WellingtonIS
ASA Tunnel

I'm a bit stumped.  I had a working tunnel and all I did was add an extra IP address into the tunnel, and now I can't ping anything.  This is a snapshot of what I see. Any ideas?
ASA.png
Shark Attack

You added an IP address to the ACL of the tunnel? Or where? If so, you need to make that change on both ends. Your crypto ACLs need to match exactly.

ASKER

I added an IP address to the tunnel, to the ACL and the crypto.  I'll send you what I have:
object-group network VRADSOUTSIDE (208.50.x.x)
 network-object 208.50.x.x 255.255.255.224
object-group network VRADLOCAL (Represents my IP addresses of my servers)
 group-object PACSUSARAD-LOCAL (Represents my IP addresses of my servers)
access-list inside_nat0_outbound extended permit ip object-group VRADLOCAL object-group VRADSOUTSIDE
access-list inside_nat0_outbound_1 extended permit ip object-group VRADLOCAL object-group VRADSOUTSIDE
access-list outside_cryptomap_3 extended permit ip object-group VRADLOCAL 208.50.x.x 255.255.255.224
crypto map outside_map 7 match address outside_cryptomap_3
crypto map outside_map 7 set peer 74.117.x.x  
tunnel-group 74.117.x.x type ipsec-l2l
tunnel-group 74.117.x.x ipsec-attributes
 pre-shared-key *****
Did you make those changes on the other side of the tunnel as well? Also, you need to adjust your NAT for the new IPs.
You mean on the receiving end?  I assume they did because they can ping me without a problem.
Did you try clearing the tunnel? - clear crypto ipsec sa peer #####

I would also try doing a packet-tracer to see what is happening.

packet-tracer input inside icmp ####(IP of your inside host) 8 0 #### (ip of the host you are trying to reach) detailed
Also, paste these in:


sh crypto isa sa | b ####
sh crypto ipsec sa peer #

# = peer of the other end
OK, but what do the ## stand for?
The outside IP of the opposite end.
This is the outside IP for the opposite end:
sh crypto isa sa | b ####
sh crypto ipsec sa peer #

These are the INSIDE hosts:
packet-tracer input inside icmp ####(your inside IP) 8 0 #### (other ends inside IP) detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside host 10.75.x.x outside 208.50x.x 255.255.255.224
    NAT exempt
    translate_hits = 356, untranslate_hits = 12
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 101 (204.28.x.x [Interface PAT])
    translate_hits = 295292548, untranslate_hits = 172503393
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 101 (204.28.x.x [Interface PAT])
    translate_hits = 295292548, untranslate_hits = 172503393
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Your ACLs do not match the other end. Contact the other end, have them send you the EXACT ACL that they have for this tunnel and mirror it exactly. Clear the tunnel after and it should come UP.
OK, I will try. I just don't understand why they can ping me but I can't ping them.
If you clear the tunnel, it might not come up. You can try; then it will be down.
I emailed them on the other side of the tunnel to try to figure out where this is happening.  Thanks. I'll let you know what I find out.
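The two checks the answer above boils down to, as an added example that is not part of the thread: read a packet-tracer result to find the first phase that dropped the flow, and expand the crypto ACL on each end (resolving object-groups) so that every source/destination pair on one side can be checked for an exact mirror on the other. The trace excerpt, the object-group names and the configs below are constructed to resemble the ones posted; the addresses are RFC 5737 / RFC 1918 placeholders, not the real peers.

```python
"""Added example, not from the thread: triage an ASA packet-tracer result and
check that the crypto ACLs on both ends of an IPsec L2L tunnel mirror each
other. All configs and addresses below are constructed (RFC 5737 / RFC 1918)."""
import ipaddress
import re

# Constructed packet-tracer excerpt, shaped like the one posted in the thread.
SAMPLE_TRACE = """\
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside host 10.75.0.10 outside 203.0.113.0 255.255.255.224
    NAT exempt
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed local config: VRADLOCAL now also holds the newly added 10.76.0.0/24.
LOCAL_CFG = """\
object-group network VRADSOUTSIDE
 network-object 203.0.113.0 255.255.255.224
object-group network PACSUSARAD-LOCAL
 network-object 10.75.0.0 255.255.255.0
object-group network VRADLOCAL
 group-object PACSUSARAD-LOCAL
 network-object 10.76.0.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip object-group VRADLOCAL 203.0.113.0 255.255.255.224
"""

# Constructed remote config: the peer never added the new subnet.
REMOTE_CFG = """\
access-list to_partner extended permit ip 203.0.113.0 255.255.255.224 10.75.0.0 255.255.255.0
"""


def find_drop_phase(trace):
    """Return (phase, type, subtype, drop_reason) for the first phase whose
    Result is DROP, or None when every phase allowed the flow."""
    reason_m = re.search(r"Drop-reason:\s*(.+)", trace)
    reason = reason_m.group(1).strip() if reason_m else ""
    for block in re.split(r"\n\s*\n", trace.strip()):
        # Only top-level "Key: value" lines; indented Config lines are skipped.
        fields = dict(re.findall(r"^([\w-]+):\s*(.*)$", block, re.M))
        if fields.get("Result") == "DROP":
            return (fields.get("Phase"), fields.get("Type"), fields.get("Subtype"), reason)
    return None


def parse_object_groups(cfg):
    """Collect 'object-group network' members; nested groups are kept as 'group:NAME'."""
    groups, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif current is None:
            continue
        elif m := re.match(r"\s+network-object host (\S+)", line):
            current.append(m.group(1) + "/32")
        elif m := re.match(r"\s+network-object (\S+) (\S+)", line):
            current.append(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"\s+group-object (\S+)", line):
            current.append("group:" + m.group(1))
        else:
            current = None  # any other top-level line ends the group
    return groups


def _resolve(name, groups):
    """Flatten a (possibly nested) object-group into ip_network objects."""
    nets = []
    for entry in groups[name]:
        if entry.startswith("group:"):
            nets.extend(_resolve(entry[6:], groups))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def _endpoint(tokens, groups):
    """Consume one source or destination from an ACE token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if tok == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if tok == "object-group":
        return _resolve(tokens.pop(0), groups)
    return [ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)]


def crypto_acl_pairs(cfg):
    """Expand every 'permit ip' ACE into a set of (src_net, dst_net) pairs."""
    groups, pairs = parse_object_groups(cfg), set()
    for line in cfg.splitlines():
        m = re.match(r"access-list \S+ extended permit ip (.*)", line)
        if not m:
            continue
        tokens = m.group(1).split()
        srcs = _endpoint(tokens, groups)
        dsts = _endpoint(tokens, groups)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def mirror_mismatches(local_cfg, remote_cfg):
    """Pairs one side has that the other does not mirror (src/dst swapped)."""
    local = crypto_acl_pairs(local_cfg)
    remote_mirrored = {(d, s) for s, d in crypto_acl_pairs(remote_cfg)}
    return {"local_only": sorted(f"{s} -> {d}" for s, d in local - remote_mirrored),
            "remote_only": sorted(f"{s} -> {d}" for s, d in remote_mirrored - local)}


if __name__ == "__main__":
    print("first drop:", find_drop_phase(SAMPLE_TRACE))
    print("crypto ACL mismatches:", mirror_mismatches(LOCAL_CFG, REMOTE_CFG))
```

With the constructed inputs the trace shows the drop in phase 8 (VPN/encrypt, acl-drop), and the mirror check reports the added 10.76.0.0/24 subnet as present only on the local side, which is exactly the kind of asymmetry the answer says to fix by copying the peer's ACL verbatim. Feed it the real `show running-config` output from both firewalls (object-groups included) and an empty result on both lists means the crypto ACLs are mirrors.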
ASKER CERTIFIED SOLUTION
Shark Attack
Will do thanks again.
Thanks for your help!  Two things happened... 1st, they closed the original IP address they gave me to ping and didn't tell me - UGH!  And 2nd, there was a slight error on their side.  I couldn't have figured it out without your assistance.
You're welcome.