Troubleshooting question: Can only ping inside router interface on site-to-site tunnel

Asked by bulldogsdad (United States of America)
Topics: VPN, Internet Protocol Security, Cisco
11 comments, 1 solution, 745 views
Experts,

We have an established site-to-site VPN tunnel (Phase I and Phase II good) using a Cisco ASA 5510 at HQ and a Cisco ASA 5505 at the remote side. They are both running 8.21 code. The issue is I can only ping the inside interface of the routers at both sides. Our HQ has three remote sites, two of which are up and running perfectly; this third one is giving us an issue. I have looked at the programming too many times and would like a new set of experienced eyes to take a look and tell me what we did incorrectly.

As always, your assistance is very much appreciated!!

I have included the programming from the HQ and the remote side for review (labelled HQ and Sat). The local IP scheme for the Sat is 10.100.16.0 /24 and the local IP scheme for the HQ is 10.8.0.0 /16.

Please let me know if you need anything else.

Thanks again!

Sat - Local IP 10.100.16.0 /24

access-list outside_cryptomap extended permit ip 10.100.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list SHM_Networks standard permit 10.100.16.0 255.255.255.0 
access-list SHM_Networks standard permit 10.9.16.0 255.255.255.0 
access-list SHM_Networks standard permit 10.8.0.0 255.255.0.0 
access-list SHM_Networks standard permit 10.10.16.0 255.255.255.0 
access-list SHM_Networks standard permit SH_Village 255.255.255.0 
access-list SHM_Networks standard permit Merrit_House 255.255.255.0 
access-list outside_access_in extended permit icmp any any 
access-list outside_1_cryptomap extended permit ip 10.100.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 Merrit_House 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 SH_Village 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 10.9.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 10.8.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list outside_3_cryptomap extended permit ip 10.100.16.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list Montreal_splitTunnelAcl standard permit 10.100.16.0 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list inside_access_out extended permit ip any any 
access-list inside_nat0_outboundextended extended permit ip 10.100.16.0 255.255.255.0 10.8.0.0 255.255.0.0 
access-list outside_access_in_1 extended permit ip any any 
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs 
crypto map outside_map1 1 set peer xxx.xxx.xxx.xxx 
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group Montreal type remote-access
tunnel-group Montreal general-attributes
 address-pool Montreal
 default-group-policy Montreal
tunnel-group Montreal ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group SHMontreal type remote-access
tunnel-group SHMontreal general-attributes
 address-pool SHMontrealVP
tunnel-group SHMontreal ipsec-attributes
 pre-shared-key *

HQ - Local IP 10.8.0.0 /16

access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp object-group ECI any object-group trusted-tcp 
access-list outside_access_in extended permit udp object-group ECI any object-group trusted-udp 
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq https 
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq smtp 
access-list outside_access_in extended permit icmp any host xxx.xxx.xxx.xxx inactive 
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx object-group Active_Sync 
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 10.8.0.0 255.255.0.0 inactive 
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.8.0.0 255.255.0.0 inactive 
access-list dmz_access_in extended permit tcp host 10.8.200.50 host 10.8.16.222 eq smtp 
access-list dmz_access_in extended permit tcp host xxx.xxx.xxx.xxx object-group Active_Sync host 10.8.16.222 object-group Active_Sync inactive 
access-list dmz_access_in remark citrix
access-list dmz_access_in extended permit tcp host 10.8.200.51 host 10.8.16.224 object-group DM_INLINE_TCP_1 
access-list dmz_access_in extended permit tcp host 10.8.200.50 host 10.8.16.221 eq ftp 
access-list dmz_access_in extended deny ip any 10.8.0.0 255.255.0.0 
access-list dmz_access_in extended permit ip any any 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.9.17.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.8.200.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.8.16.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.10.16.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.9.16.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.100.2.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit host Voicemail_Server 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.100.1.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit SHMSatellites 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit SHMSatellites2 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl standard permit 10.10.17.0 255.255.255.0 
access-list stonehengeny.com_splitTunnelAcl remark SH_Montreal
access-list stonehengeny.com_splitTunnelAcl standard permit 10.100.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_6 10.8.85.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.143.100.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.168.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.166.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.168.250.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.142.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 192.168.200.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.9.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 10.9.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.2.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.100.1.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 10.10.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_3 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 10.100.16.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 10.8.85.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.8.86.0 255.255.255.128 
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.8.0.0 255.255.0.0 
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 10.9.16.0 255.255.255.0 
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 10.10.16.0 255.255.255.0 
access-list outside_4_cryptomap extended permit ip 10.8.0.0 255.255.0.0 192.168.250.0 255.255.255.0 
access-list outside_5_cryptomap extended permit ip 10.8.0.0 255.255.0.0 192.168.0.0 255.255.255.0 
access-list outside_6_cryptomap extended permit ip 10.8.0.0 255.255.0.0 192.166.0.0 255.255.255.0 
access-list ritz-fw_splitTunnelAcl standard permit 10.8.0.0 255.255.0.0 
access-list ritz-fw_splitTunnelAcl standard permit 10.9.16.0 255.255.255.0 
access-list GuestWireless_access_in extended permit ip 10.8.85.0 255.255.255.0 10.8.0.0 255.255.0.0 inactive 
access-list GuestWireless_access_in extended deny ip any 10.8.0.0 255.255.0.0 
access-list GuestWireless_access_in extended permit ip any any 
access-list dmz_nat0_outbound remark Allow Ritz Users Access to Barracuda
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 10.10.16.0 255.255.255.0 
access-list dmz_nat0_outbound remark Allow Olivia Users Access to Barracuda
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 10.9.16.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 10.8.85.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.143.100.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.166.0.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.168.250.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.142.1.0 255.255.255.0 
access-list dmz_nat0_outbound extended permit ip 10.8.200.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list outside_cryptomap_2 extended permit ip 10.8.0.0 255.255.0.0 10.100.16.0 255.255.255.0 
access-list inside_access_in extended permit udp 10.8.0.0 255.255.0.0 any object-group DM_INLINE_UDP_1 
global (outside) 101 interface
global (outside) 1 xxx.xxx.xxx.xxx netmask 255.255.255.255
global (outside) 102 xxx.xxx.xxx.xxx netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.8.18.0 255.255.255.0
nat (inside) 101 SHMSatellites 255.255.255.0
nat (inside) 101 10.100.1.0 255.255.255.0
nat (inside) 101 10.100.2.0 255.255.255.0
nat (inside) 101 10.8.0.0 255.255.0.0
nat (GuestWireless) 102 10.8.202.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 101 10.8.200.0 255.255.255.0
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer 1.1.1.1 
crypto map outside_map 3 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs 
crypto map outside_map 4 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs 
crypto map outside_map 5 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set pfs 
crypto map outside_map 6 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 6 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map GuestWireless_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map GuestWireless_map interface GuestWireless
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn fw-stonehenge
 subject-name CN=fw-stonehenge
 no client-types
 crl configure
crypto isakmp enable outside
crypto isakmp enable GuestWireless
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Pool
 authentication-server-group DC1
 default-group-policy stonehengeny.com
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group stonehengeny.com type remote-access
tunnel-group stonehengeny.com general-attributes
 address-pool VPN_Pool
 authentication-server-group DC1
 default-group-policy stonehengeny.com
tunnel-group stonehengeny.com ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group owa type remote-access
tunnel-group owa general-attributes
 default-group-policy owa
tunnel-group SHMobile type remote-access
tunnel-group SHMobile general-attributes
 address-pool VPN_Pool
 default-group-policy stonehengeny.com
 authorization-required
tunnel-group SHMobile ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group ritz-fw type remote-access
tunnel-group ritz-fw general-attributes
 address-pool VPN_Pool
 default-group-policy ritz-fw
tunnel-group ritz-fw ipsec-attributes
 pre-shared-key *
tunnel-group Mobility type remote-access
tunnel-group Mobility general-attributes
 address-pool VPN_Pool
 authentication-server-group DC1 LOCAL
 default-group-policy stonehengeny.com
tunnel-group Mobility webvpn-attributes
 group-alias Mobility enable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
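The two configs above can be cross-checked mechanically rather than by eye. The script below is an added example and is not code from the original post or from Cisco: it parses only the `access-list NAME extended permit ip SRC DST` syntax that appears in the question and, for each entry in one side's crypto ACL, checks that the peer's crypto ACL carries the mirror image and that the local `nat (inside) 0` ACL exempts the same pair. The sample inputs are a constructed subset of the posted HQ and Sat lines plus two constructed variants (one with the Sat object-group spelled out, one with a wrong NAT-exemption destination); all function names and finding codes are this example's own.

```python
"""Cross-check the crypto ACL against the NAT-exemption ACL for an ASA 8.2 L2L pair.

Added example, not code from the original post. Only the
"access-list NAME extended permit ip SRC DST" form is parsed.
"""
import ipaddress
import re

ACE_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+(?P<rest>.+?)\s*$")


def _parse_endpoint(tokens):
    """Consume one address spec from tokens; return ((kind, value), remaining_tokens).

    kind is "net" for a concrete network, "group" for an object-group reference and
    "name" for a symbolic 'name' entry (e.g. Merrit_House) whose address is not in
    the dump and therefore cannot be compared.
    """
    if tokens[0] == "any":
        return ("net", ipaddress.ip_network("0.0.0.0/0")), tokens[1:]
    if tokens[0] == "host":
        return ("net", ipaddress.ip_network(tokens[1] + "/32")), tokens[2:]
    if tokens[0] == "object-group":
        return ("group", tokens[1]), tokens[2:]
    try:
        # "NET MASK" pair; strict=False tolerates host bits in the address
        net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    except ValueError:
        return ("name", tokens[0]), tokens[2:]
    return ("net", net), tokens[2:]


def parse_aces(config_text):
    """Return {acl_name: [(src, dst), ...]} for every 'extended permit ip' ACE."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src, tokens = _parse_endpoint(m.group("rest").split())
        dst, _ = _parse_endpoint(tokens)
        acls.setdefault(m.group("name"), []).append((src, dst))
    return acls


def _within(ep, container):
    """True when both endpoints are concrete networks and ep lies inside container."""
    return ep[0] == "net" and container[0] == "net" and ep[1].subnet_of(container[1])


def check_pair(local_cfg, local_crypto, local_nat0, remote_cfg, remote_crypto):
    """Return (code, message) findings for the local side of one L2L tunnel.

    For each ACE in the local crypto ACL: (1) the peer's crypto ACL must carry the
    mirror image (src/dst swapped) or the Phase 2 proxy identities disagree, and
    (2) the local nat 0 ACL must cover the same pair or the traffic is PATed to the
    global address before it reaches the crypto map and never matches it.
    """
    findings = []
    local = parse_aces(local_cfg)
    peers = parse_aces(remote_cfg).get(remote_crypto, [])
    for src, dst in local.get(local_crypto, []):
        if src[0] != "net" or dst[0] != "net":
            findings.append(("unresolved", f"{local_crypto}: {src[1]} -> {dst[1]} uses a group/name not in the dump"))
            continue
        if any(rs == dst and rd == src for rs, rd in peers):
            pass  # mirrored exactly on the peer
        elif any((rs == dst and rd[0] != "net") or (rd == src and rs[0] != "net") for rs, rd in peers):
            findings.append(("peer-unresolved", f"{remote_crypto}: mirror of {src[1]} -> {dst[1]} hides behind a group/name"))
        else:
            findings.append(("no-mirror", f"{remote_crypto}: no mirror of {src[1]} -> {dst[1]}"))
        if not any(_within(src, ns) and _within(dst, nd) for ns, nd in local.get(local_nat0, [])):
            findings.append(("no-nat0", f"{local_nat0}: {src[1]} -> {dst[1]} is not exempt from NAT"))
    return findings


# Constructed subset of the posted HQ configuration.
HQ_CFG = """
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 10.100.16.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.8.0.0 255.255.0.0 10.100.16.0 255.255.255.0
"""
# Constructed subset of the posted Sat configuration; DM_INLINE_NETWORK_1's members are not in the post.
SAT_CFG = """
access-list outside_cryptomap extended permit ip 10.100.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 10.8.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 Merrit_House 255.255.255.0
"""
# Constructed variants (not from the post): Sat with the group spelled out, HQ with a wrong nat 0 destination.
SAT_RESOLVED_CFG = """
access-list outside_cryptomap extended permit ip 10.100.16.0 255.255.255.0 10.8.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.100.16.0 255.255.255.0 10.8.0.0 255.255.0.0
"""
HQ_BAD_NAT0_CFG = """
access-list inside_nat0_outbound extended permit ip 10.8.0.0 255.255.0.0 10.10.16.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.8.0.0 255.255.0.0 10.100.16.0 255.255.255.0
"""

if __name__ == "__main__":
    runs = {
        "HQ -> Sat (as posted)": (HQ_CFG, "outside_cryptomap_2", "inside_nat0_outbound", SAT_CFG, "outside_cryptomap"),
        "Sat -> HQ (as posted)": (SAT_CFG, "outside_cryptomap", "inside_nat0_outbound", HQ_CFG, "outside_cryptomap_2"),
        "HQ -> Sat (bad nat 0)": (HQ_BAD_NAT0_CFG, "outside_cryptomap_2", "inside_nat0_outbound", SAT_RESOLVED_CFG, "outside_cryptomap"),
    }
    for label, args in runs.items():
        print(label, check_pair(*args) or "OK")
```

On the lines as posted, the HQ side passes both checks, but the Sat side's crypto ACL cannot be verified because it references `object-group DM_INLINE_NETWORK_1`, whose members are not in the dump; the same applies to the `name` entries (Merrit_House, SH_Village). The `object-group` and `name` definitions are what a reviewer needs next. Separately, a reply to a ping aimed at the far ASA's inside interface is generated by the ASA itself, so it proves the SAs are up but says nothing about whether hosts behind it route their return traffic to the ASA or answer ICMP at all.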