Can only ping Inside router interface on Site to Site Tunnel

Experts,

We have an established site-to-site VPN tunnel (Phase I and Phase II good) using a Cisco ASA 5510 at HQ and a Cisco ASA 5505 at the remote side. They are both running 8.21 code. The issue is I can only ping the inside interface of the routers at both sides. Our HQ has three remote sites, two of which are up and running perfectly; this third one is giving us an issue. I have looked at the programming too many times and would like a new set of experienced eyes to take a look and tell me what we did incorrectly.

As always, your assistance is very much appreciated!!

I have included the programming from the HQ and the remote side for review, labelled HQ and Sat. The local IP scheme for the Sat is 10.100.16.0 /24 and the local IP scheme for the HQ is 10.8.0.0 /16.

Please let me know if you need anything else.

Thanks again!

Sat - Local IP 10.100.16.0 /24

access-list outside_cryptomap extended permit ip 10.100.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list SHM_Networks standard permit 10.100.16.0 255.255.255.0 
access-list SHM_Networks standard permit 10.9.16.0 255.255.255.0 
access-list SHM_Networks standard permit 10.8.0.0 255.255.0.0 
access-list SHM_Networks standard permit 10.10.16.0 255.255.255.0 
access-list SHM_Networks standard permit SH_Village 255.255.255.0 
access-list SHM_Networks standard permit Merrit_House 255.255.255.0 
access-list outside_access_in extended permit icmp any any 
access-list outside_1_cryptomap extended permit ip 10.100.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 Merrit_House 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 SH_Village 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 10.9.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 10.8.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list outside_3_cryptomap extended permit ip 10.100.16.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list Montreal_splitTunnelAcl standard permit 10.100.16.0 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list inside_access_out extended permit ip any any 
access-list inside_nat0_outboundextended extended permit ip 10.100.16.0 255.255.255.0 10.8.0.0 255.255.0.0 
access-list outside_access_in_1 extended permit ip any any 
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs 
crypto map outside_map1 1 set peer xxx.xxx.xxx.xxx 
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group Montreal type remote-access
tunnel-group Montreal general-attributes
 address-pool Montreal
 default-group-policy Montreal
tunnel-group Montreal ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group SHMontreal type remote-access
tunnel-group SHMontreal general-attributes
 address-pool SHMontrealVP
tunnel-group SHMontreal ipsec-attributes
 pre-shared-key *

HQ - Local Ip 10.8.0.0 /16

access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp object-group ECI any object-group trusted-tcp 
access-list outside_access_in extended permit udp object-group ECI any object-group trusted-udp 
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq https 
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq smtp 
access-list outside_access_in extended permit icmp any host xxx.xxx.xxx.xxx inactive 
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx object-group Active_Sync 
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 10.8.0.0 255.255.0.0 inactive 
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.8.0.0 255.255.0.0 inactive 
access-list dmz_access_in extended permit tcp host 10.8.200.50 host 10.8.16.222 eq smtp 
access-list dmz_access_in extended permit tcp host xxx.xxx.xxx.xxx object-group Active_Sync host 10.8.16.222 object-group Active_Sync inactive 
access-list dmz_access_in remark citrix
access-list dmz_access_in extended permit tcp host 10.8.200.51 host 10.8.16.224 object-group DM_INLINE_TCP_1 
access-list dmz_access_in extended permit tcp host 10.8.200.50 host 10.8.16.221 eq ftp 
access-list dmz_access_in extended deny ip any 10.8.0.0 255.255.0.0 
access-list dmz_access_in extended permit ip any any 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.9.17.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.8.200.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.8.16.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.10.16.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.9.16.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.100.2.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit host Voicemail_Server 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.100.1.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit SHMSatellites 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit SHMSatellites2 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.10.17.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl remark SH_Montreal
access-list stonehengeny.com_splitTunnelAcl standard permit 10.100.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_6 10.8.85.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.143.100.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.168.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.166.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.168.250.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.142.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.168.200.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.9.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 10.9.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 10.10.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_3 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 10.100.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 10.8.85.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.8.86.0 255.255.255.128 
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.8.0.0 255.255.0.0 
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 10.9.16.0 255.255.255.0 
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 10.10.16.0 255.255.255.0 
access-list outside_4_cryptomap extended permit ip 10.8.0.0 255.255.0.0 192.168.250.0 255.255.255.0 
access-list outside_5_cryptomap extended permit ip 10.8.0.0 255.255.0.0 192.168.0.0 255.255.255.0 
access-list outside_6_cryptomap extended permit ip 10.8.0.0 255.255.0.0 192.166.0.0 255.255.255.0 
access-list ritz-fw_splitTunnelAcl standard permit 10.8.0.0 255.255.0.0 
access-list ritz-fw_splitTunnelAcl standard permit 10.9.16.0 255.255.255.0 
access-list GuestWireless_access_in extended permit ip 10.8.85.0 255.255.255.0 10.8.0.0 255.255.0.0 inactive 
access-list GuestWireless_access_in extended deny ip any 10.8.0.0 255.255.0.0 
access-list GuestWireless_access_in extended permit ip any any 
access-list dmz_nat0_outbound remark Allow Ritz Users Access to Barracuda
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list dmz_nat0_outbound remark Allow Olivia Users Access to Barracuda
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 10.9.16.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 10.8.85.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.143.100.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.166.0.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.168.250.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.142.1.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list outside_cryptomap_2 extended permit ip 10.8.0.0 255.255.0.0 10.100.16.0 255.255.255.0 
access-list inside_access_in extended permit udp 10.8.0.0 255.255.0.0 any object-group DM_INLINE_UDP_1 
global (outside) 101 interface
global (outside) 1 xxx.xxx.xxx.xxx netmask 255.255.255.255
global (outside) 102 xxx.xxx.xxx.xxx netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.8.18.0 255.255.255.0
nat (inside) 101 SHMSatellites 255.255.255.0
nat (inside) 101 10.100.1.0 255.255.255.0
nat (inside) 101 10.100.2.0 255.255.255.0
nat (inside) 101 10.8.0.0 255.255.0.0
nat (GuestWireless) 102 10.8.202.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 101 10.8.200.0 255.255.255.0
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer 1.1.1.1 
crypto map outside_map 3 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs 
crypto map outside_map 4 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs 
crypto map outside_map 5 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set pfs 
crypto map outside_map 6 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 6 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map GuestWireless_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map GuestWireless_map interface GuestWireless
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn fw-stonehenge
 subject-name CN=fw-stonehenge
 no client-types
 crl configure
crypto isakmp enable outside
crypto isakmp enable GuestWireless
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Pool
 authentication-server-group DC1
 default-group-policy stonehengeny.com
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group stonehengeny.com type remote-access
tunnel-group stonehengeny.com general-attributes
 address-pool VPN_Pool
 authentication-server-group DC1
 default-group-policy stonehengeny.com
tunnel-group stonehengeny.com ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group owa type remote-access
tunnel-group owa general-attributes
 default-group-policy owa
tunnel-group SHMobile type remote-access
tunnel-group SHMobile general-attributes
 address-pool VPN_Pool
 default-group-policy stonehengeny.com
 authorization-required
tunnel-group SHMobile ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group ritz-fw type remote-access
tunnel-group ritz-fw general-attributes
 address-pool VPN_Pool
 default-group-policy ritz-fw
tunnel-group ritz-fw ipsec-attributes
 pre-shared-key *
tunnel-group Mobility type remote-access
tunnel-group Mobility general-attributes
 address-pool VPN_Pool
 authentication-server-group DC1 LOCAL
 default-group-policy stonehengeny.com
tunnel-group Mobility webvpn-attributes
 group-alias Mobility enable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *


Asked by bulldogsdad
bulldogsdad (Author) commented:
Hey... thanks for sticking with this... it is really appreciated.
I think this is what you need: crypto map outside_map 3 is the Montreal connection in the HQ ASA.
Thanks again and Happy New Year to you!!
Ken Boone (Network Consultant) commented:
When you say "The issue is i can only ping the inside interface of the routers at both sides. "  Do you mean the inside interface of the ASAs or are you talking about other routers?
bulldogsdad (Author) commented:
My apologies... the ASAs. There are no other routers other than the circuit carriers' routers.
Ken Boone (Network Consultant) commented:
This is normal as the inside interface by default won't accept un-encrypted traffic coming from the outside to hit it.  So for instance if setup properly you can ssh from the other side to the inside of the one, but you can't telnet.  You can also https to it as well.  Can you do that?
bulldogsdad (Author) commented:
I understand what you are saying, but I can ping the inside interface from each side of the tunnel (10.8.16.254 to 10.100.16.254); I cannot ping anything past the router on either side.
So, for example, from a workstation on the HQ side (10.8.16.101) I can ping the inside interface of the ASA (10.100.16.254); however, I cannot ping a node on the remote side (10.100.16.2).
periferral commented:
Do you know which crypto map is being matched?
To me, it looks like, depending on which crypto map is matched, the appropriate access-list is matched and that does not have the tunnel information, or does not have a matching nat/acl.
periferral commented:
Also, you have not included the object groups, so it is hard to say if your access-lists are accurate.

For example, on the Sat side I see this:
access-list outside_cryptomap extended permit ip 10.100.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

But I don't see the definition of the object group DM_INLINE_NETWORK_1.

Same on the other side.
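The two things periferral asks for above (which crypto map entry is in play, and whether its crypto ACL, the far side's crypto ACL and the nat 0 exemption actually line up for the same source/destination pair) can be checked mechanically instead of by eye. The script below is an added example written for this page, not part of the thread and not a Cisco tool. It parses constructed excerpts of the two posted configs (HQ crypto map outside_map 3, Sat crypto map outside_map1 1) and reports, per side, proxy-ID pairs without a mirror image on the peer, pairs not covered by nat (inside) 0, object-groups it cannot resolve, and peers that are not real addresses. It assumes object-groups are written as `object-group network NAME` with `network-object` members (none are shown on the page, so DM_INLINE_NETWORK_1 is deliberately left undefined) and keeps the sanitised Sat peer xxx.xxx.xxx.xxx exactly as posted.

```python
"""Added check for an ASA 8.2 LAN-to-LAN crypto map pair: each proxy-ID pair in the
local crypto ACL must be mirrored in the remote crypto ACL and exempted by the local
nat (inside) 0 ACL, and the peer must be a real address, not a placeholder."""
import ipaddress
import re

# Constructed excerpts of the posted configs; DM_INLINE_NETWORK_1 and the Sat peer stay as posted.
SAT = """
access-list outside_cryptomap extended permit ip 10.100.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 10.8.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer xxx.xxx.xxx.xxx
"""
HQ = """
access-list outside_cryptomap_2 extended permit ip 10.8.0.0 255.255.0.0 10.100.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 10.100.16.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer 1.1.1.1
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
OG_RE = re.compile(r"^object-group network (\S+)$")
OG_MEMBER_RE = re.compile(r"^\s+network-object (.+)$")

def _operand(tokens, i):
    """Read one address operand at tokens[i]; return (value, index after it)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if t == "object-group":
        return ("object-group", tokens[i + 1]), i + 2
    try:  # "network mask" form
        return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2
    except ValueError:  # a 'name' alias whose address is not in the input
        return ("name", t), i + 2

def parse_config(text):
    """Collect extended ACLs, nat 0 bindings, crypto map entries and object-groups."""
    cfg = {"acl": {}, "nat0": {}, "map": {}, "og": {}}
    members = None  # member list of the object-group currently being read
    for line in map(str.rstrip, text.splitlines()):
        if (m := OG_RE.match(line)):
            members = cfg["og"].setdefault(m.group(1), [])
            continue
        if members is not None and (m := OG_MEMBER_RE.match(line)):
            members.append(_operand(m.group(1).split(), 0)[0])
            continue
        members = None
        if (m := ACL_RE.match(line)):
            toks = m.group(2).split()
            src, i = _operand(toks, 0)
            cfg["acl"].setdefault(m.group(1), []).append((src, _operand(toks, i)[0]))
        elif (m := NAT0_RE.match(line)):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif (m := MAP_RE.match(line)):
            entry = cfg["map"].setdefault((m.group(1), m.group(2)), {})
            entry["acl" if m.group(3) == "match address" else "peer"] = m.group(4)
    return cfg

def _expand(ep, cfg):
    """Concrete networks for an endpoint; [] when it cannot be resolved."""
    if not isinstance(ep, tuple):
        return [ep]
    if ep[0] == "object-group" and ep[1] in cfg["og"]:
        return [n for mem in cfg["og"][ep[1]] for n in _expand(mem, cfg)]
    return []

def proxy_ids(cfg, acl_name):
    """Return (resolved (src, dst) pairs, names that could not be resolved)."""
    pairs, unresolved = [], []
    for src, dst in cfg["acl"].get(acl_name, []):
        unresolved += [ep[1] for ep in (src, dst) if isinstance(ep, tuple) and not _expand(ep, cfg)]
        pairs += [(s, d) for s in _expand(src, cfg) for d in _expand(dst, cfg)]
    return pairs, unresolved

def check_entry(local, local_map, remote, remote_map, nat_iface="inside"):
    """Findings as (code, detail) tuples for one side of a LAN-to-LAN pair."""
    findings = []
    entry, rentry = local["map"][local_map], remote["map"][remote_map]
    pairs, unresolved = proxy_ids(local, entry["acl"])
    rpairs, runresolved = proxy_ids(remote, rentry["acl"])
    nat_pairs, _ = proxy_ids(local, local["nat0"].get(nat_iface, ""))
    for name in unresolved:
        findings.append(("UNRESOLVED", f"{entry['acl']} uses object-group {name}, which is not defined in the input"))
    for src, dst in pairs:
        if (dst, src) not in rpairs:
            findings.append(("NO_MIRROR", f"{src} -> {dst} has no {dst} -> {src} mirror in remote ACL {rentry['acl']}"
                             + (" (it may sit inside an unresolved object-group)" if runresolved else "")))
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat_pairs):
            findings.append(("NO_NAT0", f"{src} -> {dst} is not exempted from NAT by nat ({nat_iface}) 0"))
    try:
        ipaddress.ip_address(entry.get("peer", ""))
    except ValueError:
        findings.append(("BAD_PEER", f"peer '{entry.get('peer')}' is not an IP address"))
    return findings

def report(sat_text=SAT, hq_text=HQ):
    """Check HQ outside_map 3 against Sat outside_map1 1 in both directions."""
    sat, hq = parse_config(sat_text), parse_config(hq_text)
    return {"HQ -> Sat": check_entry(hq, ("outside_map", "3"), sat, ("outside_map1", "1")),
            "Sat -> HQ": check_entry(sat, ("outside_map1", "1"), hq, ("outside_map", "3"))}
```

On the excerpts as posted, `report()` returns NO_MIRROR for the HQ side (the 10.100.16.0/24 -> 10.8.0.0/16 mirror could only be inside DM_INLINE_NETWORK_1, which is not shown) and UNRESOLVED plus BAD_PEER for the Sat side. Once the `object-group network` definitions from the full configs are pasted into the input, the same run either comes back clean or names the exact proxy-ID pair that lacks its mirror or its NAT exemption. It checks configuration intent only; `show crypto ipsec sa` on the ASA still shows which proxy IDs the SA actually negotiated and whether packets are being encapsulated and decapsulated.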
bulldogsdad (Author) commented:
I have attached the full configs for the HQ (888) and the Sat (Montreal)
Thanks for pointing that out!

888-ASA1.txt
Montreal-ASA1.txt
periferral commented:
I looked through the Montreal side and everything looks okay.
The HQ site: I need to know which crypto map is being matched. Since the peer is XXX'd out, I need to follow which access-lists are being matched.
periferral commented:
Hey, not sure what happened, but I posted a reply that never made it.

I looked at crypto map 3 and it looked like this:

crypto map outside_map 3 set peer 1.1.1.1

I was wondering why the peer was set to 1.1.1.1 rather than the remote side IP address.
periferral commented:
I'm just curious, but you seem to have accepted your own comment as a solution.