topic Re: Unable to ping via S2S VPN in Network Security

Unable to ping via S2S VPN

kamrannaseem1 — Thu, 07 Nov 2019 17:47:57 GMT

Hello,

We have a site to site VPN configured on cisco asa 5505, VPN is up and we can see TX and RX but we are unable to get any ping replies. We also tried RDP and other access to the remote end but no luck.

The strange thing is TX and RX are going up on the VPN but we cant get any ping etc replies from the remote end.

Please find attached asa config and wireshark traces.

any help will be much appreciated.

Many thanks.

Re: Unable to ping via S2S VPN

Sheraz.Salim — Thu, 07 Nov 2019 18:12:49 GMT

you have to change your nat.

CHANGE THIS
nat (inside,outside) source dynamic LocalVPNClients LocalVPN-NAT destination static RemoteVPNClients RemoteVPNClients
!
TO THIS
nat (inside,outside) source static LocalVPNClients LocalVPN-NAT destination static RemoteVPNClients RemoteVPNClients no-proxy-arp route-lookup
!

for PING
policy-map global_policy
class inspection_default
inspect icmp

inspect icmp-error

check this reference guide too.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

I also noticed you have overlap of ip address in your network and remote network

object network ClientSubnet
subnet 192.168.0.0 255.255.248.0
!
object-group network LocalVPNClients
network-object object ClientSubnet
!
object-group network LocalVPN-NAT
network-object object 192.168.6.3
!
object-group network RemoteVPNClients
network-object object RemoteVPNClient1
network-object object RemoteVPNClient2
network-object object RemoteVPNClient3
network-object object RemoteVPNClient4
!
object network RemoteVPNClient1
host 129.1.3.12
object network RemoteVPNClient2
host 129.1.33.65
object network RemoteVPNClient3
host 129.1.155.61
object network 192.168.6.3
host 192.168.6.3
object network RemoteVPNClient4
host 129.1.3.11

could you also run this command and past the results.

show crypto ipsec sa peer 185.170.172.10

Re: Unable to ping via S2S VPN

kamrannaseem1 — Thu, 07 Nov 2019 18:56:06 GMT

Thanks sheraz for the quick response.

Problem is that we have to use many to one NAT. Basically the requirement is to NAT the subnet to single IP so shouldn't we use dynamic for that ?

I have changes the below but no luck. I haven't yet changed the NAT.

inspect icmp

inspect icmp-error

BAirASA# show crypto ipsec sa peer 185.170.172.10
peer address: 185.170.172.10
Crypto map tag: outside_map0, seq num: 1, local addr: 64.66.10.70

access-list outside_cryptomap_1 extended permit ip host 192.168.6.3 host 1 29.1.3.12
local ident (addr/mask/prot/port): (192.168.6.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (129.1.3.12/255.255.255.255/0/0)
current_peer: 185.170.172.10

#pkts encaps: 4479, #pkts encrypt: 4479, #pkts digest: 4479
#pkts decaps: 4466, #pkts decrypt: 4466, #pkts verify: 4466
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4479, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 64.66.10.70/0, remote crypto endpt.: 185.170.172.10/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D4B437E8
current inbound spi : 41568E7D

inbound esp sas:
spi: 0x41568E7D (1096191613)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 282624, crypto-map: outside_map0
sa timing: remaining key lifetime (sec): 2634
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD4B437E8 (3568580584)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 282624, crypto-map: outside_map0
sa timing: remaining key lifetime (sec): 2634
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Re: Unable to ping via S2S VPN

Sheraz.Salim — Thu, 07 Nov 2019 20:16:38 GMT

try this command

nat (inside,outside) source dynamic LocalVPNClients LocalVPN-NAT destination static RemoteVPNClients RemoteVPNClients no-proxy-arp route-lookup

Re: Unable to ping via S2S VPN

kamrannaseem1 — Thu, 07 Nov 2019 23:33:17 GMT

it doesn't take this command. Doesn't give me option for no-proxy-arp route-lookup.

Re: Unable to ping via S2S VPN

gerald.scott — Fri, 08 Nov 2019 00:56:22 GMT

I recommend trying the following things

1. run a packet tracer and see what step is failing

2. run debugs: debug cryp isa sa 127 and deb cryp ipsec sa 127 - while these are running, attempt ping across the tunnel and attach to output to this thread

Re: Unable to ping via S2S VPN

Sheraz.Salim — Fri, 08 Nov 2019 09:20:16 GMT

I had a thought on this. you need to define a subnet for you real traffic to mapped into mapped network.

you have single ip address in this object LocalVPN-NAT

create a subnet

object network LocalVPN-NAT

subnet 192.168.10.x 255.255.255.0

nat (inside,outside) source static LocalVPNClients LocalVPN-NAT destination static RemoteVPNClients RemoteVPNClients no-proxy-arp route-lookup

you also need to let the remote network Firewall to change the network to LocalVPN-NAT subnet 192.168.10.x 255.255.255.0

Re: Unable to ping via S2S VPN

kamrannaseem1 — Fri, 15 Nov 2019 15:22:34 GMT

Thanks every one, issue resolved, issue wasn't with the vpn, the issue was with the internal network.

Re: Unable to ping via S2S VPN

Sheraz.Salim — Fri, 15 Nov 2019 23:40:24 GMT

what was the issue? your site to site vpn working ?

could you please show your final working configuration