08-12-2013 06:10 AM - edited 03-11-2019 07:24 PM
Hello,
I've installed two ASAs in two offices; all works well, but from the ASA inside interface I can't ping my remote networks.
The two sites are connected with GRE/IPsec tunnels. From the routers I can ping my remote networks (both sides).
I've looked in the forum and it seems someone solved this with "route-lookup" as an option in the NAT line, but I already have this enabled.
For example:
NAT:
nat (inside,outside) source static obj-LAN obj-LAN destination static obj-REMOTE-net obj-REMOTE-net no-proxy-arp route-lookup
ACL:
access-list ACL-OUTSIDE extended permit ip object obj-REMOTE-net any
Routes are received by an eigrp process:
D 192.168.2.0 255.255.255.0
[90/14057472] via 194.194.194.1, 0:06:04, outside
From all hosts behind the inside interface I can ping my remote networks.
Thanks all for help.
Kind regards,
Nicola
08-12-2013 07:36 AM
Hello,
Are you trying to do it like this :
ping inside x.x.x.x.
If that's the case, it's not going to work, as the ASA is sending the traffic via the inside interface; it is not being sourced from it. This is a common misconception.
Check my blog at http://laguiadelnetworking.com for further IT information.
Cheers,
Julio Carvajal Segura
08-12-2013 07:44 AM
Hello,
I'm simply trying:
ping ip_remote
Thanks,
N.
08-12-2013 09:08 AM
Hello,
Can you add
management-access inside asa
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-12-2013 11:28 AM
Nothing changed. If I try to trace the packet, these are the results:
packet-tracer input inside-g tcp 192.168.1.42 80 192.168.2.31 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside-g,outside) source static obj-LAN-G obj-LAN-G destination static obj-LAN-BO obj-LAN-BO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.31/80 to 192.168.2.31/80
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside-g
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-12-2013 12:09 PM
Hello,
Expected behavior; don't use the ASA interface IP address for packet-tracer tests.
Again, how are you trying to test this?
If you do a ping ip_remote it will try to use the interface closest to the destination. Is the interface closest to the destination the inside interface?
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-12-2013 12:22 PM
Yes, a simple diagram is:
host1-LAN1--insideASA1outside--ROUTER1------GREtunnel------ROUTER2--outsideASA2inside---LAN2-host2
If I ping host2 from host1, all is OK.
If I ping host1 from host2, all is OK.
If I ping host2 from ROUTER1, all is OK.
If I ping host1 from ROUTER2, all is OK.
If I ping host2 from ASA1, it does not work.
If I ping host1 from ASA2, it does not work.
Thanks
08-12-2013 03:34 PM
Hello,
Facts:
Does traffic over the GRE tunnel include the outside subnets of both ASAs?
Can you ping ASA2 from ASA1?
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-12-2013 11:00 PM
Hello,
No, from ASA1 I can't ping ASA2 and vice versa, and yes, the outside subnets are routed over the GRE tunnel.
Thanks!
08-12-2013 11:40 PM
Hello,
If they can communicate with each other via the outside interface, then there should be an issue on the network in between (the GRE tunnel).
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-13-2013 12:27 AM
It would be better to have your addressing scheme and see what you're trying to ping from where. In your packet tracer it looks like you're trying to ping from the ASA's inside interface, which won't work. Have you tried to ping just from ASA1 to ASA2? Do both ASAs know that traffic to the other ASA should go through the corresponding ISR? Are those ISRs the default gateways for each ASA?
08-13-2013 04:45 AM
I hope that the attached JPG can clarify my network.
- ISRs are the default gateway for both ASAs.
- If I ping the ASA2 outside interface from ASA1, all is OK; same from ASA2 to ASA1.
- If I ping a host on 192.168.2.0/24 from router1, it works.
- If I ping a host on 192.168.1.0/24 from router2, it works.
- If I ping a host on 192.168.3.0/24 from router2, it works.
- If I ping a host on 192.168.2.0/24 from the 192.168.1.0 subnet, it works.
- If I ping a host on 192.168.2.0/24 from the 192.168.3.0 subnet, it works.
- If I ping a host on 192.168.1.0/24 from the 192.168.2.0 subnet, it works.
- If I ping a host on 192.168.3.0/24 from the 192.168.2.0 subnet, it works.
- If I ping a host on 192.168.2.0/24 from ASA1, it does NOT work.
- If I ping a host on 192.168.1.0/24 from ASA2, it does NOT work.
- If I ping a host on 192.168.3.0/24 from ASA2, it does NOT work.
ASA1 routing table:
D 192.168.2.0 255.255.255.0
[90/14057472] via 1.1.1.1, 0:50:28, outside
D 6.6.6.1 255.255.255.248
[90/14054912] via 1.1.1.1, 0:50:28, outside
ASA2 routing table:
D 192.168.1.0 255.255.255.0
[90/14057472] via 6.6.6.1, 0:01:21, outside
D 1.1.1.0 255.255.255.0
[90/14054912] via 6.6.6.1, 0:01:21, outside
D 192.168.3.0 255.255.255.0
[90/14057472] via 6.6.6.1, 0:01:21, outside
Thanks,
N.
08-13-2013 06:03 AM
To my understanding there might be two things:
1. The ASAs are not the default gateways for their LANs, and a host, say on site B (where ASA2 sits), doesn't know the route back towards ASA1 when replying to the ICMP.
2. Or, in the same situation, ASA2 doesn't allow the returning ICMP traffic back from the host towards the ASA1 outside IP, due to the ACL configuration.
Another thing is that some NAT rules might be configured on either ASA with no NAT exemption for communication between some LAN and the opposite ASA's outside IP.
I don't really think that you've got one of those things, but to me there should be nothing else preventing this communication given the environment that you've got (with all those pings between subnets and ASAs working fine).
08-13-2013 06:34 AM
The ASAs are the default GW for their respective LANs. For point 2, if I trace the packets I can see that they are blocked:
packet-tracer input inside-g tcp 192.168.1.42 80 192.168.2.31 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside-g,outside) source static obj-LAN-G obj-LAN-G destination static obj-LAN-BO obj-LAN-BO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.31/80 to 192.168.2.31/80
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside-g
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
192.168.1.42 is the ASA1 inside IP address. But I have an explicit ACL that permits ALL traffic from 192.168.1.0/24.
I've also tried to add an ACL for the specific IP of the inside interface, but with no results.
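As an added example (not from the thread, and not Cisco's own tooling): a small Python parser for the packet-tracer output quoted above. It splits the trace into phases, finds the first phase that reports DROP, extracts the drop-reason code from the final Result block, and flags the pitfall raised earlier in the thread, namely a trace whose source is one of the ASA's own interface addresses. SAMPLE is the trace from the post above with the interface-status lines left out; the set of interface IPs is something the caller supplies (here 192.168.1.42, which the post identifies as ASA1's inside address).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Trace quoted in the post above (abridged: the interface status lines are left out).
SAMPLE = """\
packet-tracer input inside-g tcp 192.168.1.42 80 192.168.2.31 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside-g,outside) source static obj-LAN-G obj-LAN-G destination static obj-LAN-BO obj-LAN-BO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.31/80 to 192.168.2.31/80
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside-g
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class Trace:
    command: Optional[str]   # the echoed "packet-tracer input ..." line, if present
    phases: List[Phase]
    summary: Dict[str, str]  # trailing "Result:" block: interfaces, Action, Drop-reason

def parse_packet_tracer(text: str) -> Trace:
    command, phases, summary = None, [], {}
    section, in_summary = None, False
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith("packet-tracer "):
            command = line
        elif line.startswith("Phase:"):
            phases.append(Phase(number=int(line.split(":", 1)[1])))
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            in_summary = True
        elif in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif phases:
            cur = phases[-1]
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif line.split(":", 1)[0] in ("Type", "Subtype", "Result"):
                key, value = (s.strip() for s in line.split(":", 1))
                setattr(cur, key.lower(), value)
                section = None
            elif section == "config":
                cur.config.append(line)
            elif section == "info":
                cur.info.append(line)
    return Trace(command, phases, summary)

def first_drop(trace: Trace) -> Optional[Phase]:
    # First phase with Result DROP; None when the flow was allowed end to end.
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)

def drop_reason_code(trace: Trace) -> Optional[str]:
    # "(acl-drop) Flow is denied by configured rule" -> "acl-drop"
    m = re.match(r"\(([^)]+)\)", trace.summary.get("Drop-reason", ""))
    return m.group(1) if m else None

def source_address(trace: Trace) -> Optional[str]:
    # "packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>": source is the fifth token
    parts = trace.command.split() if trace.command else []
    return parts[4] if len(parts) > 4 else None

def sourced_from_own_interface(trace: Trace, interface_ips: Iterable[str]) -> bool:
    # The pitfall from the thread: a trace sourced from an ASA interface IP is not a valid test.
    return source_address(trace) in set(interface_ips)
```

On the trace above, `first_drop(parse_packet_tracer(SAMPLE))` returns phase 3 (ACCESS-LIST, Config "Implicit Rule") and `drop_reason_code` gives `acl-drop`; `sourced_from_own_interface(trace, {"192.168.1.42"})` is true, which is exactly the condition the earlier reply warns makes the packet-tracer result misleading for traffic the ASA itself originates.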