drbill1
Cisco ASA Question
I have two Cisco ASA 5505s between which I have set up a site-to-site VPN using the wizard. However, I cannot ping the remote end of the VPN from either side. For example, one side has a subnet of 192.168.1.0/24 and the other 192.168.2.0/24, but 192.168.2.102 cannot ping 192.168.1.1. 192.168.2.102 CAN, however, ping 192.168.1.131 and every other 192.168.1.0/24 host — just not the ASA itself (the .1 address). The same problem exists in the opposite direction, too.
I have a third site that runs m0n0wall to the 192.168.2.0/24 site and it can ping 192.168.2.1 and I can ping it from 192.168.2.0/24 (it's 192.168.11.1).
Any thoughts? I've included the config of the 192.168.2.0/24 ASA. I've munged the private details and IP addresses, so some basic settings (SNMP, names, internal AAA servers, etc.) are missing.
I have a third site that runs m0n0wall to the 192.168.2.0/24 site and it can ping 192.168.2.1 and I can ping it from 192.168.2.0/24 (it's 192.168.11.1).
Any thoughts? I've included the config of the 192.168.2.0/24 ASA. I've munged the private details and IP addresses, so some basic settings (SNMP, names, internal AAA servers, etc.) are missing.
: Saved
:
: NOTE(review): reviewer remarks below are added as ":" comment lines, the same comment form the ASA itself emits (": Saved", ": end"); they change nothing in the running config.
ASA Version 8.0(2)
!
hostname lake-asa
domain-name millsconsulting.local
: NOTE(review): the enable password hash was pasted as-is even though the post says private details were munged; a published hash is exposed to offline guessing, so treat it as a leaked credential and rotate it.
enable password /HDQp0ws06zJk3F4 encrypted
names
: NOTE(review): 1.1.1.1 is the (munged) outside address of this ASA; 2.2.2.2 and 3.3.3.3 further down are the two L2L peers.
name 1.1.1.1 lake_static
name 192.168.2.100 galadriel
name 192.168.2.101 gandalf
name 192.168.2.102 minas-tirith
name 192.168.2.103 Ra
name 192.168.2.104 Ra-WiFi
!
: NOTE(review): 192.168.2.1 on Vlan1 is the inside address the question is about (the ".1" the far side cannot ping).
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address lake_static 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
: NOTE(review): intra-interface permit lets traffic re-enter and leave the same interface; presumably kept for VPN-client hairpinning on outside — confirm it is still needed.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group service ms-rdp tcp
port-object eq 3389
object-group network grove_subnet
network-object 192.168.1.0 255.255.255.0
object-group network lake_subnet
network-object 192.168.2.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
object-group service http-81 tcp
port-object eq 81
object-group service DM_INLINE_TCP_2 tcp
port-object range www 81
port-object eq ssh
object-group service BT tcp
port-object eq 10245
object-group service BT2 tcp
port-object eq 10246
object-group network VPN_Clients
network-object 192.168.10.0 255.255.255.0
object-group network cboe_subnet
network-object 192.168.11.0 255.255.255.0
: NOTE(review): DM_INLINE_PROTOCOL_2 through _9 are wizard-generated duplicates of the same ip+icmp pair; harmless, but one shared group would be easier to audit.
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_9
protocol-object ip
protocol-object icmp
: NOTE(review): inside_access_in is never applied (the inside access-group at the bottom uses inside_access_in_1), so these two entries are dead config; the first is additionally marked inactive.
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any log disable inactive
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_9 any 1.1.1.0 255.255.255.252 log disable
access-list outside_access_in remark Galadriel services
access-list outside_access_in extended permit tcp any host lake_static object-group ms-rdp log disable
access-list outside_access_in remark Gandalf services
access-list outside_access_in extended permit tcp any host lake_static object-group DM_INLINE_TCP_1 log disable
access-list outside_access_in remark Minas-Tirith services
access-list outside_access_in extended permit tcp any host lake_static object-group DM_INLINE_TCP_2 log disable
: NOTE(review): ICMP from any source to the outside address is permitted here and again by "icmp permit any outside" below; restrict both if Internet-side ping of the firewall is not required.
access-list outside_access_in extended permit icmp any host lake_static log disable
access-list outside_access_in extended permit tcp any host lake_static object-group BT log disable
access-list outside_access_in extended permit tcp any host lake_static object-group BT2 log disable
: NOTE(review): crypto ACL for peer 2.2.2.2 — interesting traffic is lake_subnet <-> grove_subnet; the inside interface address 192.168.2.1 is inside lake_subnet, so it is covered by this match.
access-list outside_1_cryptomap extended permit object-group DM_INLINE_PROTOCOL_8 object-group lake_subnet object-group grove_subnet
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group lake_subnet object-group grove_subnet
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_3 any object-group VPN_Clients log disable
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_4 object-group lake_subnet object-group cboe_subnet
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_5 any object-group cboe_subnet
: NOTE(review): this is the ACL actually applied inbound on "inside" (see access-group below); ip/icmp any any means there is no egress filtering from the LAN.
