Site to Site VPN Cisco ASA and Cisco Router

Hello Experts,
I have configured  Site to Site IPSec VPN between our Cisco ASA and Cisco Router. The VPN is up but I cannot ping the devices each other from both sites. I dont know what's wrong with the configuration I have Remote Access VPN configured on our ASA for Cisco Anyconnect and Cisco VPN Client


Router Configuration

hostname Router
!

!
!
ip cef
!
!
!
username admin privilege 15 password 0 come$takeit
!
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
crypto isakmp key cisco123 address 1.1.1.1
!
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.1.1.1
 set peer 1.1.1.1
 set transform-set test
 match address 100
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.16.8 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip access-group 101 out
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname **************
 ppp chap password 7 ************************
 ppp pap sent-username ********************************
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.16.0 0.0.3.255 10.1.2.0 0.0.0.255
access-list 101 remark SDM_ACL Category=19
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.16.0 0.0.3.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.3.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
!
scheduler max-task-time 5000
end


ASA Configuration

      access-list Outside_1_cryptomap line 1 extended permit ip 10.1.2.0 255.255.255.0 192.168.16.0 255.255.252.0
      tunnel-group 2.2.2.2 type ipsec-l2l
      tunnel-group 2.2.2.2 ipsec-attributes
        pre-shared-key **********
        isakmp keepalive threshold 10 retry 2
      crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
      crypto map Outside_map 1 match address Outside_1_cryptomap
      crypto map Outside_map 1 set  peer  2.2.2.2
      crypto map Outside_map 1 set  transform-set  ESP-AES-128-SHA


Any help please?

Thanks
LVL 3
cciedreamerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lisaraoCommented:
Security Appliance license must be enabled for Data Encryption Standard (DES) encryption

Check if you have ASDM Configured on ASA interface

else download and install cisco asmd

Once its installed you have plenty of ways to configure.

check this and reply back
0
cciedreamerAuthor Commented:
I have no idea what you are talking about

I have problem pinging the sites.
0
Pete LongTechnical ConsultantCommented:
>>I have no idea what you are talking about

<grin>

Don't forget that ping is disabled on the ASA unless you have enabled ICMP in the inspection map

I'm quite weak on the router IOS (sorry)

Try to bring up the tunnel, then on the ASA issue a show cry isa command to see if phase 1 has esablished.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

AkinsdNetwork AdministratorCommented:
Check if the "interesting traffic" (the 2 networks communicating) are exempted from NAT

Run a capture on the ASA and see if you see traffic on the inside and outside interface. If you see, both, then the traffic is not passing through the tunnel. You should only see traffic on the inside.

The tunnel formation is one thing (between 2 end points), while the traffic passing through the tunnel is another.
0
anoopkmrCommented:
few things we have to check

a) do you have NAT enabled on the ASA  , if so  exempt the VPN  traffic from the NAT  and try the connectivity
b) check the  routing on both side Lan devices are proper ..  both side devices should have proper gateway to reach each other LAN  .
c)  only ping is not working :  inspect icmp in ASA  and try
d) enable Nat-traversal on ASA  and try :  crypto isakmp nat-trav 60
c) remove the access-list 101 from router dialer interface and try

even after doing all workaround still facing issues, kindly show the output of
show crypto isakmp sa  and show crypto ipsec sa  from router and ASA
0
mannyfernandezCommented:
PeteLong is correct, if you do not have 'inspect icmp' it will not keep state.

you can also try a packet-tracer from the ASA.

packet tracer inside icmp %ASA-side-IP-of-any-host% 0 8 %ROUTER-side-IP-of-any-host% detailed

Open in new window


this will give you a glimpse as to the phases the packet is going.  If you do not see the "VPN" phase in the packet, they crypto-map should be reviewed, if you see the "NAT" phase and it is NAT to the outside, then you are missing a "NAT exempt or NONAT rule" (differs from version 8.2 and below and 8.3 and above.

Legacy:

access-list nonat extended permit ip %ASA-Networks% %Router-Networks%
nat (inside) 0 access-list nonat

Open in new window


Current:
nat (inside,outside) source static %ASA-Networks% %ASA-Networks% destination static  %Router-Networks% %Router-Networks%

Open in new window


Another thing to look at is
sh crypto ipsec sa 

Open in new window


look for decrypt and encrypt if they are not growing while you ping, something is up.  If you see encrypt but no decrypt, look at the other side and/or routing.


do a packet capture on the ASA side to see if you see the packets existing the inside interface:

access-l capture extended permit ip %Router-Networks% %ASA-Networks% 

capture cap1 access-l capture interface inside

sh cap cap1

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.