VPN Problem

funkbass81

Member
Apr 4, 2006
165
0
0
Having a problem with one site-to-site VPN. My site has 2 subnets which go over this tunnel to the other site. The problem I'm having is that only one of the subnets is able to send and receive traffic while the other one can't. Also, for some reason the other site's internal subnet is showing in my routing table as an outside network. Attached is the config of my ASA.





Right now the tunnel is up; here's what the routing table looks like.


C 192.168.134.0 255.255.255.0 is directly connected, inside
C x is directly connected, outside
O 172.16.134.0 255.255.255.248 [110/11] via 192.168.134.2, 23:07:05, inside
O 172.16.1.0 255.255.255.0 [110/11] via 192.168.134.2, 23:07:05, inside
S 172.21.221.0 255.255.255.0 [1/0] via 65.223.214.49, outside
C 127.0.0.0 255.255.0.0 is directly connected, cplane
S* 0.0.0.0 0.0.0.0 [1/0] via x , outside

Any help is appreciated.



Edited because of my own stupidity.
 

narzy

Elite Member
Feb 26, 2000
7,006
1
81
You are now going to want to change all of the passwords on that device and rebuild the crypto keys, since you've posted them basically in plain text onto the internet and have given us your external IP address. And if you've used those passwords on any other devices/accounts, it'd be a good idea to change them as well...

Never EVER post a running config file without scrubbing user information / passwords / network information that could be used to identify the network.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
Originally posted by: funkbass81
The username x part? That's not a valid username.

It doesn't matter; as a precaution I would advise changing it as well. Half of your security info has been made public. The chance is small but real that someone could do damage with it.
 

narzy

Elite Member
Feb 26, 2000
7,006
1
81
enable password sC9...encrypted

Management Console password
passwd 2KF...encrypted

username x password U46...encrypted privilege 15
Although the UN is not known, I do know the password; it is much easier to capture a username than a password...

I know a lot about how your internal network is configured, what your firewall is logging, what it is inspecting (and, more importantly, what it is not...),
how you encrypt traffic and at least 1 key

I also know 1 external address
S 172.21.221.0 255.255.255.0 [1/0] via 65.X.X.X, outside

Originally posted by: funkbass81
I realized that, so I did change that info as well as the keys.

Good man...

And I don't think it was stupidity, more just simple oversight; you have trust in this community and that is a great thing. Sometimes we just need to watch each other's backs.

As for your VPN problem, I have no clue, way over my head... I've never set up a VPN, not quite sure how they work, and use Hamachi right now for my VPN needs.

How far can the second subnet get? What type of logging have you done? Sounds like a misconfigured route somewhere... but again, I don't really know where to start on this one.


Other Cisco gurus?!??! HELP!!!!
 

funkbass81

Member
Apr 4, 2006
165
0
0
The second subnet (the 172 that's being seen as an outside route) gets added to the tunnel, but no traffic goes over it. If I look at the IPsec counters for that tunnel, the only numbers that increment are the number of packets decapsulated and decrypted. The remote side can't ping anything on the second subnet here (local).
 

funkbass81

Member
Apr 4, 2006
165
0
0
When I look at the IPsec counters for this tunnel, it shows that it's only decapsulating/decrypting packets, and not encrypting them for the other site. I'm stumped. Checked crypto maps, transform sets, IKE policies, and they all match the other side. Any help is appreciated.
 

BornStar

Diamond Member
Oct 30, 2001
4,052
1
0
I can't see the config, but have you set up your second subnet not to NAT over the VPN? Also, in my experience (fairly limited), VPNs show up as being outside; they just bypass the access lists.

Edit: You still have a public IP in your routes.
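BornStar's NAT-exemption question is the first check a practitioner would run for this symptom. On a pre-8.3 ASA, outbound traffic is translated before the crypto map's match ACL is consulted, so a second subnet that is listed in the crypto ACL but missing from the `nat (inside) 0 access-list` exemption gets PATed to the outside address, never matches the tunnel, and the SA shows decrypts but no encrypts for it. The script below is an added example, not from the thread or any poster: it reads an ASA config in that older syntax, cross-checks every crypto-ACL entry against the NAT-exemption ACL, and prints the exemption lines that are missing. The constructed sample config uses the subnets from the routing table above (192.168.134.0/24 and 172.16.1.0/24 local, 172.21.221.0/24 remote); the ACL names `nonat` and `vpn-remote`, the peer 203.0.113.10 and the transform set are invented.

```python
"""Cross-check an ASA crypto ACL against its NAT-exemption ACL.

Added example (not the poster's config). Handles the pre-8.3 syntax
`nat (<if>) 0 access-list <name>`; ASA 8.3+ object NAT is not parsed.
"""
import ipaddress
import re

# Constructed sample. Subnets come from the routing table in the thread;
# the ACL names, peer address and transform set are invented.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 192.168.134.0 255.255.255.0 172.21.221.0 255.255.255.0
access-list vpn-remote extended permit ip 192.168.134.0 255.255.255.0 172.21.221.0 255.255.255.0
access-list vpn-remote extended permit ip 172.16.1.0 255.255.255.0 172.21.221.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map outside_map 10 match address vpn-remote
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

# Only the plain "net mask net mask" ACE form is parsed; "host", "any" and
# object-group entries are skipped, so treat the result as a first pass.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_acls(config):
    """Map ACL name -> list of (source_net, dest_net) IPv4Network pairs."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
    return acls


def nonat_acl_names(config):
    """Names of ACLs referenced by 'nat (<if>) 0 access-list <name>'."""
    return [m.group(2) for line in config.splitlines()
            if (m := NAT0_RE.match(line.strip()))]


def find_nat_gaps(config):
    """Return [(crypto_acl, local_net, remote_net)] for crypto-ACL entries
    whose traffic is not covered by any NAT-exemption entry."""
    acls = parse_acls(config)
    exempt = [p for n in nonat_acl_names(config) for p in acls.get(n, [])]
    gaps = []
    for line in config.splitlines():
        m = MATCH_RE.match(line.strip())
        if not m:
            continue
        crypto_acl = m.group(3)
        for local, remote in acls.get(crypto_acl, []):
            # Covered only if both ends fall inside one exemption entry.
            covered = any(local.subnet_of(el) and remote.subnet_of(er)
                          for el, er in exempt)
            if not covered:
                gaps.append((crypto_acl, local, remote))
    return gaps


def suggest_fix(config):
    """ACL lines that would exempt every gap, appended to the first nat 0
    ACL (or a new one called 'nonat' if the config has none yet)."""
    names = nonat_acl_names(config)
    target = names[0] if names else "nonat"
    lines = [f"access-list {target} extended permit ip "
             f"{local.network_address} {local.netmask} "
             f"{remote.network_address} {remote.netmask}"
             for _, local, remote in find_nat_gaps(config)]
    if not names and lines:
        lines.append(f"nat (inside) 0 access-list {target}")
    return lines


if __name__ == "__main__":
    for crypto_acl, local, remote in find_nat_gaps(SAMPLE_CONFIG):
        print(f"{crypto_acl}: {local} -> {remote} is in the crypto ACL "
              "but is not exempted from NAT")
    for fix in suggest_fix(SAMPLE_CONFIG):
        print("add:", fix)
```

Run against the sample, it reports that 172.16.1.0/24 -> 172.21.221.0/24 is in `vpn-remote` but not in `nonat`, and prints the `access-list nonat ...` line to add. After adding an exemption, `show crypto ipsec sa` for the peer should start incrementing the encaps/encrypt counters for that subnet; if it still shows only decrypts, the crypto ACL on the remote side or a route sending that subnet somewhere other than the outside interface is the next thing to check.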
 