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 any any log disable
: NOTE(review): remote-access clients only tunnel 192.168.2.0/24; grove_subnet and cboe_subnet are not in the split-tunnel list, so clients cannot reach them through this ASA.
access-list RemoteUsers_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit object-group DM_INLINE_PROTOCOL_6 object-group lake_subnet object-group cboe_subnet
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
ip local pool VPN 192.168.10.1-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
: NOTE(review): these two lines control ICMP addressed to the ASA's own interfaces, which is exactly the case in the question; for pings arriving over a VPN tunnel the "management-access inside" line further down presumably also has to be present — and the peer ASA's equivalent lines are not shown in the post.
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
: NOTE(review): nat 0 exempts the VPN subnets (inside_nat0_outbound) from the interface PAT on the following line; 192.168.2.1 falls within lake_subnet, so it is exempted too.
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 galadriel 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www gandalf www netmask 255.255.255.255
static (inside,outside) tcp interface 81 minas-tirith 81 netmask 255.255.255.255
static (inside,outside) tcp interface https gandalf https netmask 255.255.255.255
static (inside,outside) tcp interface 10245 Ra 10245 netmask 255.255.255.255
static (inside,outside) tcp interface 10246 Ra-WiFi 10246 netmask 255.255.255.255
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server MCG-AD protocol radius
http server enable
http 192.168.2.0 255.255.255.0 inside
auth-prompt prompt Enter Your Domain User And Password
auth-prompt accept Login Successful
auth-prompt reject Login Failed
: NOTE(review): DES- and MD5-based transform sets remain defined and are offered in the dynamic map; both L2L peers below negotiate ESP-3DES-SHA. Prefer an AES set that is already defined here (e.g. ESP-AES-256-SHA) once both peers support it, and drop the DES/MD5 sets.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
: NOTE(review): map entry 1 = L2L to 2.2.2.2 (grove), entry 2 = L2L to 3.3.3.3 (cboe); neither sets pfs, unlike the dynamic map.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 3.3.3.3
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
: NOTE(review): policy 10 (single DES) and policy 70 (MD5) are active and offered to every peer; policy 50 requires rsa-sig but no ISAKMP certificate trustpoint is visible in this paste, so it is presumably never matched — confirm and prune.
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 3600
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
crypto isakmp policy 50
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
: NOTE(review): NAT traversal is disabled; if either L2L peer or a remote-access client sits behind a NAT device, ESP will not pass — re-enable with "crypto isakmp nat-traversal" if that applies.
no crypto isakmp nat-traversal
: NOTE(review): telnet (cleartext) is enabled from the inside subnet; ssh from the same subnet is configured two lines below and is sufficient for management — consider removing the telnet line.
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
: NOTE(review): present on this ASA — this is the setting that lets the inside interface address be reached (e.g. pinged) across a VPN tunnel; presumably the peer ASA needs the same line, and its config is not shown in the post.
management-access inside
dhcpd address 192.168.2.2-192.168.2.33 inside
!
dhcprelay server galadriel inside
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
!
service-policy global_policy global
ssl trust-point ASDM_TrustPoint0 outside
webvpn
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
wins-server value 192.168.2.100 192.168.2.101
dns-server value 192.168.2.100 192.168.2.101
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteUsers_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
address-pool VPN
authentication-server-group MCG-AD
authorization-server-group MCG-AD
accounting-server-group MCG-AD
default-group-policy RemoteUsers
dhcp-server galadriel
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
: NOTE(review): pre-shared keys appear masked ("*") throughout this output; keep it that way when sharing configs.
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
address-pool VPN
authentication-server-group MCG-AD
authorization-server-group MCG-AD
accounting-server-group MCG-AD
default-group-policy RemoteUsers
dhcp-server galadriel
tunnel-group RemoteUsers ipsec-attributes
pre-shared-key *
tunnel-group RemoteUsers ppp-attributes
authentication ms-chap-v2
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *
prompt hostname context
: end
asdm image disk0:/asdm-602.bin
no asdm history enable