03-26-2015 05:31 AM - edited 03-11-2019 10:42 PM
I have a remote site I'm trying to set up monitoring on and I can't get the inside interface to respond to a ping or SNMP requests. I have tried everything I can find in the forums and on the web but this location will not cooperate. I have full access to the ASA and to the inside network behind it. The IPSEC VPN tunnel is working perfectly. I see the ping requests in the log on the ASA. I turned on ICMP debugging and only see the echo request, never an echo reply. Below is a partial configuration. If you need any more information, let me know.
names
name 192.168.0.0 Domain
name 1.1.1.2 MCCC_Outside
name 172.31.10.0 VLAN10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.23.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
boot system disk0:/asa847-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mtcomp.org
object network obj-192.168.23.0
subnet 192.168.23.0 255.255.255.0
object network Domain
subnet 192.168.0.0 255.255.0.0
object network 172.31.0.0
subnet 172.31.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 object Domain
access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 object Domain
access-list Outside_NAT0_inbound extended permit ip object Domain 192.168.23.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.23.0 255.255.255.0 any
access-list inside_access_in extended permit ip any 192.168.23.0 255.255.255.0 inactive
no pager
logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging asdm informational
logging device-id hostname
logging host inside 192.168.x.x 17/1514
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.23.0 obj-192.168.23.0 destination static Domain Domain no-proxy-arp route-lookup
route outside MCCC_Outside 255.255.255.255 1.1.1.1 1
route outside 172.31.0.0 255.255.0.0 192.168.1.1 1
route outside VLAN10 255.255.255.0 MCCC_Outside 1
route outside Domain 255.255.0.0 192.168.1.1 1
route outside 192.168.1.0 255.255.255.0 MCCC_Outside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.81 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.23.0 255.255.255.0 inside
snmp-server host inside 172.x.x.x community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer MCCC_Outside
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
management-access inside
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map global-policy
!
service-policy global_policy global
prompt hostname context
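As an added example (not part of this thread, and not Cisco tooling), here is a small Python audit that reads an ASA running-config excerpt like the one above and reports the points the replies in this thread raise about management traffic to the management-access interface: whether `icmp permit` covers that interface, whether the identity NAT rule covering the interface IP uses `any` as the destination interface, whether that rule carries `route-lookup`, and whether the `snmp-server host` is bound to the same interface. The checks are heuristics taken from the suggestions in this thread, not documented requirements; the config text is a constructed excerpt of the posted configuration, and the finding codes are my own.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted above (lines reproduced from the
# post; blocks indented as the ASA prints them, but the flattened form parses too).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.23.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
object network obj-192.168.23.0
 subnet 192.168.23.0 255.255.255.0
object network Domain
 subnet 192.168.0.0 255.255.0.0
icmp permit any inside
nat (inside,any) source static obj-192.168.23.0 obj-192.168.23.0 destination static Domain Domain no-proxy-arp route-lookup
snmp-server host inside 172.x.x.x community ***** version 2c
management-access inside
"""

NAT_RE = re.compile(r"^nat \((?P<sif>[^,]+),(?P<dif>[^)]+)\) source static "
                    r"(?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$")


def parse_config(text):
    """Pull out just the pieces the audit needs from an ASA running-config."""
    cfg = {"interfaces": {}, "objects": {}, "icmp_permit": set(),
           "nat": [], "snmp_hosts": set(), "management_access": None}
    ctx = None  # ("interface", name) or ("object", name) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            ctx = ("interface", line.split(None, 1)[1])
            cfg["interfaces"].setdefault(ctx[1], {})
        elif line.startswith("object network "):
            ctx = ("object", line.split(None, 2)[2])
        elif ctx and ctx[0] == "interface" and line.startswith("nameif "):
            cfg["interfaces"][ctx[1]]["nameif"] = line.split()[1]
        elif ctx and ctx[0] == "interface" and line.startswith("ip address "):
            cfg["interfaces"][ctx[1]]["ip"] = line.split()[2]
        elif ctx and ctx[0] == "object" and line.startswith("subnet "):
            net, mask = line.split()[1:3]
            cfg["objects"][ctx[1]] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif line.startswith("icmp permit "):
            cfg["icmp_permit"].add(line.split()[-1])   # last token is the interface
        elif line.startswith("snmp-server host "):
            cfg["snmp_hosts"].add(line.split()[2])
        elif line.startswith("management-access "):
            cfg["management_access"] = line.split()[1]
        else:
            m = NAT_RE.match(line)
            if m:
                cfg["nat"].append(m.groupdict())
    return cfg


def audit(cfg):
    """Return (code, detail) findings about management traffic to the
    management-access interface. Codes are this example's own naming."""
    findings = []
    mgmt = cfg["management_access"]
    if mgmt is None:
        return [("no-management-access", "management-access is not configured")]
    iface = next((i for i in cfg["interfaces"].values() if i.get("nameif") == mgmt), None)
    if not iface or "ip" not in iface:
        return [("mgmt-iface-missing", f"no interface named {mgmt} with an IP address")]
    mgmt_ip = ipaddress.ip_address(iface["ip"])
    if mgmt not in cfg["icmp_permit"]:
        findings.append(("icmp-not-permitted", f"no 'icmp permit ... {mgmt}' rule"))
    for rule in cfg["nat"]:
        net = cfg["objects"].get(rule["real"])
        if rule["sif"] != mgmt or net is None or mgmt_ip not in net:
            continue  # only identity/twice NAT whose real source covers the mgmt IP
        if rule["dif"] == "any":
            findings.append(("nat-dst-any", f"nat ({mgmt},any) covers {mgmt_ip}; thread suggests ({mgmt},outside)"))
        if "route-lookup" not in rule["rest"].split():
            findings.append(("nat-no-route-lookup", f"nat ({mgmt},{rule['dif']}) covering {mgmt_ip} lacks route-lookup"))
    if cfg["snmp_hosts"] and mgmt not in cfg["snmp_hosts"]:
        findings.append(("snmp-host-other-iface", f"snmp-server host is not bound to {mgmt}"))
    return findings


def audit_text(text):
    return audit(parse_config(text))


if __name__ == "__main__":
    for code, detail in audit_text(ASA_CONFIG):
        print(f"{code}: {detail}")
```

Run against the posted excerpt it reports only `nat-dst-any`, which is exactly the change the first reply proposes; removing `route-lookup` from the NAT line makes the second finding appear as well.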
03-26-2015 06:04 AM
Hi,
Configuration looks good to me.
Are you facing the same issue with the Telnet , SSH , ASDM traffic as well ?
Try to change this NAT:
nat (inside,any) source static obj-192.168.23.0 obj-192.168.23.0 destination static Domain Domain no-proxy-arp route-lookup
to:
nat (inside,outside) source static obj-192.168.23.0 obj-192.168.23.0 destination static Domain Domain no-proxy-arp route-lookup
See if that helps.
Thanks and Regards,
Vibhor Amrodia
03-26-2015 06:15 AM
I tried that and it didn't change anything. I have full access to the ASA via ASDM, and SSH. I can ping anything on the inside except the inside interface itself. I can also ping back from that location to the rest of my network.
03-27-2015 08:45 AM
Hi,
Apply these captures and see if you see any ICMP packets in the captures after you test:
capture asp type asp-drop all
Thanks and Regards,
Vibhor Amrodia
03-27-2015 08:56 AM
None of the entries appear to be related to the ping. I was running a constant ping and there were 85 entries in the cap. They were all for UDP port 50 and none for the IP I was pinging from. Example:
50: 11:39:42.959255 802.1Q vlan#1 P0 192.168.23.xx.137 > 192.168.23.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
51: 11:40:03.524692 802.1Q vlan#1 P0 192.168.23.xx.137 > 192.168.23.255.137: udp 50
52: 11:40:04.287491 802.1Q vlan#1 P0 192.168.23.xx.137 > 192.168.23.255.137: udp 50
53: 11:40:05.051892 802.1Q vlan#1 P0 192.168.23.xx.137 > 192.168.23.255.137: udp 50
54: 11:40:08.252474 802.1Q vlan#1 P0 192.168.23.xx.137 > 192.168.23.255.137: udp 50
03-27-2015 09:46 AM
Here is more info:
I ran this PCAP - capture capin interface inside match ip host 192.168.1.81 any
and then pinged a workstation on the inside from this host. I got these results.
199: 12:27:33.719292 802.1Q vlan#1 P0 192.168.1.81 > 192.168.23.16: icmp: echo request
200: 12:27:33.719552 802.1Q vlan#1 P0 192.168.23.16 > 192.168.1.81: icmp: echo reply
But when I pinged the inside interface from the same computer nothing showed in the PCAP. What am I missing?
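The two capture listings in this thread (the asp-drop capture and the capin capture) can be scanned mechanically rather than by eye. This added Python script is not part of the thread: it re-joins lines that the terminal wrapped, parses the ASA `show capture` line format shown above, tallies the Drop-reason codes, and lists echo requests that never received a matching reply, which is the symptom the original poster describes. The sample input is constructed from the posted lines plus one hypothetical packet (201, a request to 192.168.23.1 with no reply) to exercise the unanswered-request check.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples in the format of the two "show capture" listings posted above.
# Packets 50-51 mirror the asp-drop capture, 199-200 mirror the capin capture, and
# 201 is a hypothetical echo request to the inside interface that gets no reply.
ASP_DROP_SAMPLE = """\
50: 11:39:42.959255 802.1Q vlan#1 P0 192.168.23.xx.137 > 192.168.23.255.137:
udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
51: 11:40:03.524692 802.1Q vlan#1 P0 192.168.23.xx.137 > 192.168.23.255.137:
udp 50
"""

CAPIN_SAMPLE = """\
199: 12:27:33.719292 802.1Q vlan#1 P0 192.168.1.81 > 192.168.23.16: icmp: echo
request
200: 12:27:33.719552 802.1Q vlan#1 P0 192.168.23.16 > 192.168.1.81: icmp: echo
reply
201: 12:27:34.101000 802.1Q vlan#1 P0 192.168.1.81 > 192.168.23.1: icmp: echo
request
"""

RECORD_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<time>\S+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\S+) > (?P<dst>\S+):\s*(?P<info>.*)$")
DROP_RE = re.compile(r"\s*Drop-reason: \((?P<code>[^)]+)\).*$")


@dataclass
class Packet:
    seq: int
    time: str
    src: str
    dst: str
    info: str                   # e.g. "icmp: echo request" or "udp 50"
    drop_reason: Optional[str]  # asp-drop code such as "sp-security-failed"


def _join_wrapped(text: str) -> List[str]:
    """A record starts with '<seq>:'; any other line is a wrapped continuation."""
    records: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"^\d+:", line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def strip_port(addr: str) -> str:
    """The ASA prints 'a.b.c.d.port' for TCP/UDP; drop the port if present."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def parse_capture(text: str) -> List[Packet]:
    packets = []
    for rec in _join_wrapped(text):
        m = RECORD_RE.match(rec)
        if not m:
            continue  # skips header lines such as "N packets captured"
        info = m["info"]
        d = DROP_RE.search(info)
        reason = d["code"] if d else None
        if d:
            info = info[:d.start()].strip()
        packets.append(Packet(int(m["seq"]), m["time"], m["src"], m["dst"], info, reason))
    return packets


def unanswered_echo_requests(packets: List[Packet]) -> List[Tuple[str, str]]:
    """(requester, target) pairs with an echo request but no reply from target."""
    requests, answered, result = [], set(), []
    for p in packets:
        if p.info == "icmp: echo request":
            requests.append((strip_port(p.src), strip_port(p.dst)))
        elif p.info == "icmp: echo reply":
            answered.add((strip_port(p.dst), strip_port(p.src)))
    for pair in requests:
        if pair not in answered and pair not in result:
            result.append(pair)
    return result


def drop_reason_summary(packets: List[Packet]) -> Counter:
    """Count asp-drop codes so unrelated noise (the NetBIOS broadcasts above) stands out."""
    return Counter(p.drop_reason for p in packets if p.drop_reason)


if __name__ == "__main__":
    print("unanswered:", unanswered_echo_requests(parse_capture(CAPIN_SAMPLE)))
    print("drops:", drop_reason_summary(parse_capture(ASP_DROP_SAMPLE)))
```

On the constructed input the workstation ping (199/200) pairs up and only the request to 192.168.23.1 is reported as unanswered; the asp-drop sample yields a single `sp-security-failed` count, matching the poster's observation that the dropped packets were unrelated NetBIOS traffic.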
05-29-2015 03:33 PM
There is a bug introduced in 8.4(2) and above that prevents management traffic (ping, SSH, SNMP etc.) from a VPN tunnel to the interface defined in "management-access intf". See the release notes for 8.4(2) for a complete discussion.
Add the keyword route-lookup to the nat 0 statement with the subnet that overlaps the IP of the management interface. So in your case:
access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.1.0 255.255.255.0 route-lookup
That should fix it.
03-26-2015 06:19 AM
I forgot to mention the ASA is running 8.4(7).
03-27-2015 03:07 PM
Hi,
First of all let me clarify your trial.
Where is your monitoring server?
Is it behind inside or outside interface (please share ip adress)?
From the config it seems it can be reached via the outside interface. Then you have to make the SNMP check on the outside interface, not on the inside (you cannot make an SNMP/ping check on the inside interface with the request coming through the outside interface; it simply won't work).
From the first check of routing table, I would suggest:
delete: route outside MCCC_Outside 255.255.255.255 1.1.1.1 1 - it doesn't make sense to route a host address when it's a directly connected network (and more, routing 1.1.1.2 to 1.1.1.1, when 1.1.1.1 is the vlan2 interface)
change: route outside 172.31.0.0 255.255.0.0 192.168.1.1 1; route outside Domain 255.255.0.0 192.168.1.1 1 - you should consider routing them to 1.1.1.2 (if this is your next-hop address at the WAN).
route outside VLAN10 255.255.255.0 MCCC_Outside 1 - why?
I would use default route to somewhere at 1.1.1.0/24 range - next hop (router).
HTH,
Pavel
03-30-2015 07:18 AM
Monitoring server is on the central site end of the VPN tunnel in the 172.31.10.0 vlan. What do you mean by "make snmp check on outside interface"? Also, I thought the purpose of the command Management-interface inside was to allow pings and snmp to the inside interface across the tunnel?
As far as the routes go, I changed the actual live IPs for the 2 outside interfaces to 1.1.1.1 and 1.1.1.2, sorry for the confusion. I don't see how it would be a routing issue since I can ping anything on the inside from either end of the tunnel? I don't mind changing anything for testing though because I really need this to work.
05-31-2015 01:02 PM
You don't have a tunnel-group configured for the site-to-site VPN. Did you leave this config out, or have you not configured it? Is the VPN tunnel up? Do you see encrypted traffic?
show crypto isa sa
show crypto ipsec sa
--
Please remember to select a correct answer and rate helpful posts