Solved

Cisco ASA Question

Posted on 2009-06-29
Last Modified: 2013-11-16
I have two Cisco ASA 5505s between which I have set up a site-to-site VPN using the wizard. However, I cannot ping the remote side of the VPN from either side. For example, one side has a subnet of 192.168.1.0/24 and the other 192.168.2.0/24, but 192.168.2.102 cannot ping 192.168.1.1. However, 192.168.2.102 CAN ping 192.168.1.131 and all other 192.168.1.0/24 hosts, just not the actual ASA itself (the .1 address). The same problem exists in the opposite direction, too.

I have a third site that runs m0n0wall and connects to the 192.168.2.0/24 site; it can ping 192.168.2.1 and I can ping it from 192.168.2.0/24 (it's 192.168.11.1).

Any thoughts? I've included the config of the 192.168.2.0/24 ASA. I've munged the private details and IP addresses, so some basic settings (SNMP, names, internal AAA servers, etc) are missing.
: Saved
:
ASA Version 8.0(2) 
!
hostname lake-asa
domain-name millsconsulting.local
enable password /HDQp0ws06zJk3F4 encrypted
names
name 1.1.1.1 lake_static
name 192.168.2.100 galadriel
name 192.168.2.101 gandalf
name 192.168.2.102 minas-tirith
name 192.168.2.103 Ra
name 192.168.2.104 Ra-WiFi
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address lake_static 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group service ms-rdp tcp
 port-object eq 3389
object-group network grove_subnet
 network-object 192.168.1.0 255.255.255.0
object-group network lake_subnet
 network-object 192.168.2.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
object-group service http-81 tcp
 port-object eq 81
object-group service DM_INLINE_TCP_2 tcp
 port-object range www 81
 port-object eq ssh
object-group service BT tcp
 port-object eq 10245
object-group service BT2 tcp
 port-object eq 10246
object-group network VPN_Clients
 network-object 192.168.10.0 255.255.255.0
object-group network cboe_subnet
 network-object 192.168.11.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_9
 protocol-object ip
 protocol-object icmp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any log disable inactive 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_9 any 1.1.1.0 255.255.255.252 log disable 
access-list outside_access_in remark Galadriel services
access-list outside_access_in extended permit tcp any host lake_static object-group ms-rdp log disable 
access-list outside_access_in remark Gandalf services
access-list outside_access_in extended permit tcp any host lake_static object-group DM_INLINE_TCP_1 log disable 
access-list outside_access_in remark Minas-Tirith services
access-list outside_access_in extended permit tcp any host lake_static object-group DM_INLINE_TCP_2 log disable 
access-list outside_access_in extended permit icmp any host lake_static log disable 
access-list outside_access_in extended permit tcp any host lake_static object-group BT log disable 
access-list outside_access_in extended permit tcp any host lake_static object-group BT2 log disable 
access-list outside_1_cryptomap extended permit object-group DM_INLINE_PROTOCOL_8 object-group lake_subnet object-group grove_subnet 
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group lake_subnet object-group grove_subnet 
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_3 any object-group VPN_Clients log disable 
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_4 object-group lake_subnet object-group cboe_subnet 
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_5 any object-group cboe_subnet 
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 any any log disable 
access-list RemoteUsers_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list outside_2_cryptomap extended permit object-group DM_INLINE_PROTOCOL_6 object-group lake_subnet object-group cboe_subnet 
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
ip local pool VPN 192.168.10.1-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 galadriel 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface www gandalf www netmask 255.255.255.255 
static (inside,outside) tcp interface 81 minas-tirith 81 netmask 255.255.255.255 
static (inside,outside) tcp interface https gandalf https netmask 255.255.255.255 
static (inside,outside) tcp interface 10245 Ra 10245 netmask 255.255.255.255 
static (inside,outside) tcp interface 10246 Ra-WiFi 10246 netmask 255.255.255.255 
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server MCG-AD protocol radius
http server enable
http 192.168.2.0 255.255.255.0 inside
auth-prompt prompt Enter Your Domain User And Password 
auth-prompt accept Login Successful 
auth-prompt reject Login Failed 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 2.2.2.2 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 3.3.3.3 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto isakmp policy 50
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.2.2-192.168.2.33 inside
!
dhcprelay server galadriel inside
 
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 wins-server value 192.168.2.100 192.168.2.101
 dns-server value 192.168.2.100 192.168.2.101
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteUsers_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 authentication-server-group MCG-AD
 authorization-server-group MCG-AD
 accounting-server-group MCG-AD
 default-group-policy RemoteUsers
 dhcp-server galadriel
 authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group RemoteUsers type remote-access
tunnel-group RemoteUsers general-attributes
 address-pool VPN
 authentication-server-group MCG-AD
 authorization-server-group MCG-AD
 accounting-server-group MCG-AD
 default-group-policy RemoteUsers
 dhcp-server galadriel
tunnel-group RemoteUsers ipsec-attributes
 pre-shared-key *
tunnel-group RemoteUsers ppp-attributes
 authentication ms-chap-v2
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *
prompt hostname context 
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

Question by:drbill1

Accepted Solution

by: djcapone (earned 500 total points)
ID: 24742621
Define the inside interface as a management interface.

management-access inside
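As an added example (not code from this thread, from Cisco, or from either poster), here is a small Python linter for the pre-8.3 ASA syntax used above. Run against a constructed, trimmed excerpt of the config quoted in the question, it reports the things the thread turns on plus the caveats a reviewer would raise from the posted config: whether `management-access inside` is present (the accepted fix; without it the ASA's own inside interface address does not answer through a tunnel even though hosts behind it do), whether every source/destination pair in a crypto-map ACL is also covered by the `nat (inside) 0 access-list` exemption (otherwise the traffic is PATed to the outside address and never matches the tunnel), and the `encryption des` / `group 2` ISAKMP policy and `no crypto isakmp nat-traversal` lines that appear in the posted config. The sample config, the function names and the finding strings are mine; the `name` aliases, `host`, `any`, `object-group` and inline-protocol-group forms handled by the parser are the ones that appear in the poster's ACLs. Note that the config quoted in the question already carries `management-access inside`; the other ASA's config is not shown, so the sample omits the line to show the check firing.

```python
"""Consistency checks for a Cisco ASA 8.0 site-to-site VPN config (pre-8.3 NAT syntax)."""
import ipaddress
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the 192.168.2.0/24 ASA config posted in the
# question. Two of its lines are left out on purpose so the checks have something to
# report: 'management-access inside' and the inside_nat0_outbound entry for cboe_subnet.
SAMPLE_CONFIG = """\
name 1.1.1.1 lake_static
object-group network grove_subnet
 network-object 192.168.1.0 255.255.255.0
object-group network lake_subnet
 network-object 192.168.2.0 255.255.255.0
object-group network cboe_subnet
 network-object 192.168.11.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list outside_access_in extended permit icmp any host lake_static log disable
access-list outside_1_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 object-group lake_subnet object-group grove_subnet
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group lake_subnet object-group grove_subnet
access-list outside_2_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 object-group lake_subnet object-group cboe_subnet
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 2 match address outside_2_cryptomap
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
no crypto isakmp nat-traversal
"""


def _term(w, i, cfg):
    """Consume one ACL address term at w[i]; return (set of networks, index of the next term)."""
    net = lambda ip, m: ipaddress.ip_network(f"{cfg['names'].get(ip, ip)}/{m}", strict=False)
    if w[i] == 'any':
        return {ipaddress.ip_network('0.0.0.0/0')}, i + 1
    if w[i] == 'host':
        return {net(w[i + 1], '255.255.255.255')}, i + 2
    if w[i] == 'object-group':
        return {net(ip, m) for ip, m in cfg['groups'][w[i + 1]]}, i + 2
    return {net(w[i], w[i + 1])}, i + 2


def parse(config):
    cfg = {'names': {}, 'groups': defaultdict(list), 'acls': defaultdict(set), 'nat0': set(),
           'maps': {}, 'isakmp': defaultdict(dict), 'lines': set()}
    ctx = None  # the object-group or isakmp policy that following indented lines belong to
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        cfg['lines'].add(' '.join(w))
        ctx = ctx if line[0] == ' ' else None
        if w[0] == 'name':  # 'name IP ALIAS': the alias is used in place of the IP later on
            cfg['names'][w[2]] = w[1]
        elif w[0] == 'object-group':
            ctx = ('group', w[2])
        elif w[0] == 'network-object' and ctx and ctx[0] == 'group':
            cfg['groups'][ctx[1]].append((w[1], w[2]))
        elif w[0] == 'access-list' and w[2:4] == ['extended', 'permit'] and 'inactive' not in w:
            src, i = _term(w, 6 if w[4] == 'object-group' else 5, cfg)  # skip the protocol term
            dst, _ = _term(w, i, cfg)  # trailing port and 'log' options are ignored
            cfg['acls'][w[1]].update((s, d) for s in src for d in dst)
        elif w[0] == 'nat' and w[2:4] == ['0', 'access-list']:
            cfg['nat0'].add(w[4])
        elif w[:2] == ['crypto', 'map'] and w[4:6] == ['match', 'address']:
            cfg['maps'][(w[2], w[3])] = w[6]
        elif w[:3] == ['crypto', 'isakmp', 'policy']:
            ctx = ('isakmp', w[3])
        elif ctx and ctx[0] == 'isakmp' and w[0] in ('encryption', 'hash', 'group'):
            cfg['isakmp'][ctx[1]][w[0]] = w[1]
    return cfg


WEAK_IKE = {'encryption': {'des'}, 'hash': {'md5'}, 'group': {'1', '2'}}


def lint(config):
    """Findings: the accepted answer, NAT-exemption gaps per crypto map, weak IKE, NAT-T off."""
    cfg, out = parse(config), []
    if 'management-access inside' not in cfg['lines']:
        out.append("missing 'management-access inside': the inside interface IP will not answer through the VPN")
    exempt = [pair for name in cfg['nat0'] for pair in cfg['acls'][name]]
    for (name, seq), acl in sorted(cfg['maps'].items()):
        for src, dst in sorted(cfg['acls'][acl], key=str):
            # a pair not exempted from NAT is PATed to the outside address first and never matches the tunnel
            if not any(s.supernet_of(src) and d.supernet_of(dst) for s, d in exempt):
                out.append(f"crypto map {name} {seq}: {src} -> {dst} has no nat0 exemption")
    for num, attrs in sorted(cfg['isakmp'].items(), key=lambda kv: int(kv[0])):
        weak = [f"{k} {v}" for k, v in attrs.items() if v in WEAK_IKE[k]]
        if weak:
            out.append(f"isakmp policy {num}: weak {', '.join(weak)}")
    if 'no crypto isakmp nat-traversal' in cfg['lines']:
        out.append("NAT-T disabled: IKE cannot move to UDP/4500 if either peer sits behind NAT")
    return out
```

`lint(SAMPLE_CONFIG)` returns four findings for the trimmed sample: the missing `management-access inside`, the `lake_subnet -> cboe_subnet` pair of `outside_map 2` with no nat0 exemption, the DES/group 2 ISAKMP policy, and NAT-T being disabled. Appending `management-access inside` and the nat0 entry for cboe_subnet, and dropping the `no crypto isakmp nat-traversal` line, leaves only the ISAKMP finding. The NAT-exemption check uses subnet containment rather than exact matching, so a broader `any`-based nat0 line is accepted as covering a narrower crypto-map pair.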

Author Closing Comment

by:drbill1
ID: 31598226
Perfect, thanks!
