08-12-2014 12:25 AM - edited 03-11-2019 09:37 PM
Hello,
I have two ASA sites, Site A and Site B; the ASA type is 5512-X. At Site A there is a router behind the ASA which I am trying to ping.
When I try to ping from Site B (laptop 192.168.11.11) to the management address of the Cisco router at Site A (192.168.100.1),
the Site B ASA reports:
"the ASA deny inbound icmp src 192.168.11.11 ip address destination management 192.168.100.1."
Here are Site B's ACLs; are there any errors, or is something missing? How should the ACL and NAT be configured so that traffic between these two LANs succeeds?
access-list outside_cryptomap extended permit object-group DM_INLINE_SERVICE_1 object site-SiteB object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 object site-SiteB
nat (inside,outside) source static site-SiteB site-SiteB destination static SiteA SiteA no-proxy-arp route-lookup inactive
access-group outside_access_in in interface outside
Thanks for the help.
08-12-2014 03:20 AM
Hi,
Please share the ASA configs from both sides. Thank you.
08-12-2014 08:32 AM
Hi,
Please do not use a service-based ACL for your crypto map; make it an IP-protocol ACL if you are running a site-to-site VPN.
site a:
access-list outside_cryptomap extended permit ip <object_sitea> <object_siteb>
site b:
access-list outside_cryptomap extended permit ip <object_siteb> <object_sitea>
Your no-NAT statement at the one end you pasted is fine. Check whether phase 1 and phase 2 of your site-to-site LAN tunnel come up.
If you have direct connectivity, your scenario will be different.
Regards
Karthik
08-12-2014 01:48 PM
OK, I will add those ACLs and see what happens.
Yes, I have configured a site-to-site VPN. IPsec is up and the VPN LED is lit.
But the VPN statistics show only IKEv1; I can't see IKEv2 anywhere. Is there a configuration error in the VPN tunnel, since I can't see any IKEv2 phase?
BR,
Terno
08-12-2014 08:31 PM
Hi,
Can you share the outputs of sh isakmp sa and sh crypto ipsec sa?
isakmp is for phase 1 and ipsec is for phase 2.
If needed I can give you sample site-to-site configurations.
Regards
Karthik
08-19-2014 05:21 AM
OK, here...
It seems that the tunnel between my LAN-to-LAN networks 11.0 <-> 20.0 works?
But I would like to use my management network 100.0 at Site A and also at Site B.
How should this be configured so that Site B (management address 100.5) can have management access to Site A (100.1) through this tunnel?
Address 100.1 is located behind the Site A ASA and address 100.5 is located behind the Site B ASA.
ASA01# show isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.0.1.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
ASA01# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 10.0.1.1
access-list outside_cryptomap extended permit icmp 192.168.20.0 255.255.255.0 192.168.11.0 255.255.255.0
local ident (addr/mask/prot): (192.168.20.0/255.255.255.0/1)
remote ident (addr/mask/prot): (192.168.11.0/255.255.255.0/1)
current_peer: 10.0.1.2
#pkts encaps: 9218, #pkts encrypt: 9218, #pkts digest: 9218
#pkts decaps: 9218, #pkts decrypt: 9218, #pkts verify: 9218
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9218, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.1.1/0, remote crypto endpt.: 10.0.1.2/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A9B7358F
current inbound spi : 41511E3F
inbound esp sas:
spi: 0x41511E3F (1095835199)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 1945600, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914987/9138)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xA9B7358F (2847356303)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 1945600, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914987/9138)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
BR,
Terno
08-19-2014 05:39 AM
Hi,
You have to NAT those management subnets at both ends to different IP ranges, and those ranges have to be added to the crypto ACLs, since you have overlapping networks at both ends, meaning the same subnet for management. You also have to enable firewall management access through the VPN tunnel.
management-access <interface> -- this will enable management traffic over a VPN tunnel.
Regards
Karthik
08-20-2014 05:21 AM
Hi Karthik,
I configured static NAT at both sites. Do I need to add any static routes for the new networks (221.0 and 222.0) after configuring the static NAT?
Here is my NAT configuration; can you please check whether it is right? After this configuration I was still unable to get the management connection to work.
Here is Site A:
object network management
subnet 192.168.100.0 255.255.255.0
object network SiteA-NAT
subnet 192.168.221.0 255.255.255.0
object network SiteB-NAT
subnet 192.168.222.0 255.255.255.0
nat (management,outside) source static management SiteA-NAT destination static SiteB-NAT SiteB-NAT
access-list l2l extended permit ip object SiteA-NAT object SiteB-NAT
Is the command nat (management,outside) right, or should it be nat (inside,outside)?
Here is Site B:
object network management
subnet 192.168.100.0 255.255.255.0
object network SiteB-NAT
subnet 192.168.222.0 255.255.255.0
object network SiteA-NAT
subnet 192.168.221.0 255.255.255.0
nat (management,outside) source static management SiteB-NAT destination static SiteA-NAT SiteA-NAT
access-list l2l extended permit ip object SiteB-NAT object SiteA-NAT
Thank you again for help,
BR, Terno
08-20-2014 05:45 AM
Hi,
Your configs should be okay. If you use (inside,outside) in the NAT, then you can provide management access to the inside interface IP through the VPN tunnel; otherwise your configs should be okay.
The management-access <interface> command is very much needed to allow access through the VPN tunnel.
The ACL and ssh commands should also allow the same.
Regards
Karthik
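As an added example (not from the thread, and not Cisco's code), here is a small Python model of the NAT-then-crypto-ACL logic the two posts above describe, built from the configurations Terno posted. It assumes both management subnets are 192.168.100.0/24, that Site A is presented to the tunnel as 192.168.221.0/24 (SiteA-NAT) and Site B as 192.168.222.0/24 (SiteB-NAT), and that the ASAs use the 8.3+ NAT model, where the twice-NAT rule is applied before the crypto-map ACL is matched. The host 192.168.100.5 at Site B, the router 192.168.100.1 at Site A, and the ssh/ping traffic are constructed sample input. The model traces one packet hop by hop and also checks that the two crypto ACLs are mirrors of each other, which is what the proxy IDs on both ends have to agree on.

```python
"""Model of two ASAs hiding the same management subnet behind twice NAT.

Added example for this thread; not from the original posts or from Cisco.
Assumed (constructed) addressing: Site A mgmt 192.168.100.0/24 -> 192.168.221.0/24
in the tunnel, Site B mgmt 192.168.100.0/24 -> 192.168.222.0/24. Assumed ASA
8.3+ behaviour: NAT is applied first, then the crypto ACL is matched on the
translated (mapped) addresses.
"""
from dataclasses import dataclass
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def _shift(addr: Addr, from_net: Net, to_net: Net) -> Addr:
    """Static net-to-net NAT: keep the host part, swap the network part."""
    return Addr(int(to_net.network_address) + (int(addr) - int(from_net.network_address)))


@dataclass(frozen=True)
class TwiceNat:
    """nat (real_if,outside) source static REAL MAPPED destination static DST DST"""
    real: Net    # real source subnet behind this ASA
    mapped: Net  # how that subnet appears inside the tunnel
    dst: Net     # far-end mapped subnet, identity-translated

    def outbound(self, src: Addr, dst: Addr):
        """Inside -> tunnel: rewrite the source only for traffic to the far-end mapped net."""
        if src in self.real and dst in self.dst:
            return _shift(src, self.real, self.mapped), dst
        return src, dst

    def inbound(self, src: Addr, dst: Addr):
        """Tunnel -> inside: untranslate the destination back to the real address."""
        if src in self.dst and dst in self.mapped:
            return src, _shift(dst, self.mapped, self.real)
        return src, dst


def parse_ace(line: str, objects=None):
    """'access-list NAME extended permit PROTO SRC DST' -> (proto, src_net, dst_net).
    SRC/DST are either 'object NAME' (resolved via objects) or 'A.B.C.D MASK'."""
    objects = objects or {}
    tok = line.split()
    if tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
        raise ValueError(f"unsupported ACE: {line}")
    proto, rest, nets = tok[4], tok[5:], []
    while rest:
        nets.append(objects[rest[1]] if rest[0] == "object" else Net(f"{rest[0]}/{rest[1]}"))
        rest = rest[2:]
    return (proto, nets[0], nets[1])


def ace_matches(ace, proto: str, src: Addr, dst: Addr) -> bool:
    p, s, d = ace
    return p in ("ip", proto) and src in s and dst in d


def mirrored(acl_a, acl_b) -> bool:
    """Crypto ACLs must be exact mirrors (src/dst swapped) or the proxy IDs disagree."""
    return len(acl_a) == len(acl_b) and all((p, d, s) in acl_b for p, s, d in acl_a)


def trace(proto, src, dst, nat_local, acl_local, nat_remote, acl_remote):
    """Follow one packet from a host behind the local ASA to a host behind the remote ASA.
    Returns (stage, src, dst) hops; the last stage names the outcome."""
    s, d = nat_local.outbound(Addr(src), Addr(dst))
    hops = [("local NAT", s, d)]
    if not any(ace_matches(a, proto, s, d) for a in acl_local):
        return hops + [("not interesting traffic at local site, never encrypted", s, d)]
    # the far end checks the decrypted packet against its own ACL in the reverse direction
    if not any(ace_matches(a, proto, d, s) for a in acl_remote):
        return hops + [("remote crypto ACL does not match, dropped after decrypt", s, d)]
    s, d = nat_remote.inbound(s, d)
    return hops + [("remote NAT", s, d), ("delivered", s, d)]


# Objects and rules as posted for both sites (masks assumed /24).
OBJ = {"SiteA-NAT": Net("192.168.221.0/24"), "SiteB-NAT": Net("192.168.222.0/24")}
SITE_A_ACL = [parse_ace("access-list l2l extended permit ip object SiteA-NAT object SiteB-NAT", OBJ)]
SITE_B_ACL = [parse_ace("access-list l2l extended permit ip object SiteB-NAT object SiteA-NAT", OBJ)]
SITE_A_NAT = TwiceNat(Net("192.168.100.0/24"), OBJ["SiteA-NAT"], OBJ["SiteB-NAT"])
SITE_B_NAT = TwiceNat(Net("192.168.100.0/24"), OBJ["SiteB-NAT"], OBJ["SiteA-NAT"])
# The icmp-only crypto ACL from the 'show crypto ipsec sa' output earlier in the thread.
ICMP_ONLY = [parse_ace("access-list outside_cryptomap extended permit icmp "
                       "192.168.20.0 255.255.255.0 192.168.11.0 255.255.255.0")]


def ssh_from_b_to_a():
    """Site B admin (constructed host .5) must target the mapped address 192.168.221.1."""
    return trace("tcp", "192.168.100.5", "192.168.221.1",
                 SITE_B_NAT, SITE_B_ACL, SITE_A_NAT, SITE_A_ACL)


if __name__ == "__main__":
    print("crypto ACLs mirrored:", mirrored(SITE_A_ACL, SITE_B_ACL))
    for hop in ssh_from_b_to_a():
        print(hop)
```

Two things the trace makes visible that the thread only implies: with overlapping subnets, the Site B admin has to connect to 192.168.221.1, because a packet for 192.168.100.1 is local to Site B's own management subnet and never reaches the tunnel; and an icmp-only crypto ACL such as the one in the earlier show output matches ping but not ssh, which is why the advice is to write the crypto ACL for ip rather than a service.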