WellingtonIS
asked on
ASA Tunnel
I'm a bit stumped. I had a working tunnel and all I did was add an extra IP address into the tunnel, and now I can't ping anything. This is a snapshot of what I see. Any ideas?
[attachment: ASA.png]
You added an IP address to the ACL of the tunnel, or where? If so, you need to make that change on both ends. Your crypto ACLs need to match exactly.
ASKER
I added an IP address to the tunnel, to the ACL and to the crypto. I'll send you what I have:
object-group network VRADSOUTSIDE (208.50.x.x)
network-object 208.50.x.x 255.255.255.224
object-group network VRADLOCAL (Represents my IP addresses of my servers)
group-object PACSUSARAD-LOCAL (Represents my IP addresses of my servers)
access-list inside_nat0_outbound extended permit ip object-group VRADLOCAL object-group VRADSOUTSIDE
access-list inside_nat0_outbound_1 extended permit ip object-group VRADLOCAL object-group VRADSOUTSIDE
access-list outside_cryptomap_3 extended permit ip object-group VRADLOCAL 208.50.x.x 255.255.255.224
crypto map outside_map 7 match address outside_cryptomap_3
crypto map outside_map 7 set peer 74.117.x.x
tunnel-group 74.117.x.x type ipsec-l2l
tunnel-group 74.117.x.x ipsec-attributes
pre-shared-key *****
Did you make those changes on the other side of the tunnel as well? Also, you need to adjust your NAT for the new IPs.
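The two checks this reply calls for, as an added example (my code, not anything posted in the thread): a small Python script that expands ASA object-groups, collects the (src, dst) pairs of a crypto ACL, and reports (a) local pairs the peer's crypto ACL does not mirror exactly and (b) crypto pairs the local nat-exempt ACL does not cover. Both config fragments are constructed: the thread's real addresses were masked, so documentation ranges stand in for them, and the peer's object-group and ACL names are assumptions. The peer fragment deliberately lacks the newly added host, which is the situation the thread describes.

```python
"""Mirror-check a site-to-site crypto ACL against the peer's and confirm the local
nat-exempt ACL covers every crypto pair.  Added example for this thread, not code
from the original post.  Both config fragments are constructed: the thread's real
addresses were masked, and the peer's group/ACL names are assumptions."""
import ipaddress
import re

# Local end after the new host 10.75.1.20 was added to VRADLOCAL (constructed).
LOCAL_CFG = """
object-group network VRADSOUTSIDE
 network-object 203.0.113.0 255.255.255.224
object-group network PACSUSARAD-LOCAL
 network-object host 10.75.1.10
 network-object 10.75.2.0 255.255.255.0
object-group network VRADLOCAL
 group-object PACSUSARAD-LOCAL
 network-object host 10.75.1.20
access-list inside_nat0_outbound extended permit ip object-group VRADLOCAL object-group VRADSOUTSIDE
access-list outside_cryptomap_3 extended permit ip object-group VRADLOCAL 203.0.113.0 255.255.255.224
"""

# Remote end, still without 10.75.1.20 (constructed; names are assumptions).
PEER_CFG = """
object-group network WELLINGTON-HOSTS
 network-object host 10.75.1.10
 network-object 10.75.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 203.0.113.0 255.255.255.224 object-group WELLINGTON-HOSTS
"""


def _net(*parts):
    # 'A' -> host /32, 'A MASK' -> network; strict=False tolerates host bits in MASK form
    return ipaddress.ip_network("/".join(parts), strict=False)


def _resolve(name, raw):
    # Flatten an object-group, following nested group-object references.
    nets = []
    for kind, value in raw[name]:
        nets += _resolve(value, raw) if kind == "group" else [value]
    return nets


def _operand(tokens, groups):
    # Pop one ACL address operand: any | host A | object-group G | A MASK
    tok = tokens.pop(0)
    if tok == "any":
        return [_net("0.0.0.0", "0.0.0.0")]
    if tok == "host":
        return [_net(tokens.pop(0))]
    if tok == "object-group":
        return groups[tokens.pop(0)]
    return [_net(tok, tokens.pop(0))]


def parse_config(text):
    """Return (object-group name -> [networks], ACL name -> {(src, dst)}).
    Only 'extended permit ip' entries count (they are the proxy IDs the tunnel
    negotiates); remarks, denies and port-specific entries are skipped."""
    raw_groups, acl_lines, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            raw_groups[current] = []
        elif line.startswith("network-object host "):
            raw_groups[current].append(("net", _net(line.split()[2])))
        elif line.startswith("network-object "):
            raw_groups[current].append(("net", _net(*line.split()[1:3])))
        elif line.startswith("group-object "):
            raw_groups[current].append(("group", line.split()[1]))
        elif line.startswith("access-list "):
            acl_lines.setdefault(line.split()[1], []).append(line)
    groups = {n: _resolve(n, raw_groups) for n in raw_groups}
    acls = {name: set() for name in acl_lines}
    for name, lines in acl_lines.items():
        for line in lines:
            m = re.match(r"access-list \S+ extended permit ip (.+)", line)
            if m:
                tokens = m.group(1).split()
                srcs, dsts = _operand(tokens, groups), _operand(tokens, groups)
                acls[name].update((s, d) for s in srcs for d in dsts)
    return groups, acls


def mirror_gaps(local_pairs, peer_pairs):
    """Local (src, dst) pairs the peer does not list exactly as (dst, src)."""
    return {(s, d) for s, d in local_pairs if (d, s) not in peer_pairs}


def nat_exempt_gaps(crypto_pairs, nat0_pairs):
    """Crypto pairs no nat-exempt pair covers; that traffic hits dynamic PAT instead."""
    return {(s, d) for s, d in crypto_pairs
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0_pairs)}


def fmt(pairs):
    return [f"{s} -> {d}" for s, d in sorted(pairs)]


def check(local_cfg, peer_cfg, crypto_acl, nat0_acl, peer_crypto_acl):
    """(pairs missing on the peer, pairs missing from nat-exempt), as sorted strings."""
    _, local = parse_config(local_cfg)
    _, peer = parse_config(peer_cfg)
    return (fmt(mirror_gaps(local[crypto_acl], peer[peer_crypto_acl])),
            fmt(nat_exempt_gaps(local[crypto_acl], local[nat0_acl])))


if __name__ == "__main__":
    missing_on_peer, not_exempt = check(LOCAL_CFG, PEER_CFG, "outside_cryptomap_3",
                                        "inside_nat0_outbound", "outside_cryptomap")
    print("no exact mirror on peer:", missing_on_peer)
    print("not nat-exempt:", not_exempt)
```

Feed it the `show run object-group` and `show run access-list` output from both ends. The nat-exempt check applies to the pre-8.3 `nat (inside) 0 access-list` style seen in this thread (the trace below shows `nat (inside) 101`); on ASA 8.3 and later, NAT exemption is a `nat` statement with `no-proxy-arp route-lookup`, not an ACL, so that part would need to read the NAT table instead.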
ASKER
You mean on the receiving end? I assume they did, because they can ping me without a problem.
Did you try clearing the tunnel? - clear crypto ipsec sa peer ####
I would also try doing a packet-tracer to see what is happening:
packet-tracer input inside icmp #### (IP of your inside host) 8 0 #### (IP of the host you are trying to reach) detailed
Also, paste these in:
sh crypto isa sa | b ####
sh crypto ipsec sa peer ####
#### = peer IP of the other end
ASKER
OK, but what do the #### stand for?
This is the outside IP of the opposite end:
sh crypto isa sa | b ####
sh crypto ipsec sa peer ####
These are the INSIDE hosts:
packet-tracer input inside icmp #### (your inside IP) 8 0 #### (other end's inside IP) detailed
ASKER
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside host 10.75.x.x outside 208.50.x.x 255.255.255.224
NAT exempt
translate_hits = 356, untranslate_hits = 12
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 101 (204.28.x.x [Interface PAT])
translate_hits = 295292548, untranslate_hits = 172503393
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 101 (204.28.x.x [Interface PAT])
translate_hits = 295292548, untranslate_hits = 172503393
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Your ACLs do not match the other end. Contact the other end, have them send you the EXACT ACL that they have for this tunnel, and mirror it exactly. Clear the tunnel after and it should come UP.
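Reading a packet-tracer dump by hand is error-prone, especially the long ones with several NAT phases. As an added example (my code, not anything from the thread), here is a parser that splits the output into phases, pulls out the trailing summary, and reports which phase dropped the flow together with the drop-reason code; `SAMPLE` is constructed from the asker's paste with the phases trimmed and placeholder addresses, and the `HINTS` text is my own reading (the VPN entry restates what the reply above concludes), not ASA documentation.

```python
"""Parse Cisco ASA packet-tracer output and report the phase that dropped the
flow.  Added example for this thread, not code from the original post.  SAMPLE
is constructed from the asker's paste (phases trimmed, addresses replaced)."""
import re

SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside host 10.75.0.10 outside 203.0.113.0 255.255.255.224
    NAT exempt
    translate_hits = 356, untranslate_hits = 12
Additional Information:

Phase: 3
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# My reading of common drop points, not ASA documentation; the VPN entry is the
# conclusion the thread's reply reaches.  Treat these as pointers, not proof.
HINTS = {
    ("VPN", "encrypt"): ("dropped at the encrypt step: compare this peer's crypto ACL "
                         "with the remote end's and check 'show crypto ipsec sa peer "
                         "<peer>' for an SA that covers this src/dst pair"),
    ("ACCESS-LIST", ""): "denied by an interface access-list",
    ("ROUTE-LOOKUP", ""): "no route for the destination",
}


def parse_packet_tracer(text):
    """Return ([phase dicts], summary dict).  Each phase dict carries phase,
    type, subtype, result, config (lines) and info (lines)."""
    phases, summary, current, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":            # a bare 'Result:' opens the trailing summary
            current, section = None, "summary"
        elif section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
        elif current is None:
            continue                       # text before the first phase
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section in ("config", "info"):
            current[section].append(line)
        else:                              # Type: / Subtype: / Result: of this phase
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return phases, summary


def diagnose(text):
    """Summarise where, if anywhere, the trace dropped the flow."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    report = {
        "action": summary.get("action"),
        "phase": None, "reason": None, "hint": None,
        # a matching nat-exempt phase means NAT is not what blocked the flow
        "nat_exempt_matched": any(p["type"] == "NAT-EXEMPT" and p["result"] == "ALLOW"
                                  for p in phases),
    }
    if drop is not None:
        code = re.match(r"\((\S+)\)", summary.get("drop-reason", ""))
        report["phase"] = (drop["type"], drop["subtype"])
        report["reason"] = code.group(1) if code else summary.get("drop-reason")
        report["hint"] = HINTS.get(report["phase"]) or HINTS.get((drop["type"], ""))
    return report


if __name__ == "__main__":
    r = diagnose(SAMPLE)
    print(f"action={r['action']} phase={r['phase']} reason={r['reason']}")
    print("hint:", r["hint"])
```

On the asker's trace this reports the drop at the `VPN / encrypt` phase with reason `acl-drop`, after the `NAT-EXEMPT` phase already matched; that is why the reply points at the crypto ACL rather than at NAT.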
ASKER
OK, I will try. I just don't understand why they can ping me but I can't ping them.
If you clear the tunnel, it might not come up. You can try; then it will be down.
ASKER
I emailed them on the other side of the tunnel to try to figure out where this is happening. Thanks. I'll let you know what I find out.
ASKER CERTIFIED SOLUTION
ASKER
Will do. Thanks again.
ASKER
Thanks for your help! Two things happened... 1st, they closed the original IP address they gave me to ping and didn't tell me - UGH! And 2nd, there was a slight error on their side. I couldn't have figured it out without your assistance.
You're welcome.