05-02-2019 01:31 PM - edited 05-03-2019 03:31 AM
So I have a setup whereby I have a Cisco ASA 5505 which has 2 site-to-site VPNs, an RA VPN running, and a switch coming off it for the on-premises network.
ASA runs on IP 10.101.0.1 255.0.0.0
S2S one runs on network 10.1.0.0 255.255.0.0 (AWS EU-West-2)
S2S two runs on network 10.2.0.0 255.255.0.0 (AWS EU-West-1)
RA VPN that has several client connections on network 10.101.2.0 255.255.255.0
The on-premises network runs on 10.101.1.0 255.255.0.0
All devices barring the ASA itself are able to talk across the networks correctly.
So RA client to S2S one works, RA client to on-premises works; vice versa, all the networks work correctly for devices connected to the ASA, just not the ASA.
The problem I'm having is I need the ASA to talk to devices via the S2S VPNs, but when it tries to do that it sends, but the receiving EC2 instance is being given the ASA's public IP, not its 10.101.0.1 IP. I'm assuming that's because the NAT rules are not being applied to the ASA itself when.
So to test this I do ping outside 10.1.18.109 and it hits the EC2 server; however, the source IP is set to my public IP. This means the EC2 can't respond because it's responding to the public IP and not the internal IP of the ASA, 10.101.0.1. How do I set this up?
If I do ping inside 10.1.18.109 it just fails and never gets routed to the AWS network, and because of this, if anything pings 10.101.0.1 via a VPN it never gets a response because the ASA tries to respond to the public IP address.
Accepted solution:
05-05-2019 07:08 AM
In general it is expected behavior for the ASA that you cannot ping the inside interface address when the ping is coming from outside. There is an exception to that rule when the ping is coming from VPN. Add the command management-access inside and let us know if the behavior changes.
HTH
Rick
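The fix from the accepted answer written out against the ASA in this thread, as an added example with verification steps (not part of the original posts). It assumes the hostname "vpn" and the acl-amzn-lon crypto ACL from the posted config; the prompts are illustrative.

```cisco
! Added example: apply the accepted answer on this ASA.
! management-access lets the inside interface address (10.101.0.1) be
! reached over the S2S and RA tunnels, and be used as the source of
! ASA-originated traffic such as ping.
vpn(config)# management-access inside

! Confirm it is in the running config
vpn# show running-config management-access
management-access inside

! Re-run the failing test from the question, sourcing the echo from the
! inside interface so it matches the tunnel's interesting traffic
! (acl-amzn-lon permits any4 -> 10.1.0.0/16) instead of the public address
vpn# ping inside 10.1.18.109

! Traffic from the RA pool (10.101.2.0/24) to 10.101.0.1 is answered
! from the inside address from now on; a client in that pool can verify
! with a plain ping to 10.101.0.1.
```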
05-02-2019 01:50 PM
The ASA's current running config:
: Saved
:
ASA Version 9.1(1)
!
hostname vpn
domain-name *removed*
enable password *removed* encrypted
passwd *removed* encrypted
names
ip local pool OutOfOfficePool 10.101.2.1-10.101.2.254 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.101.0.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address y.y.y.y 255.255.255.248
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.1.18.109
 name-server 1.1.1.1
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name beaconsoft.ltd
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside
 subnet 10.0.0.0 255.0.0.0
object network inside-subnet
 subnet 10.0.0.0 255.0.0.0
object network obj-SrcNet
 subnet 0.0.0.0 0.0.0.0
object network obj-amzn-lon
 subnet 10.1.0.0 255.255.0.0
object network obj-amzn-ire
 subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.101.2.0_24
 subnet 10.101.2.0 255.255.255.0
object network inoffice
 subnet 10.101.1.0 255.255.255.0
object network outoffice
 subnet 10.101.2.0 255.255.255.0
object network 10.X.X.X
 range 10.2.0.0 10.2.255.255
object network ASA-network
 subnet 10.101.0.0 255.255.255.0
object network ASA
 host 10.101.0.1
 description Cisco ASA
object network ASAGatewayAddress
 host y.y.y.y
access-list outside_acl extended permit ip host 35.177.42.137 host y.y.y.y
access-list outside_acl extended permit ip host 52.56.51.249 host y.y.y.y
access-list outside_acl extended permit ip host 52.17.198.135 host y.y.y.y
access-list outside_acl extended permit ip host 54.72.63.159 host y.y.y.y
access-list acl-amzn-lon extended permit ip any4 10.1.0.0 255.255.0.0
access-list IRELAND-135 extended permit ip host 52.17.198.135 host y.y.y.y
access-list IRELAND-159 extended permit ip host 54.72.63.159 host y.y.y.y
access-list IRELAND-LOCAL extended permit ip any4 10.2.0.0 255.255.0.0
access-list outside_access_in extended permit ip host 35.177.42.137 host y.y.y.y
access-list outside_access_in extended permit ip host 52.56.51.249 host y.y.y.y
access-list acl-amzn extended permit ip any4 10.1.0.0 255.255.0.0
access-list amzn-filter extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list ireland-filter extended permit ip 10.2.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_cryptomap_2 extended permit ip any4 10.2.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip any4 10.1.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit ip any4 10.2.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip any4 10.1.0.0 255.255.0.0
access-list tcp_bypass extended permit tcp 10.101.1.0 255.255.255.0 10.101.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.1.0.0 255.255.0.0 10.101.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.101.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list tcp_bypass extended permit tcp 10.2.0.0 255.255.0.0 10.101.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.101.2.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
access-list acl-outside extended permit icmp any any echo
access-list acl-inside extended permit icmp any any echo
access-list global_mpc extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-ire obj-amzn-ire route-lookup
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-lon obj-amzn-lon route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.101.2.0_24 NETWORK_OBJ_10.101.2.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static ASAGatewayAddress ASA destination static obj-amzn-lon obj-amzn-lon
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 109.239.111.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.1.18.109
 ldap-base-dn dc=beaconsoft, dc=ltd
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator, cn=Users, dc=beaconsoft, dc=ltd
 server-type microsoft
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1379
sla monitor 1
 type echo protocol ipIcmpEcho 10.1.0.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 10.2.0.1 interface outside
 frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 5
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 5
sla monitor schedule 5 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn-lon esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn-ire esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set transfrom-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transfrom-amzn1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-ireland esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set APPLE_CLIENT esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set APPLE_CLIENT mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS
crypto dynamic-map DYN_OUTSIDE 10000 set reverse-route
crypto map amazon_lon_map 1 match address acl-amzn-lon
crypto map amazon_lon_map 1 set pfs
crypto map amazon_lon_map 1 set peer 35.177.42.137 52.56.51.249
crypto map amazon_lon_map 1 set ikev1 transform-set transform-amzn-lon
crypto map amazon_lon_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map amazon_lon_map 1 set security-association lifetime seconds 3600
crypto map amazon_lon_map 2 match address outside_cryptomap_2
crypto map amazon_lon_map 2 set pfs
crypto map amazon_lon_map 2 set peer 52.17.198.135 54.72.63.159
crypto map amazon_lon_map 2 set ikev1 transform-set transform-ireland
crypto map amazon_lon_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MAP_OUTSIDE 1 match address outside_cryptomap_1
crypto map MAP_OUTSIDE 1 set pfs
crypto map MAP_OUTSIDE 1 set peer 35.177.42.137 52.56.51.249
crypto map MAP_OUTSIDE 1 set ikev1 transform-set transfrom-amzn
crypto map MAP_OUTSIDE 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map MAP_OUTSIDE 1 set security-association lifetime seconds 3600
crypto map MAP_OUTSIDE 1 set reverse-route
crypto map MAP_OUTSIDE 2 match address outside_cryptomap_3
crypto map MAP_OUTSIDE 2 set pfs
crypto map MAP_OUTSIDE 2 set peer 52.17.198.135 54.72.63.159
crypto map MAP_OUTSIDE 2 set ikev1 transform-set transform-ireland
crypto map MAP_OUTSIDE 2 set security-association lifetime seconds 3600
crypto map MAP_OUTSIDE 2 set reverse-route
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair OutOfOfficeKeyPair
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=leeds.internal.beaconsoft.ltd,O=Beaconsoft Limited,C=UK
 keypair OutOfOfficeKeyPair
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  *removed*
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate 7f301c5c
  *removed*
  quit
crypto ca certificate chain ASDM_TrustPoint2
 certificate ca 7303eb3fb5255bb0498dbbad4387fc24
  *removed*
  quit
crypto ca certificate chain ASDM_TrustPoint3
 certificate ca 7303eb3fb5255bb0498dbbad4387fc24
  *removed*
  quit
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 1000
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2000
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 3000
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpn-sessiondb max-other-vpn-limit 10
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
dhcpd dns 10.1.18.109 8.8.8.8
dhcpd domain leeds.internal.beaconsoft.ltd
dhcpd auto_config outside
dhcpd option 3 ip 10.101.0.1 y.y.y.y
dhcpd option 6 ip 10.1.13.58 8.8.8.8
!
dhcpd address 10.101.1.1-10.101.1.254 inside
dhcpd dns 10.1.18.109 8.8.8.8 interface inside
dhcpd domain leeds.internal.beaconsoft.ltd interface inside
dhcpd option 3 ip 10.101.0.1 interface inside
dhcpd option 6 ip 10.1.13.58 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value leeds.internal.beaconsoft.ltd
group-policy OutOfOffice internal
group-policy OutOfOffice attributes
 dns-server value 10.1.18.109 1.1.1.1
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value leeds.internal.beaconsoft.ltd
group-policy ireland-filter internal
group-policy ireland-filter attributes
 vpn-filter value ireland-filter
 vpn-tunnel-protocol ikev1
group-policy filter1 internal
group-policy filter1 attributes
 vpn-filter value amzn-filter
 vpn-tunnel-protocol ikev1 ikev2
group-policy filter internal
group-policy filter attributes
 vpn-filter value acl-amzn
username Mike password PN42Bm7XE5a8EJwkq1mGPQ== nt-encrypted
username Mike attributes
 vpn-group-policy OutOfOffice
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 service-type remote-access
username Joseph password mS0EAg3qPCemqmgrSSzfvQ== nt-encrypted
username Joseph attributes
 vpn-group-policy OutOfOffice
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 service-type remote-access
username Stewart password FyZPWbn6t6h5inknkHKzug== nt-encrypted privilege 15
username Stewart attributes
 vpn-group-policy OutOfOffice
 vpn-tunnel-protocol ikev1 l2tp-ipsec
username Nigel password 3Pieca+TQZEgQPeWMS9mtA== nt-encrypted
username Nigel attributes
 vpn-group-policy OutOfOffice
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 service-type remote-access
username Fletch password PBh4TET9xODSoUCJeBPhqA== nt-encrypted
username Fletch attributes
 vpn-group-policy OutOfOffice
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 service-type remote-access
username Martin password nwCUkCGVNa4sPj+wYoOGxg== nt-encrypted privilege 0
username Martin attributes
 vpn-group-policy OutOfOffice
 vpn-tunnel-protocol ikev1 l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool OutOfOfficePool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group 35.177.42.137 type ipsec-l2l
tunnel-group 35.177.42.137 general-attributes
 default-group-policy filter1
tunnel-group 35.177.42.137 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group 52.56.51.249 type ipsec-l2l
tunnel-group 52.56.51.249 general-attributes
 default-group-policy filter1
tunnel-group 52.56.51.249 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group OutOfOffice type remote-access
tunnel-group OutOfOffice general-attributes
 address-pool OutOfOfficePool
 authentication-server-group LDAP_SRV_GRP LOCAL
 default-group-policy OutOfOffice
tunnel-group OutOfOffice ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 trust-point ASDM_TrustPoint0
tunnel-group OutOfOffice ppp-attributes
 authentication ms-chap-v2
tunnel-group 52.17.198.135 type ipsec-l2l
tunnel-group 52.17.198.135 general-attributes
 default-group-policy ireland-filter
tunnel-group 52.17.198.135 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 54.72.63.159 type ipsec-l2l
tunnel-group 54.72.63.159 general-attributes
 default-group-policy ireland-filter
tunnel-group 54.72.63.159 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match access-list global_mpc
 match default-inspection-traffic
class-map tcp_bypass
 match access-list tcp_bypass
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy tcp_bypass_policy interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cd0f6db30d4f6f8bc09edf95ade0618f
: end
05-06-2019 08:32 AM
I am glad that my explanation was helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.
HTH
Rick