Cannot ping inside interface via site-to-site VPN

kevinshkong11 — Tue, 12 Mar 2019 08:12:15 GMT

Hi ALL,

I have setup a site-to-site VPN between HQ and branch.

I am able to ping those segment behind Cisco ASA 5506-X (branch) from segment behind SonicWALL (HQ).

But cannot ping inside interface (192.168.101.2) in Cisco ASA.

Need your advise.

branch# sh run

hostname branch
enable password 0e53SZdxezxawxDG encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name 192.168.14.0 Guest_Wifi description Guest Wifi
name 172.28.4.0 Office_Wifi description Office Wifi
name 172.16.4.0 Wifi_Mgmt description Wifi Mgmt
name 172.27.4.0 Xentry_Wifi description Xentry Wifi
name 172.16.1.0 HQ_Mgmt description HQ_Mgmt
name 10.12.1.0 Office_LAN description Office LAN
!
interface GigabitEthernet1/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1.100
description Unifi 50Mbps
vlan 100
nameif outside
security-level 0
ip address 175.140.195.166 255.255.255.0
!
interface GigabitEthernet1/1.101
vlan 101
nameif inside
security-level 100
ip address 192.168.101.2 255.255.255.252
!
interface GigabitEthernet1/2
description Guest
no nameif
security-level 0
no ip address
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa961-lfbff-k8.SPA
ftp mode passive
clock timezone MYT 8
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.3.96.0_24
subnet 10.3.96.0 255.255.255.0
object network Facing_FW
range 192.168.101.1 192.168.101.2
description Facing FW Segment
object network Office_LAN
subnet 10.12.1.0 255.255.255.0
description Branch Office LAN
object network Wifi_Mgmt
subnet 172.16.4.0 255.255.255.0
description Wifi Management Segment
object network Office_Wifi
subnet 172.28.4.0 255.255.255.0
description Office Wifi Segment
object network Server_Segment
subnet 10.1.1.0 255.255.255.0
description HQ Server Segment
object network HQ_2nd_Floor
subnet 10.3.66.0 255.255.255.0
description HQ 2nd Floor Users
object network NETWORK_OBJ_10.1.1.0_24
subnet 10.1.1.0 255.255.255.0
object network NETWORK_OBJ_10.12.1.0_24
subnet 10.12.1.0 255.255.255.0
object-group network Branch_Segment
description Local VPN Segment
network-object object Office_LAN
network-object object Office_Wifi
network-object object Wifi_Mgmt
network-object object Facing_FW
object-group network HQ_Segment
description HQ VPN Segment
network-object object HQ_2nd_Floor
network-object object Server_Segment
network-object 10.3.65.0 255.255.255.0

