RE: Weird IP connectivity problem

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Sat, 19 Jun 2010 01:15:15 -0400

I'm in the mood for end-to-end, so let's do my 60-second attempt at a solution:

1. Check routes for 204 and 205 on all corp internal routers behind the ASA (if the ASA is not on the corp side), and while we're at it,
        check the whole 172.19.2.192 255.255.255.240 network

;do /32's exist? Any overlap? Routed in wrong direction? Probably not this...
;does /29 appear in routing table of internal routers towards ASA inside interface?

2. Check no-nat list on ASA

; make sure the whole subnet is in no-nat (don't do one-off host no-nats, that's pretty stupid :)

access-list no-nat permit ip 10.0.0.0 255.0.0.0 172.19.2.192 255.255.255.240

3. Check the 851W for

   1. IP settings on the LAN interface (f0/0, etc.) to be 255.255.255.240
   2. correct DHCP settings (if it's the DHCP server)
   3. router NAT settings are not NATting IPsec traffic; if 204 & 205 have static IPs they need a route-map at the end as such (probably this)

"ip nat inside source static 172.19.2.204 65.11.11.1 route-map bypassnatforstatics extendable"

ip access-list extended bypassnat
 deny ip host 172.19.2.204 10.0.0.0 0.255.255.255
 deny ip host 172.19.2.205 10.0.0.0 0.255.255.255
 permit ip 172.19.2.192 0.0.0.15 any

route-map bypassnatforstatics permit 10
 match ip address bypassnat

4. Finally, check the 204 & 205 hosts for

   1. Windows firewall (allowing ping? Why not just disable it for testing?)
   2. other firewall software, McAfee? Etc.
   3. bad masks on these hosts? Perhaps they have .248?

LOL

Much to learn have you young padawan. Now, back to Exchange 2010

-Joe
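As an added illustration (not from Joe's post and not Cisco code), the Python below models how the static NAT entry in step 3.3 consults its route-map ACL: it parses the bypassnat ACL exactly as written above, applies first-match and implicit-deny semantics, and reports whether a packet from .204 leaves the router translated or untranslated. The ACL text and the .204 -> 65.11.11.1 mapping are taken from the post; the evaluator itself is a simplified assumption of IOS behaviour, not a full NAT implementation.

```python
import ipaddress
# Constructed input: the IOS ACL from the checklist above, as it would appear in a config.
ACL_TEXT = """
ip access-list extended bypassnat
 deny ip host 172.19.2.204 10.0.0.0 0.255.255.255
 deny ip host 172.19.2.205 10.0.0.0 0.255.255.255
 permit ip 172.19.2.192 0.0.0.15 any
"""
# Static entry from the post (inside local -> inside global); .205 would get a parallel one.
STATIC_NAT = {"172.19.2.204": "65.11.11.1"}

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care (inverse of a netmask)
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def _take_spec(tokens: list) -> ipaddress.IPv4Network:
    # consume one address spec from the token list: "any", "host A", or "A WILDCARD"
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))

def parse_acl(text: str) -> list:
    # returns [(action, src_net, dst_net), ...] for the "permit/deny ip" lines, in order
    entries = []
    for line in text.splitlines():
        tokens = line.lower().split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # header line or syntax this toy parser does not model
        rest = tokens[2:]
        # tuple elements are evaluated left to right: source spec first, then destination
        entries.append((tokens[0], _take_spec(rest), _take_spec(rest)))
    return entries

def acl_permits(entries: list, src_ip: str, dst_ip: str) -> bool:
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in entries:  # first match wins
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def translated_source(src_ip: str, dst_ip: str, acl_text: str = ACL_TEXT) -> str:
    # Source after the static NAT rule: the route-map ACL must permit the flow for translation;
    # a deny leaves the packet untranslated, so it still matches the IPsec proxy ACL.
    global_ip = STATIC_NAT.get(src_ip)
    if global_ip is None or not acl_permits(parse_acl(acl_text), src_ip, dst_ip):
        return src_ip
    return global_ip
```

Traffic from .204 to the corp 10/8 range stays 172.19.2.204 and enters the tunnel, while the same host reaching the internet is translated to 65.11.11.1; without the route-map every packet would be translated and never match the IPsec SA.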

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jian Gu
Sent: Friday, June 18, 2010 8:50 PM
To: Cisco certification
Subject: Weird IP connectivity problem

Hi, all,

I have a weird situation I need your help with. I have a corp ASA5520 acting
as EzVPN server and a home C851W acting as EzVPN client. The C851W has a
network 172.19.2.192/28 behind it, with hosts 172.19.2.193,
172.19.2.194, 172.19.2.204 and 172.19.2.205. From corp I can ping
172.19.2.193 and .194, but not .204 and .205; from the C851W I can ping all
4 IP addresses. I checked the ASA IPsec SA, and the security association between
10.0.0.0/8 (corp) and 172.19.2.192/28 (C851W) is created correctly,
so it cannot be that the ASA does not know where to send the packets. In
fact, we have a bunch of other C851Ws deployed and there are no
problems with those C851Ws.

What could be wrong?

Thanks,
Jian

Received on Sat Jun 19 2010 - 01:15:15 ART

This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:37 ART