.32.0.0 0.0.0.255
210 permit icmp 10.36.0.0 0.0.0.255 10.0.0.0 0.255.255.255[/code:1]

I've reset the counters with the above rules, so you can see which ones are getting triggered
can anyone explain why rules 130 would get triggered rather than 3? and can anyone explain why 130 would be triggered rather than 100???

Any Help would be greatly appreciated

Jamie Parks
Network Engineer, UK
More
13 years 3 weeks ago #36478 by Chris
JamieP,

It sounds like a subnetting issue, however it would greatly help if we could have a rough network diagram and the configuration (without the sensitive information) of your HQ ASA/Router and one remote site where the problem exists. This will allow everyone to have a much better idea about your setup and problems your experiencing.

Thanks,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Time to create page: 0.145 seconds