Solved

ASA 5505 to ASA 5510 only passing one way traffic

Posted on 2011-03-07
Last Modified: 2012-05-11
We have a Cisco ASA 5510 on which we were able to configure LAN-to-LAN VPN tunnels to outside ASA 5505s. However, we can't ping across to the remote LANs. Also, the status in ASDM shows traffic only RX, not TX (see attached pic).

Any ideas?


PMCTMPASA01# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 184.191.141.90
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 68.98.222.214
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
Question by: corpdsinc

Accepted Solution by: asavener
ID: 35063045
You probably need a static route for the remote LAN that goes out your outside interface.

Alternately, you may need to exempt the traffic from any NAT rules that you have.

Can you provide the running configuration?

Author Comment by: corpdsinc
ID: 35063147
Have done the NAT exempt. Static routes don't help either.

asdm image disk0:/asdm512.bin
asdm location 10.0.11.0 255.255.255.0 Reuters
asdm location 10.0.20.0 255.255.255.0 Reuters
asdm location 10.0.25.0 255.255.255.0 Reuters
asdm location 10.100.0.0 255.255.255.0 Reuters
asdm location 67.91.84.x 255.255.255.255 Reuters
asdm location 67.91.84.x 255.255.255.255 Reuters
asdm location 192.168.0.0 255.255.255.0 Reuters
asdm location 192.168.10.0 255.255.255.0 Reuters
asdm location 192.168.150.0 255.255.255.0 Reuters
asdm location 192.168.158.0 255.255.255.0 Reuters
asdm location 10.0.0.50 255.255.255.255 inside
asdm location 10.0.0.35 255.255.255.255 inside
asdm location 10.0.0.62 255.255.255.255 inside
asdm location 184.191.135.x 255.255.255.255 Reuters
asdm location 10.0.0.15 255.255.255.255 inside
asdm location 10.0.0.16 255.255.255.255 inside
asdm location 184.191.x.x 255.255.255.255 COX
asdm location 98.174.x 255.255.255.255 inside
asdm location 10.0.21.0 255.255.255.0 COX
no asdm history enable
: Saved
:
ASA Version 7.1(2)
!
hostname PMCTMPASA01
domain-name peoplesmortgage.net
enable password OsjPKXgWE5.N6im0 encrypted
no names
name 10.0.0.8 PMCTS01
name 10.0.25.0 Legacy_Gil
name 10.0.20.0 Legacy_Phx
!
interface Ethernet0/0
 description Access for the Reuters computer.
 nameif Reuters
 security-level 100
 ip address 192.168.10.1 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 description COX ISP 98.174.232.7
 nameif COX
 security-level 0
 ip address 98.174.232.7 255.255.255.240
!
interface Management0/0
 shutdown
 nameif Management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd OsjPKXgWE5.N6im0 encrypted
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
 domain-name peoplesmortgage.net
object-group service MAIL tcp
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq smtp
access-list Outside_nat0_inbound extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.158.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.25.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list Outside_cryptomap_81 extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list toSPR extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list vpnlist extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list Outside_cryptomap_61 extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list COX_nat0_inbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 inactive
access-list Outside_cryptomap_121 extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list COX_access_in extended permit icmp any any

access-list COX_cryptomap_141_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 30
logging enable
logging buffer-size 8192
logging buffered informational
logging trap notifications
logging asdm informational
logging queue 8192
mtu Reuters 1472
mtu inside 1472
mtu COX 1500
mtu Management 1500
ip local pool swim 10.0.11.1-10.0.11.250
ip local pool pptp-pool 192.168.158.1-192.168.158.50
ip verify reverse-path interface Reuters
icmp permit host 74.206.96.172 Reuters
icmp permit host 10.0.0.6 inside
icmp permit any COX
asdm image disk0:/asdm512.bin
no asdm history enable
arp timeout 14400
global (COX) 10 interface
nat (Reuters) 0 access-list Outside_nat0_inbound outside
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (COX) 0 access-list COX_nat0_inbound outside
nat (Management) 10 0.0.0.0 0.0.0.0
static (inside,COX) tcp 174.79.x.x www 10.0.0.6 www netmask 255.255.255.255
static (inside,COX) tcp 184.191.x.x www 10.0.0.16 www netmask 255.255.255.255
static (inside,COX) tcp 174.79.x.x smtp 10.0.0.6 smtp netmask 255.255.255.255
static (inside,COX) tcp 184.191.x.x smtp 10.0.0.16 smtp netmask 255.255.255.255
static (inside,COX) tcp 174.79.x ident 10.0.0.6 ident netmask 255.255.255.255
static (inside,COX) tcp 174.79x pop3 10.0.0.6 pop3 netmask 255.255.255.255
static (inside,COX) udp 174.79.xsnmp 10.0.0.6 snmp netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3399 10.0.0.99 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3396 10.0.0.96 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3395 10.0.0.95 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3394 10.0.0.94 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3393 10.0.0.93 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3392 10.0.0.92 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3391 10.0.0.91 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3390 10.0.0.90 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3398 10.0.0.98 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3397 10.0.0.97 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3388 10.0.0.35 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3333 10.0.0.7 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x https 10.0.0.6 https netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3389 10.0.0.6 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x https 10.0.0.15 https netmask 255.255.255.255
static (inside,COX) tcp 184.1915x www 10.0.0.15 www netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3389 10.0.0.15 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3389 10.0.0.16 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x https 10.0.0.16 https netmask 255.255.255.255
static (Reuters,COX) 174.79.x 192.168.10.10 netmask 255.255.255.255
access-group COX_access_in in interface COX
route COX 4.2.2.2 255.255.255.255 98.174.x
route COX 0.0.0.0 0.0.0.0 98.174.x
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authme protocol radius
group-policy rtpvpn internal
group-policy rtpvpn attributes
 vpn-idle-timeout 50
username admin password fusSSOF8zyiGyWCw encrypted privilege 15
username user1it1noc password lrTYKCzbbxVGu9u3 encrypted privilege 15
username cdsi password XeltccmFWmjatpCE encrypted
http server enable
http 10.0.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 COX
snmp-server host inside 10.0.0.6 community Changer
snmp-server host inside 10.0.0.7 community Changer
snmp-server host Reuters 74.206.96.172 community Changer
snmp-server location Tempe, Arizona
no snmp-server contact
snmp-server community Changer
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ciscotest esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 1 set transform-set strong
crypto dynamic-map dyna 1 set security-association lifetime seconds 28800
crypto map rtpmap 81 match address Outside_cryptomap_81
crypto map rtpmap 81 set peer 74.206.x.x
crypto map rtpmap 81 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map rtpmap 121 match address Outside_cryptomap_121
crypto map rtpmap 121 set pfs group1
crypto map rtpmap 121 set peer 184.191.x.x
crypto map rtpmap 121 set transform-set ESP-DES-MD5
crypto map rtpmap 141 match address COX_cryptomap_141_1
crypto map rtpmap 141 set peer 68.98.x.x
crypto map rtpmap 141 set transform-set ESP-DES-MD5
crypto map rtpmap interface COX
isakmp identity address
isakmp enable inside
isakmp enable COX
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 1000
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 1
isakmp policy 15 lifetime 3600
isakmp policy 16 authentication pre-share
isakmp policy 16 encryption des
isakmp policy 16 hash md5
isakmp policy 16 group 2
isakmp policy 16 lifetime 3600
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group rtpvpn type ipsec-ra
tunnel-group rtpvpn general-attributes
 default-group-policy rtpvpn
tunnel-group rtpvpn ipsec-attributes
 pre-shared-key *
tunnel-group 74.206.x type ipsec-l2l
tunnel-group 74.206.x ipsec-attributes
 pre-shared-key *
tunnel-group 68.98.x.x type ipsec-l2l
tunnel-group 68.98.x.x ipsec-attributes
 pre-shared-key *
tunnel-group 184.191.x.x type ipsec-l2l
tunnel-group 184.191.x ipsec-attributes
 pre-shared-key *
telnet 74.206.x 255.255.255.255 Reuters
telnet 0.0.0.0 0.0.0.0 Reuters
telnet 10.100.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh 171.68.225.x 255.255.255.255 Reuters
ssh 171.69.88.x 255.255.255.255 Reuters
ssh 0.0.0.0 0.0.0.0 Reuters
ssh 10.0.0.6 255.255.255.255 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 COX
ssh timeout 30
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
webvpn
 enable Reuters
 url-list peoples "Email" http://10.0.0.6/exchange 1
smtp-server 10.0.0.6
Cryptochecksum:db87ec641ec3366132023a58eeeab27a
: end

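As an added example, not code from the thread, the following Python script applies the two checks the accepted answer names (NAT exemption and a route for the remote LAN) to a fragment constructed from the running config posted just above. It parses the nat 0 exemption ACL, the crypto map match ACLs, the interface the crypto map is bound to and the static routes, then reports any crypto ACL entry whose remote network is not exempted from NAT or is not routed out the crypto map's interface. The default-route next hop 98.174.232.1 is an assumption, since the posted config masks it; the BROKEN variant drops one nonat line so a finding is visible.

```python
"""Added example (not from the thread): apply the accepted answer's two checks,
NAT exemption and a route to the remote LAN, to an ASA 7.x config fragment.
The fragment is constructed from the running config posted above; the default
route next hop is an assumption because the page masks it."""
import ipaddress
import re

CONFIG = """
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Outside_cryptomap_81 extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list Outside_cryptomap_121 extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list COX_cryptomap_141_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
global (COX) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
crypto map rtpmap 81 match address Outside_cryptomap_81
crypto map rtpmap 121 match address Outside_cryptomap_121
crypto map rtpmap 141 match address COX_cryptomap_141_1
crypto map rtpmap interface COX
route COX 0.0.0.0 0.0.0.0 98.174.232.1
"""

# Same fragment with the exemption for the 192.168.0.0/24 site removed, to show a finding.
BROKEN = CONFIG.replace(
    "access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0\n", "")

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
CMAP_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
CMAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def net(addr, mask):
    """Build a network from the 'address netmask' pair the ASA CLI uses."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Pull out the handful of statements the two checks depend on."""
    acls, nat0, cmaps, cmap_if, routes = {}, {}, {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]                      # interface -> exemption ACL name
        elif m := CMAP_MATCH_RE.match(line):
            cmaps[(m[1], int(m[2]))] = m[3]        # (map, seq) -> crypto ACL name
        elif m := CMAP_IF_RE.match(line):
            cmap_if[m[1]] = m[2]                   # map -> interface it is bound to
        elif m := ROUTE_RE.match(line):
            routes.append((m[1], net(m[2], m[3]), m[4]))
    return acls, nat0, cmaps, cmap_if, routes


def covered(pair, acl):
    """True if an ACL entry covers the src/dst pair (entry networks may be supernets)."""
    src, dst = pair
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in acl)


def best_route(dst, routes):
    """Longest-prefix match over static routes; the default route is a valid match."""
    hits = [r for r in routes if dst.subnet_of(r[1])]
    return max(hits, key=lambda r: r[1].prefixlen) if hits else None


def check(config, inside_if="inside"):
    """Return one finding per crypto ACL entry that is not NAT-exempted or not routed
    out the crypto map's interface; an empty list means both checks pass."""
    acls, nat0, cmaps, cmap_if, routes = parse(config)
    exempt = acls.get(nat0.get(inside_if, ""), [])
    findings = []
    for (name, seq), acl in sorted(cmaps.items()):
        for pair in acls.get(acl, []):
            local, remote = pair
            if not covered(pair, exempt):
                findings.append(f"{name} {seq}: {local} -> {remote} is not NAT-exempted by "
                                f"nat ({inside_if}) 0; it is translated before the crypto ACL is evaluated")
            route = best_route(remote, routes)
            if route is None:
                findings.append(f"{name} {seq}: no route to {remote}")
            elif route[0] != cmap_if.get(name):
                findings.append(f"{name} {seq}: route to {remote} exits {route[0]} "
                                f"but the crypto map is on {cmap_if.get(name)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", CONFIG), ("without 192.168.0.0/24 exemption", BROKEN)):
        print(f"{label}: {check(cfg) or 'no findings'}")
```

Run against the posted config this reports nothing, which matches the author's statement that NAT exemption is already in place: all three crypto ACL entries are mirrored in nonat and the default route covers them out COX. The script only sees this side of each tunnel; the remote 5505's crypto ACL and its own NAT exemption have to mirror these entries exactly, and a mismatch there is a common cause of traffic flowing in one direction only.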
 
Expert Comment by: asavener
ID: 35063505
What about internal routing?  Do your internal machines use this device as the next-hop for the 192.168.0.0/24 network?

Try this command in a command prompt on a Windows machine:

route add 192.168.0.0 mask 255.255.255.0 10.0.0.1

(On Windows 7 or 2008 you will need to elevate privileges before this will run successfully.)

 
Author Comment by: corpdsinc
ID: 35063533
Tried that. But it still can't get to the other side... I know .205 is a live host (pingable).

Z:\>route add 192.168.0.0 mask 255.255.255.0 10.0.0.1

Z:\>ping 192.168.0.205

Pinging 192.168.0.205 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.205:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Z:\>tracert 192.168.0.205

Tracing route to 192.168.0.205 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *

Author Comment by: corpdsinc
ID: 35064716
Also, I noticed when I ping one of the remote sites, i.e. 192.168.0.205, the logs show 106010: Deny inbound protocol 50 src Remote IP x.x.x.x dst Local int ip xx.x..x
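
The 106010 message quoted above is worth reading literally. Protocol 50 is ESP, and ESP that gets as far as the COX interface ACL is ESP the ASA did not decrypt; in practice that means no inbound IPsec SA matched the packet's SPI even though IKE (phase 1) shows MM_ACTIVE, so it points at IPsec SA state between the peers rather than at ICMP policy, and it fits the thread's outcome where the tunnel came back after the config was reloaded. As an added example, not from the thread, the following Python script parses the show crypto isakmp sa output from the top of the thread together with a syslog sample and reports per-peer ESP drops alongside the peer's IKE state. The syslog lines are constructed in the documented 106010 format; the 203.0.113.9 source and the 302020 line are filler to show what gets filtered out.

```python
"""Added example (not from the thread): correlate ASA syslog 106010 ESP drops with
the IKE peers from 'show crypto isakmp sa'. The SA listing is the one posted at the
top of the thread; the syslog lines are constructed in the documented 106010 format
(the 203.0.113.9 source and the 302020 line are filler to show filtering)."""
import re
from collections import Counter

ISAKMP_SA = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 184.191.141.90
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 68.98.222.214
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample; interface name and local address follow the posted config.
SYSLOG = """\
%ASA-3-106010: Deny inbound protocol 50 src COX:68.98.222.214 dst COX:98.174.232.7
%ASA-3-106010: Deny inbound protocol 50 src COX:68.98.222.214 dst COX:98.174.232.7
%ASA-3-106010: Deny inbound protocol 50 src COX:203.0.113.9 dst COX:98.174.232.7
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.0.205/0 gaddr 10.0.0.50/1 laddr 10.0.0.50/1
"""

PEER_SPLIT_RE = re.compile(r"^\d+\s+IKE Peer:\s+", re.M)
STATE_RE = re.compile(r"State\s*:\s*(\S+)")
# 106010 for protocol 50 (ESP) carries no ports: 'src <if>:<addr> dst <if>:<addr>'.
DENY_ESP_RE = re.compile(r"%ASA-\d-106010: Deny inbound protocol 50 src (\S+?):(\S+) dst (\S+?):(\S+)")


def parse_isakmp(text):
    """Map each IKE peer address to its phase-1 state (e.g. MM_ACTIVE)."""
    peers = {}
    for block in PEER_SPLIT_RE.split(text)[1:]:
        addr = block.split()[0]
        state = STATE_RE.search(block)
        peers[addr] = state[1] if state else "UNKNOWN"
    return peers


def esp_drops(syslog):
    """Count ESP packets the interface ACL denied, keyed by (source address, interface)."""
    counts = Counter()
    for line in syslog.splitlines():
        m = DENY_ESP_RE.search(line)
        if m:
            counts[(m[2], m[1])] += 1
    return counts


def classify(isakmp_text, syslog):
    """ESP from a peer whose IKE SA is up means the ASA had no inbound IPsec SA for the
    packet's SPI (it was never decrypted, so it fell through to the interface ACL).
    ESP from an address with no IKE SA is not tunnel traffic at all."""
    peers = parse_isakmp(isakmp_text)
    findings = []
    for (src, iface), n in sorted(esp_drops(syslog).items()):
        if src in peers:
            findings.append(f"{src}: {n} ESP packet(s) dropped on {iface} while IKE is {peers[src]}; "
                            f"no inbound IPsec SA matched, check 'show crypto ipsec sa peer {src}' "
                            f"and renegotiate phase 2")
        else:
            findings.append(f"{src}: {n} ESP packet(s) on {iface} from an address with no IKE SA")
    return findings


if __name__ == "__main__":
    for finding in classify(ISAKMP_SA, SYSLOG):
        print(finding)
```

MM_ACTIVE only proves phase 1. The per-direction counters that ASDM's RX/TX display reflects are the pkts encaps/decaps lines in show crypto ipsec sa, so that is where a one-way tunnel shows up; if the inbound SPI there does not line up with what the peer is sending, clear crypto ipsec sa peer <addr> makes both ends renegotiate phase 2, which is what reloading the config achieved here.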
 
Expert Comment by: asavener
ID: 35070138
Yes, ICMP filtering is handled kind of funny on the ASA.  If there is some service that's available on the remote end, you should try just connecting to it.

ASA/PIX/FWSM: Handling ICMP Pings and Traceroute

Internet Control Message Protocol (ICMP) pings and traceroute on the PIX Firewall are handled differently based on the version of PIX and ASA code.

Inbound ICMP through the PIX/ASA is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.


Follow the link for detailed instructions on allowing ICMP to work through the ASA.

Author Comment by: corpdsinc
ID: 35111368
We reloaded the config. Works now. Thanks for the help.