Solved

Cisco ASA cannot ping across Site-to-Site VPN

Posted on 2008-10-21
Last Modified: 2013-11-29
Hi Experts

I'd appreciate it if you could help with this common scenario and issue.

A Cisco ASA 5510 (192.168.1.0/24) and a Cisco ASA 5505 (192.168.2.0/24) have been set up successfully and an L2L VPN established. It has been working for months.

Recently, I realized that ping is actually not working from the ASA CLI. Meaning that when I telnet to the Cisco ASA and then ping some private IP address on the remote site, like 192.168.2.51, .52 or .53 (or vice versa: 192.168.1.51, .52, .53), it shows 0% success, meaning the ping fails. It only works if I use a computer and then ping the remote IP.

The Cisco ASA itself cannot ping a remote machine's IP across the L2L VPN. However, it can ping any local machine's IP.

Any idea? Is it normal by design?
Question by:chekfu
14 Comments
 
Accepted Solution

by: dmadole (earned 500 total points)
Try configuring:

   management-access inside

On both units. This will make each unit respond to management traffic to the inside interface through the VPN tunnel.

 
Author Comment

by: chekfu
Hi dmadole

Thanks for your reply.

I've just applied it accordingly. Though both ASAs are now pingable from telnet, it is still not able to ping a remote machine's IP.

Please advise.
 
Expert Comment

by: dmadole
Are you using "ping inside"? Otherwise, the ping will be from the outside interface by default since that's where the routing table points, and the outside interface cannot talk through the tunnel.

   ping inside 192.168.1.1

With whatever the appropriate remote inside interface address is.

Without seeing your configuration, I don't know what else might be wrong configuration-wise; you might also need to add:

   icmp permit any inside

At each end.
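dmadole's three pieces, put together as one worked sequence on the CLI. This is an added example, not from the original thread: the hostnames, interface names and the remote host 192.168.2.51 are taken from the question, and the `repeat`/`timeout` values are just illustrative.

```cisco
! On each ASA: let the inside interface answer management traffic (ping, telnet,
! ssh) that arrives through the VPN tunnel, and let ICMP terminate on it.
ASA1(config)# management-access inside
ASA1(config)# icmp permit any inside

! Source the ping from the inside interface explicitly. Without an interface
! name the ASA sources the packet from the interface its routing table picks
! (outside here), and packets sourced from the outside interface address are
! not part of the tunnel's protected traffic, so they never enter the tunnel.
ASA1# ping inside 192.168.2.51 repeat 5 timeout 2

! Same on the other side, pointing back at a host behind ASA1.
ASA2(config)# management-access inside
ASA2(config)# icmp permit any inside
ASA2# ping inside 192.168.1.11 repeat 5 timeout 2
```

One caveat worth checking before trusting a failure: the inside interface address the ping is sourced from (192.168.1.249 on ASA1 in the configuration posted later in this thread) has to fall inside the access-list that defines the tunnel's protected traffic. If that list only covers specific hosts rather than the whole subnet, an ASA-sourced ping will be sent in the clear toward the default route instead of through the tunnel, even though host-to-host pings work.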
 
Author Comment

by: chekfu
Hi dmadole
Thanks for your prompt reply.
For some reason, I couldn't post it here. Sorry for any inconvenience caused.

below is the topology overview
{ PC_X 192.168.1.11 } == ASA1 == (()) L2L (()) == ASA2 == {PC_Y 192.168.2.51}

The following commands have been applied on both ASAs:
management-access inside
icmp permit any inside

In the ASA1 console, I can now ping ASA2's IP, which previously I could not. But I still cannot ping PC_Y 192.168.2.51.
The log shows:
       Denied ICMP type=0, code=0 from 192.168.2.51 on interface inside
       Denied ICMP type=0, from laddr 192.168.2.51 on interface inside to IP of ASA1: no matching session

In the ASA2 console, I can now ping ASA1's IP, which previously I could not. In addition, I can ping PC_X 192.168.1.11. So there is no issue on ASA2 now, only on ASA1.

Any advice?
 
Expert Comment

by: yurisk
Try issuing #debug icmp trace on each ASA and then pinging in both directions.
To see it in the console, also #terminal monitor.
Have you checked the encryption ACL? It may be that only some specific IPs are in the encryption domain.
Do you have pings between the PCs behind the ASAs?
 
Author Comment

by: chekfu
Hi yurisk
Thanks for your input.

Yes, as mentioned, it is working fine, including PING from one machine to another machine.

It only fails to ping from the ASA to machines.
 
Expert Comment

by: yurisk
Then the access-lists defining the traffic to be encrypted and the ACLs on the interfaces allowing/denying traffic should be checked.
 
Author Comment

by: chekfu
Hi all
This is the running config I managed to get.

ASA2 running-config:
Result of the command: "sh run"

: Saved
:
ASA Version 8.0(4)
!
hostname ASA2
domain-name tcf.com
enable password lP0dEAEUhfLyJIOT encrypted
passwd 2KFWpbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <public IP> 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone SGT 8
dns domain-lookup outside
dns server-group DefaultDNS
 name-server <public DNS server>
 domain-name tcf.com
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <router ip> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
vpnclient server <ASA1 IP>
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup vpn password ********
vpnclient username vpnuser password ********
vpnclient enable
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:43a18f852344154c52446c2432c02de6
: end

ASA1 running-config:
Result of the command: "sh run"

: Saved
:
ASA Version 8.0(4)
!
hostname ASA1
enable password lP0dPwAUhfLyJIOT encrypted
passwd 2KFQnQvNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <public IP>
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.249 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone SGT 8
dns domain-lookup inside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list vpn_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound remark This access list is used to define the traffic that should pass through the tunnel.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 <router IP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.81
 key password
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.10.2-192.168.10.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy asjvpn internal
group-policy asjvpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
 default-domain value tcf.com
 nem enable
username vpnuser password o0y6NrTeoO2Zt1Cq encrypted privilege 0
username vpnuser attributes
 vpn-group-policy vpn
tunnel-group asjvpn type remote-access
tunnel-group asjvpn general-attributes
 authentication-server-group RADIUS LOCAL
 default-group-policy vpn
 dhcp-server 192.168.1.81
tunnel-group asjvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d30a73c0297a347edf52e1bbf6a72b31
: end

Please advise.

 

Expert Comment

by: sevenet
Have you tried Packet Tracer in ASDM? I must say it's quite helpful in finding problems if there are some missing lines in the configuration.
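yurisk's debug suggestion and sevenet's Packet Tracer suggestion, combined into one check sequence you can run from the CLI. This is an added example, not from the thread or from Cisco documentation: hostnames, interface names, the ACL name inside_nat0_outbound and the addresses 192.168.1.11 / 192.168.1.249 / 192.168.2.51 come from the question and the posted configs; the expected output fragments in the comments are illustrative.

```cisco
! 1. Watch ICMP as the ASA handles it. Over telnet/ssh, 'terminal monitor' is
!    needed to see debug output; on the console it is shown by default.
ASA1# terminal monitor
ASA1# logging monitor debugging
ASA1# debug icmp trace
ASA1# ping inside 192.168.2.51 repeat 3
! Expect a pair of lines per probe, roughly:
!   ICMP echo request from 192.168.1.249 to 192.168.2.51 ID=... seq=... len=...
!   ICMP echo reply from 192.168.2.51 to 192.168.1.249 ID=... seq=... len=...
! If only the reply shows, or it arrives on a different interface from the one
! the request left on, the request did not take the path you assumed.
ASA1# undebug all

! 2. Confirm the tunnel's protected traffic covers the source you ping from.
!    'local ident' / 'remote ident' are the negotiated proxy identities;
!    #pkts encaps / #pkts decaps should increase while the ping runs.
ASA1# show crypto ipsec sa | include ident|encaps|decaps

! 3. Simulate the host-to-host path. Packet Tracer only models transit traffic,
!    not traffic the ASA itself originates, so it cannot reproduce the failing
!    ASA-sourced ping; it does tell you whether the PC-to-PC path is clean.
ASA1# packet-tracer input inside icmp 192.168.1.11 8 0 192.168.2.51 detailed
! The output walks through each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT-EXEMPT,
! VPN, ...) and ends with "Action: allow", or names the phase that dropped it.

! 4. Review the two kinds of ACL yurisk mentions: the list that defines tunnel
!    traffic, and the interface ACLs bound with access-group.
ASA1# show running-config access-list inside_nat0_outbound
ASA1# show running-config access-group
```

Note on this particular setup: in the posted configs ASA2 is not a crypto-map L2L peer but an Easy VPN hardware client in network-extension mode (`vpnclient mode network-extension-mode`, with `nem enable` in ASA1's group policy), so on ASA1 the "encryption ACL" is effectively the split-tunnel list referenced by the group policy plus the `nat (inside) 0` exemption, not a crypto map ACL. The `local ident` / `remote ident` lines from step 2 show what was actually negotiated, which is the authoritative answer to "is 192.168.1.249 inside the tunnel?".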
 
Author Comment

by: chekfu
I just tried. It doesn't seem to help.
 

Expert Comment

by: sevenet
I'm not an expert, but it seems that the definition of the traffic to be encrypted is:

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound remark This access list is used to define the traffic that should pass through the tunnel.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

and I don't understand why you have the 192.168.0.0 255.255.255.0 network if you have 192.168.1.0 255.255.255.0 in the topology you described earlier.
Shouldn't the source be defined as 192.168.1.0?
 

Expert Comment

by: sevenet
And of course the destination should be 192.168.2.0 255.255.255.0, not 192.168.0.0 255.255.255.0.
 
Author Comment

by: chekfu
Yes, it is a typo. It should be corrected as below:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound remark This access list is used to define the traffic that should pass through the tunnel.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
 

Expert Comment

by: Davgadaze
Can someone help?
I have the same issue. I can ping the public IP address of the remote ASA, but I cannot ping the inside network.

 From my [192.168.1.1]<ASA(A)>[aa.aa.aa.a]<=============site to site VPN===========>[bb.bb.bb.b]<ASA(B)>[192.168.2.1]
 ASA(A) can ping bb.bb.bb.b == fine
 ASA(A) cannot ping 192.168.2.1

Any help, please?
Thanks
