asked on

Can't Ping/SSH/Http to Cisco ASA from across VPN link

I have a strange problem that I can't figure out. I have a site to site VPN set up between an ASA and a PIX. The PIX is at the main office (192.168.0.0/24), and the ASA is a new addition at a remote office (192.168.6.0/24).
I can access hosts across the VPN without any problems. I can browse to remote web servers, ssh, everything. The one thing that won't work is any sort of communication between the PIX network, and the inside interface of the ASA. From the 192.168.0.0/24 network I can't ping, ssh, or https to 192.168.6.1.
I have ssh/https enabled for any host inside or outside(for testing, anyway). And ping should all be working as well. I can ping 192.168.6.1 from the 192.168.6.0/24 network, as well as ping/ssh/https to the outside interface from the internet.

Here's what shows up in the log on the ASA when I try to SSH to it from the PIX network:

Built inbound TCP connection 10901 for outside:192.168.0.11/15885 (192.168.0.11/15885) to identity:192.168.6.1/22 (192.168.6.1/22)
Teardown TCP connection 10901 for outside:192.168.0.11/15885 to identity:192.168.6.1/22 duration 0:00:00 bytes 0 TCP Reset by appliance

I can't figure out why this is being such a pain. Here's some of the relevant config from the ASA.

If I need to provide more info, please let me know. Thanks!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list 101 extended permit icmp any any echo 
access-list 101 extended permit icmp any any echo-reply 
access-list 101 extended permit icmp any any unreachable 
access-list 101 extended permit icmp any any time-exceeded 
access-list 101 extended permit icmp any any source-quench 
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface inside
access-group 101 out interface inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options

Open in new window

ASKER CERTIFIED SOLUTION

Les Moore

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

swrighthm

ASKER

Wow, I feel like a retard now. I've configured plenty of ASA's and never remember having to specify that. I guess I took it for granted.
Thanks for the help