access-list inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object-group Branch_Segment object-group HQ_Segment
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging console informational
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu outside2 1492
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Branch_Segment Branch_Segment destination static HQ_Segment HQ_Segment no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 175.140.195.165 1
route inside Office_LAN 255.255.255.0 192.168.101.1 1
route inside Wifi_Mgmt 255.255.255.0 192.168.101.1 1
route inside Xentry_Wifi 255.255.255.0 192.168.101.1 1
route inside Office_Wifi 255.255.255.0 192.168.101.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http Office_LAN 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 175.140.233.162 210.20.180.26
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.101.2,CN=ccbcherasfw
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=192.168.101.2,CN=ccbcherasfw
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
enrollment self
fqdn none
subject-name CN=192.168.101.2,CN=ccbcherasfw
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 0e69bd57
    308202d8 308201c0 a0030201 0202040e 69bd5730 0d06092a 864886f7 0d010105
    0500302e 31143012 06035504 03130b63 63626368 65726173 66773116 30140603
    55040313 0d313932 2e313638 2e313031 2e32301e 170d3136 30383235 30333036
    35395a17 0d323630 38323330 33303635 395a302e 31143012 06035504 03130b63
    63626368 65726173 66773116 30140603 55040313 0d313932 2e313638 2e313031
    2e323082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282
    01010097 6a3ba16e 512af40c f7b38862 fc9ffa01 26d5eacd e2357e73 26fe31e0
    997a3efa 75cbc816 431cb475 3b04b72b d086b154 d4d61c79 5cb5d870 dd6834cd
    5f315471 43a47f05 f8f89fb8 27e50b90 ef86769a 1cea217c 98ade46f 98b817af
    4281fc5e c9a2ba31 a67a28b3 f3d19220 fa7132cf 4c01d5f3 dda2d856 a2f2c8b6
    9d7dea22 5c4fe371 2f5b473b 2a8809af 952ea8e9 a0d81fe7 03515ef7 a5d4ae54
    2545a7e2 330c45fb eb6c4752 9b4b6733 20290a39 c9ea5c6f a44a5d7b 55c4a067
    8bdfae7b 318e7672 1d788f73 910b8b1d 3523f633 e0b3642f ee5e652a 09400413
    00b62c79 a4dbd70d bc7a1020 930b14bb 954f69a3 d3337772 43ad9d56 d41bf3f3
    fc2fc102 03010001 300d0609 2a864886 f70d0101 05050003 82010100 53a07cda
    db8fa823 bbd23c7f 5696a785 66156510 84befb60 f1e03b02 2dd702ca 9b829f1a
    5c8e3cd9 6bf0109f 99637c7f 48e075fb a7658fc4 88b0d48f ebba6cb6 5d6dfcbc
    4aca5697 43587ff5 6a1db1ed f5e84298 be5c52d7 83ab0319 f35be837 2c2aa1ca
    70cd5303 582ad585 d1e6e106 d003c014 982bdf9f b0b4bd05 e7734584 75bafbc8
    31c1c36e 9aaa7dd7 88cb6da1 418ef816 47ca3f4f 75bbf823 8742669c d3e43068
    b2655c75 f4ec9fea 4e238b02 7108af54 dedd7b33 f06a0757 84c4d413 dc9e5f2f
    66bf2c36 a8e7b082 adcb65f2 a038115a cd09eecd 2a87c577 a013fd9c 0f094e81
    a5521f72 9a18d683 62a5bdd5 a3d0864a aa8c6f80 6da96f41 2fd69164
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
certificate 0f69bd57
    308202d8 308201c0 a0030201 0202040f 69bd5730 0d06092a 864886f7 0d010105
    0500302e 31143012 06035504 03130b63 63626368 65726173 66773116 30140603
    55040313 0d313932 2e313638 2e313031 2e32301e 170d3136 30383235 30343234
    33375a17 0d323630 38323330 34323433 375a302e 31143012 06035504 03130b63
    63626368 65726173 66773116 30140603 55040313 0d313932 2e313638 2e313031
    2e323082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282
    01010097 6a3ba16e 512af40c f7b38862 fc9ffa01 26d5eacd e2357e73 26fe31e0
    997a3efa 75cbc816 431cb475 3b04b72b d086b154 d4d61c79 5cb5d870 dd6834cd
    5f315471 43a47f05 f8f89fb8 27e50b90 ef86769a 1cea217c 98ade46f 98b817af
    4281fc5e c9a2ba31 a67a28b3 f3d19220 fa7132cf 4c01d5f3 dda2d856 a2f2c8b6
    9d7dea22 5c4fe371 2f5b473b 2a8809af 952ea8e9 a0d81fe7 03515ef7 a5d4ae54
    2545a7e2 330c45fb eb6c4752 9b4b6733 20290a39 c9ea5c6f a44a5d7b 55c4a067
    8bdfae7b 318e7672 1d788f73 910b8b1d 3523f633 e0b3642f ee5e652a 09400413
    00b62c79 a4dbd70d bc7a1020 930b14bb 954f69a3 d3337772 43ad9d56 d41bf3f3
    fc2fc102 03010001 300d0609 2a864886 f70d0101 05050003 82010100 4c55dd09
    f9f7a6eb 54ae5ae2 c28c7e11 93dec140 abc0c9a9 710b2ae3 d0e1ea9f eada312b
    59618735 07188e0f 0cd64c02 acf22f99 cb768fd6 0fcb0215 4d1be479 668ddd59
    7a9bc35f d971b1a8 179fd353 fb4ef5e2 5e07c2b3 37eceb28 dac9fdcb 3190a81a
    15c90c37 4127f4eb ee818636 949b0c46 968076bd 16aa79b9 fce97a6d bcbdf1da
    6a71ddc0 8021ecdc b8f4359c 0d4a61bd a33515bc ecf9a489 b110a73f 0756bc4b
    f8719ae7 2a540f79 6865cddf 45beee12 aeba78f5 7c836432 38e95dc2 5ce94e92
    37f1faca 7a0d34e5 bc119c21 e72b0fe7 a45e7dcc dd19afe3 2a33cce8 af11806b
    fd6503df eb7e624c 5fbd599e e86b2715 8e5058fe 1e20d7de a912327b
quit

crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_2
certificate 1069bd57
    308202d8 308201c0 a0030201 02020410 69bd5730 0d06092a 864886f7 0d010105
    0500302e 31143012 06035504 03130b63 63626368 65726173 66773116 30140603
    55040313 0d313932 2e313638 2e313031 2e32301e 170d3136 30383235 30343538
    30315a17 0d323630 38323330 34353830 315a302e 31143012 06035504 03130b63
    63626368 65726173 66773116 30140603 55040313 0d313932 2e313638 2e313031
    2e323082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282
    01010097 6a3ba16e 512af40c f7b38862 fc9ffa01 26d5eacd e2357e73 26fe31e0
    997a3efa 75cbc816 431cb475 3b04b72b d086b154 d4d61c79 5cb5d870 dd6834cd
    5f315471 43a47f05 f8f89fb8 27e50b90 ef86769a 1cea217c 98ade46f 98b817af
    4281fc5e c9a2ba31 a67a28b3 f3d19220 fa7132cf 4c01d5f3 dda2d856 a2f2c8b6
    9d7dea22 5c4fe371 2f5b473b 2a8809af 952ea8e9 a0d81fe7 03515ef7 a5d4ae54
    2545a7e2 330c45fb eb6c4752 9b4b6733 20290a39 c9ea5c6f a44a5d7b 55c4a067
    8bdfae7b 318e7672 1d788f73 910b8b1d 3523f633 e0b3642f ee5e652a 09400413
    00b62c79 a4dbd70d bc7a1020 930b14bb 954f69a3 d3337772 43ad9d56 d41bf3f3
    fc2fc102 03010001 300d0609 2a864886 f70d0101 05050003 82010100 93665a10
    ad512846 01f32086 65ca8325 79bee6f6 54490e20 286efc0e 9b4104e6 38f7e430
    16906354 39efd45a 72ebad1f ddd611ef 100b1612 0b596afe c87bcc9a b9e44ecc
    17e7783e b5d05836 4dbe3a7e 489b29ff 86322c0d 0c8c1254 6f750dba 7a224b3f
    2ca41e02 5d68c7b9 9a9f845a a781bdd7 a22ed9a4 3aa636e1 00c2c2dd 09595d12
    740923df 9127f8e8 8f36899a 2fbaa82c 92393fb0 ab9d99cf d6aa44cb d443793f
    7b9d0700 10b2f116 8df3392a e4eabf92 7d3bd574 273ec214 f4622f70 28074a87
    91556f0a 50774ddd 2c1ffe28 5b46f1fb bd99ea0c 8c7ba7c9 7ff1b51d 052b677b
    e434fe6b 2cb83ba0 71fd487c 0ed2ae36 e3c145e1 14cac8bb 64fba468
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 160
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

management-access inside
!
ntp server 10.12.1.2 prefer
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_2 inside vpnlb-ip
group-policy GroupPolicy_175.140.233.162 internal
group-policy GroupPolicy_175.140.233.162 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
username misadminservice password 6Pee0pMhMPokimu4 encrypted privilege 15
tunnel-group 175.140.233.162 type ipsec-l2l
tunnel-group 175.140.233.162 general-attributes
default-group-policy GroupPolicy_175.140.233.162
tunnel-group 175.140.233.162 ipsec-attributes

ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6f54aa67bb50471b8738a96120735e26
: end

Thank you.

Regards,

Kevin

Hi Kevin,

Terence Payet — Tue, 30 Aug 2016 10:10:59 GMT

Hi Kevin,

Please add the route-lookup command at the end of your NAT statement as per below:

nat (inside,outside) source static Branch_Segment Branch_Segment destination static HQ_Segment HQ_Segment route-lookup

http://packetpushers.net/understanding-when-a-cisco-asa-nat-rule-can-override-the-asa-routing-table/

HTH.

Please rate helpful post.

Regards,

Terence

Hi Terrence,

kevinshkong11 — Tue, 30 Aug 2016 10:31:36 GMT

Hi Terrence,

Already added previously.

nat (inside,outside) source static Branch_Segment Branch_Segment destination static HQ_Segment HQ_Segment no-proxy-arp route-lookup

Thank you.

topic Hi Kevin, in Network Security

Cannot ping inside interface via site-to-site VPN

Hi Kevin,

Hi Terrence,