05-08-2015 09:41 AM - edited 03-11-2019 10:54 PM
Hello,
I am currently trying to configure a Site-to-Site VPN tunnel and seem to have stumbled into a problem. I appear to only be able to communicate in one direction: my 10.1.1.x clients are able to ping clients on the 192.168.135.x network; however, the 192.168.135.x clients are not able to ping clients on the 10.1.1.x network.
Topology
10.1.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside 192.168.135.x/24
I'm not sure which outputs will be valuable to you, so let me know if I'm missing anything.
ASA1
ciscoasa(config)# sh run nat
nat (inside,outside) source static local-nets local-nets destination static vpn-nets vpn-nets no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
ciscoasa# sh run route
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
crypto ipsec ikev1 transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set triplesha esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto map vpnmap 120 match address outbound
crypto map vpnmap 120 set peer X.X.X.X
crypto map vpnmap 120 set ikev1 transform-set triplesha
crypto map vpnmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
ASA2
PT-Hold-ASA5505# sh run nat
nat (inside,outside) source static local-nets local-nets destination static vpn-nets vpn-nets no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
PT-Hold-ASA5505# sh run route
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
crypto map vpnmap 120 match address robASA
crypto map vpnmap 120 set peer X.X.X.X
crypto map vpnmap 120 set ikev1 transform-set aes256sha triplesha
crypto map vpnmap 255 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Thank you for any help you have to offer; I'm not very familiar with ASAs.
05-11-2015 06:13 AM
05-11-2015 06:25 AM
Please follow this now:
1. clear crypto ikev1 sa <peer_address> on both ASAs.
2. clear crypto ipsec sa peer <peer address> on both ASAs.
3. Initiate a ping from the PC (192.168.135.60) to the PC (10.1.1.5). Let it complete for 5 requests.
4. show crypto isakmp sa on ASA2 and ASA1 and paste the output here.
5. show crypto ipsec sa on ASA2 and ASA1 and paste the output here.
It'll be good if you paste the output to a txt file and attach it.
05-11-2015 06:44 AM
Alright, I have done this; the pings still come out the same way. Here is the output.
05-11-2015 06:53 AM
Looks good from both ASAs. I hope you didn't ping from ASA1 to ASA2 after clearing the SAs. Do not initiate a ping from the ASA1 side.
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
Just to make sure, please repeat steps 1 & 2 above and ping again from the PC (192.168.135.60) to the PC (10.1.1.5). Let it complete for exactly 10 requests.
Repeat steps 4 and 5 above.
Also please check if the PC (10.1.1.5) has a local firewall blocking the ping.
05-11-2015 07:27 AM
Okay, I did as you said: no pings from ASA1 or anything behind ASA1. After clearing ikev1 and ipsec on both ASAs, I went on the 10.1.1.5 PC and initiated ping 192.168.135.60 -n 10. Here are the results of the show after that.
I'm completely at a loss; I hope something makes sense to you! Also, I have disabled all firewalls on the 10.1.1.5 PC.
05-11-2015 07:48 AM
OK, so from this output, it looks like packets go from ASA2 to ASA1 but the reply is not coming back.
There could be 2 reasons:
1. The PC is not sending the ping reply back.
2. ASA1 is not able to send the ping reply to ASA2.
Follow this:
On ASA1:
capture cap1 interface inside match ip host 10.1.1.5 host 192.168.135.60
Now initiate a ping from the PC (192.168.135.60) to the PC (10.1.1.5).
On ASA1:
show capture cap1
This way we can find out whether the ping reply is coming back to ASA1 from the PC or not.
05-11-2015 07:58 AM
Use this instead:
On ASA1:
access-list cap-acl permit icmp host 10.1.1.5 host 192.168.135.60
access-list cap-acl permit icmp host 192.168.135.60 host 10.1.1.5
capture cap1 interface inside access-list cap-acl
Now initiate a ping from the PC (192.168.135.60) to the PC (10.1.1.5).
On ASA1:
show capture cap1
This is better.
05-11-2015 08:06 AM
Uhh, it just started working. I think maybe turning the firewall off completely on the PC fixed it, but I pinged too soon after? Here is the output from the sh capture:
ciscoasa(config)# sh capture cap1
18 packets captured
1: 06:04:57.685602 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
2: 06:04:57.686274 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
3: 06:04:58.683360 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
4: 06:04:58.683665 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
5: 06:04:59.681620 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
6: 06:04:59.682124 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
7: 06:05:00.681559 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
8: 06:05:00.682169 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
9: 06:05:01.679789 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
10: 06:05:01.680430 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
11: 06:05:02.677790 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
12: 06:05:02.678248 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
13: 06:05:03.677104 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
14: 06:05:03.677714 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
15: 06:05:04.674144 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
16: 06:05:04.674785 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
17: 06:05:05.672618 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
18: 06:05:05.673228 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
18 packets shown
ciscoasa(config)#
I think you nailed it my friend!
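As an added example (not from this thread or from any Cisco tool), a small Python script that reads the inside-interface `show capture` output above and classifies which leg of the ping is failing, the same reasoning Rohit applied by eye; the host addresses, the constructed capture strings and the result labels are assumptions:

```python
import re

# One ICMP echo line of ASA "show capture" output, e.g.
# "2: 06:04:57.686274 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply"
# (the 802.1Q prefix is optional: untagged interfaces omit it).
CAP_LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"icmp: echo (?P<kind>request|reply)"
)

def parse_capture(text):
    """Return (src, dst, kind) for every ICMP echo line; prompts and the
    'N packets captured/shown' lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            packets.append((m.group("src"), m.group("dst"), m.group("kind")))
    return packets

def diagnose(packets, local_host, remote_host):
    """Read an inside-interface capture taken on the ASA in front of local_host
    while remote_host pings it. 'no-traffic': no request reached the inside
    interface, look upstream (tunnel, crypto ACL, NAT). 'reply-missing': requests
    reached the LAN but the host never answered, look at the host (firewall,
    return route). 'ok': both directions seen, the ASA and tunnel are fine."""
    requests_in = sum(1 for s, d, k in packets
                      if k == "request" and s == remote_host and d == local_host)
    replies_out = sum(1 for s, d, k in packets
                      if k == "reply" and s == local_host and d == remote_host)
    if requests_in == 0:
        return "no-traffic"
    if replies_out == 0:
        return "reply-missing"
    return "ok"

# Constructed samples in the format of the thread's capture output.
WORKING_CAPTURE = """\
2 packets captured
1: 06:04:57.685602 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
2: 06:04:57.686274 802.1Q vlan#1 P0 10.1.1.5 > 192.168.135.60: icmp: echo reply
2 packets shown
"""
# Same ping with the host's firewall silently dropping the requests (constructed).
BLOCKED_CAPTURE = """\
1: 06:04:57.685602 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
2: 06:04:58.683360 802.1Q vlan#1 P0 192.168.135.60 > 10.1.1.5: icmp: echo request
"""
```

Paste the real `show capture cap1` text in place of the constructed strings and call `diagnose(parse_capture(text), "10.1.1.5", "192.168.135.60")`.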
05-11-2015 08:13 AM
Windows Firewall does it always.
Anyways, glad that it worked now.
:)
05-11-2015 08:49 AM
Rohit,
Is there a way to send a private message? I was curious if I could pick your brain about something that isn't directly related to this exact thread topic.
Thanks again for helping me fix this!
05-11-2015 09:25 AM
Sure.