ASA Site To Site VPN Issue

Posted on 2009-04-17
Last Modified: 2012-05-06
Hello All,

So I have a site to site vpn going between an ASA and an 800 series router. After a connection is made and I try to ping/browse something from a workstation behind the 800 to a server behind the ASA, I get the following in the ASA logs…

Deny inbound icmp src inside: dst inside: (type 0, code 0)

I get this for not just icmp… so in looking at the config I am not sure what I have overlooked.

Traffic from the 800 is

Thanks All!
: Saved

ASA Version 8.0(4)

hostname <blah>
domain-name <blah>
enable password <blah>
passwd <blah> encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address 

interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.64 

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name <blah>
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group network Inside_Networks

access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 object-group Inside_Networks 
access-list inside_nat0_outbound extended permit ip 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101
route outside x.x.x.1 1
route inside x.x.x.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map soho1 1 match address outside_cryptomap
crypto dynamic-map soho1 1 set transform-set ESP-3DES-SHA
crypto dynamic-map soho1 1 set security-association lifetime seconds 28800
crypto dynamic-map soho1 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 1 ipsec-isakmp dynamic soho1
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username <blah> password <blah> encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group soho1 type ipsec-l2l
tunnel-group soho1 ipsec-attributes
 pre-shared-key *

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global
prompt hostname context

: end


Question by:dehmerl
    LVL 15

    Accepted Solution

    I think you may have a problem with the below, although logically it still works. In the NAT exempt statement I have seen it work just fine, but I'm not sure if that translates to it working in the crypto map.

    object-group network Inside_Networks

    access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 object-group Inside_Networks

    As the Inside_Networks address actually overlaps the destination address of

    Also, this route actually changes the direction of all internal network traffic, including what may need to go over the VPN. Is this intended?

    route inside x.x.x.254 1


    Author Comment

    We have taken the and sliced the 10.10.220.x/ so we can set up several of these routers at homes, etc...

    So we have several internal nets that follow the pattern of 10.10.x.0/; this is why I have the route inside x.x.x.254 1 - I could break this down to the different networks...

    I will give this a quick change and see...

    Author Closing Comment

    I think route inside x.x.x.254 1 was the issue -- I just changed the route on the ASA side to a single /24 network to do a test and bam it worked!
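The mechanism behind the fix above, as an added example that is not part of the original thread or of any Cisco code: the ASA routes a packet before it applies the crypto map, and the crypto map only sees packets that egress the outside interface. A broad "route inside" that overlaps the remote site's subnet wins the longest-prefix match, so VPN-bound replies are sent back towards the inside router and never reach the tunnel; narrowing that route to the /24s that really live behind the inside router restores the default route (outside) for the remote subnet. The addresses and prefixes below are constructed assumptions standing in for the values stripped from the posted config (the 10.10.220.x network is the one the author mentions; the /16 supernet is an assumption about what the original "route inside x.x.x.254 1" covered).

```python
import ipaddress

# Added example (not from the original thread). Addresses are constructed:
# LOCAL_LAN and OTHER_INTERNAL are assumed, REMOTE_LAN is the 10.10.220.x net
# the author mentions, and the /16 below is an assumption about the original
# "route inside x.x.x.254 1" before it was narrowed to a single /24.
LOCAL_LAN = ipaddress.ip_network("10.10.1.0/24")       # assumed LAN behind the ASA
REMOTE_LAN = ipaddress.ip_network("10.10.220.0/24")    # LAN behind the 800-series router
OTHER_INTERNAL = ipaddress.ip_network("10.10.2.0/24")  # assumed net behind the inside router

# Crypto ACL (interesting traffic), local LAN <-> remote LAN, the role of outside_cryptomap
CRYPTO_ACL = [(LOCAL_LAN, REMOTE_LAN)]

# Route tables as (prefix, egress interface, next-hop label); labels are placeholders
BROKEN_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside", "ISP_GW"),        # route outside ... 1
    (LOCAL_LAN, "inside", "connected"),
    (ipaddress.ip_network("10.10.0.0/16"), "inside", "INSIDE_RTR"),  # supernet overlapping REMOTE_LAN
]
FIXED_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside", "ISP_GW"),
    (LOCAL_LAN, "inside", "connected"),
    (OTHER_INTERNAL, "inside", "INSIDE_RTR"),                        # narrowed to a single /24
]


def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst (None if unrouted)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, _ in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def classify(routes, src, dst):
    """Model the ASA's order of operations: route first, then apply the crypto map
    only if the packet egresses 'outside' and the flow matches the crypto ACL."""
    iface = lookup(routes, dst)
    if iface == "outside":
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in local and d in remote for local, remote in CRYPTO_ACL):
            return "encrypt-via-vpn"
    return f"plain-to-{iface}"


def routes_shadowing_vpn(routes, acl=CRYPTO_ACL):
    """Config check: routes that do not egress 'outside' yet overlap a remote VPN
    subnet. Any hit means VPN-bound traffic is steered away from the crypto map."""
    return [str(prefix) for prefix, iface, _ in routes
            if iface != "outside" and any(prefix.overlaps(remote) for _, remote in acl)]


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        print(name, "reply to remote host ->", classify(table, "10.10.1.10", "10.10.220.5"))
        print(name, "routes shadowing the VPN:", routes_shadowing_vpn(table))
```

With the supernet route in place, a reply from the server to 10.10.220.5 is routed to the inside interface and never encrypted; with the route narrowed, it falls to the default route, egresses outside, matches the crypto ACL and enters the tunnel. The routes_shadowing_vpn check is the quick test to run against any new static route on a VPN endpoint: an overlap between a non-outside route and a remote crypto-ACL subnet is the configuration pattern this thread ran into.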

