04-23-2010 09:27 AM - edited 03-11-2019 10:36 AM
Hi
I am facing a strange problem.
I have attached the diagram that I could make best.
Now the problem is that:
I can ping from 172.16.15.0 > 10.10.16.0/24 (all the IP addresses)
I can ping from 172.16.15.0 (any IP) > 10.10.16.22 (single IP passes)
I can ping from 172.16.15.0 (any IP) > 10.10.16.X (all other IPs except .22 fail)
I tried an extended ping from the router interface IP 10.10.16.254 (secondary) to 172.16.15.0 (all IPs) and it is successful.
The configuration and ACL (both sides) seem to be OK; the VPN tunnel is also up, that's why the data is passing and pinging.
Also we found that there are ACL hits in the router, but there are no ACL hits in the ASA; also there is no duplicate ACL, so there is no chance of hitting any other ACL.
Also a single interface in the router has been used for LAN as well as WAN, and WAN connectivity is via wireless (ISP).
Please find the config below. As I can't share all the config and VPN details, I am partially sharing the required parts.
Router:
------------------ show version ------------------
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T10 , RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 12:48 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
SUZSOUTH-BGHALLI_WTG-TATANET uptime is 1 hour, 29 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-15.T10.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 1841 (revision 7.0) with 236544K/25600K bytes of memory.
Processor board ID FHK135270VD
2 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
interface FastEthernet0/1
ip address 10.10.16.254 255.255.255.0 secondary
ip address 10.100.134.2 255.255.255.0 secondary
ip address 121.243.2.154 255.255.255.252
duplex auto
speed auto
crypto map Outside-Map
ip route 0.0.0.0 0.0.0.0 121.243.2.153
ip access-list extended Site_B_map
permit ip 10.10.16.0 0.0.0.255 10.101.150.0 0.0.0.255
permit ip 10.10.16.0 0.0.0.255 172.16.15.0 0.0.0.255
====================================================================
ASA:
interface GigabitEthernet0/0
description ### WAN Interface ###
nameif Outside
security-level 0
ip address 122.184.59.100 255.255.255.224 standby 122.184.59.101
!
interface GigabitEthernet0/1
description ### LAN Interface ###
nameif Inside
security-level 100
ip address 10.102.3.15 255.255.255.0 standby 10.102.3.14
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/3
nameif Outside-Backup
security-level 0
ip address 121.242.42.4 255.255.255.192
!
access-list ASA-Site-B-ACL extended permit ip 172.16.15.0 255.255.255.0 10.10.16.0 255.255.255.0
access-list ASA-Site-B-ACL extended permit ip 10.11.150.0 255.255.255.0 10.10.16.0 255.255.255.0
access-list ASA-Site-B-ACL extended permit ip 10.101.150.0 255.255.255.0 10.10.16.0 255.255.255.0
Route:
route Outside 0.0.0.0 0.0.0.0 122.184.59.97 1 track 1
route Outside 0.0.0.0 0.0.0.254 122.184.59.97 1
ASA Version: 7.2(4)
Any help is appreciated
Thanks
Rupam
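A mirror-image check of the two interesting-traffic ACLs posted above, as an added example and not code from the thread: it parses the IOS wildcard-mask ACEs and the ASA subnet-mask ACEs into networks, reports any ACE that has no reversed counterpart on the other side, and tests whether a given source/destination pair is "interesting" on each side. It assumes contiguous wildcard masks on the IOS side, and the ACE lists are constructed from the post.

```python
import ipaddress

# Constructed from the ACLs in the post: IOS uses wildcard masks,
# ASA 7.2 uses subnet masks.
ROUTER_ACL = [
    "permit ip 10.10.16.0 0.0.0.255 10.101.150.0 0.0.0.255",
    "permit ip 10.10.16.0 0.0.0.255 172.16.15.0 0.0.0.255",
]
ASA_ACL = [
    "access-list ASA-Site-B-ACL extended permit ip 172.16.15.0 255.255.255.0 10.10.16.0 255.255.255.0",
    "access-list ASA-Site-B-ACL extended permit ip 10.11.150.0 255.255.255.0 10.10.16.0 255.255.255.0",
    "access-list ASA-Site-B-ACL extended permit ip 10.101.150.0 255.255.255.0 10.10.16.0 255.255.255.0",
]


def wildcard_to_netmask(wild):
    """A contiguous IOS wildcard (0.0.0.255) is the bitwise inverse of a subnet mask."""
    return ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)


def parse_ace(line, wildcard):
    """Return (src_net, dst_net) from a 'permit ip A MASK B MASK' ACE (IOS or ASA syntax)."""
    tok = line.split()
    i = tok.index("permit")
    src, smask, dst, dmask = tok[i + 2:i + 6]
    if wildcard:
        smask, dmask = wildcard_to_netmask(smask), wildcard_to_netmask(dmask)
    return (ipaddress.ip_network(f"{src}/{smask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=False))


def unmirrored(local, remote, local_is_ios):
    """ACEs on `local` whose reversed (dst, src) pair does not appear on `remote`."""
    remote_pairs = {parse_ace(l, not local_is_ios) for l in remote}
    return [l for l in local if parse_ace(l, local_is_ios)[::-1] not in remote_pairs]


def is_interesting(acl, wildcard, src_ip, dst_ip):
    """True if the src/dst pair matches any ACE, i.e. would be offered to the crypto map."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in (parse_ace(l, wildcard) for l in acl))


if __name__ == "__main__":
    print("router ACEs without ASA mirror:", unmirrored(ROUTER_ACL, ASA_ACL, True))
    print("ASA ACEs without router mirror:", unmirrored(ASA_ACL, ROUTER_ACL, False))
    # A failing host (.21) matches the interesting-traffic ACL on both sides,
    # so the ACLs themselves do not explain why .22 works and .21 does not.
    print(is_interesting(ROUTER_ACL, True, "10.10.16.21", "172.16.15.5"))
    print(is_interesting(ASA_ACL, False, "172.16.15.5", "10.10.16.21"))
```

Running it shows the 10.11.150.0 ACE on the ASA has no mirror on the router, while the 172.16.15.0 pair is mirrored on both sides and matches the failing hosts, which points the investigation away from the ACLs and toward the LAN side (default gateway or ARP on the .21/.23 devices).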
04-26-2010 07:51 AM
Try it from the CLI; you can see if the action is VPN encrypt or VPN drop. You should also see an increment on your interesting-traffic ACL.
-skint
04-27-2010 07:51 AM
Hi
Thanks to all of you for sharing your ideas.
It seems that the packets for some of the remote devices are not reaching the remote router interface.
It may be a problem and we are planning to test the same.
Also at the remote end my router has only one interface configured for LAN and WAN, and I have given the LAN IP as secondary and the WAN IP as primary on the same interface.
.22 is an end host connected to the common switch where the router and wireless device are connected.
.22 is able to ping but the other IPs can't ping (.21, .23 etc.); those are some power rating devices. But from the router LAN interface I was able to ping the device the de the
05-06-2010 01:55 AM
Will disabling proxy ARP on the router (remote) side help in this case?