can't ping remote networks via GRE tunnels between cisco routers

na26
Level 1

Hello,

I've installed two ASAs in two offices. All works well, but from the ASA inside interface I can't ping my remote networks.

The two sites are connected with GRE/IPsec tunnels. From the routers I can ping my remote networks (both sides).

I've looked in the forum and it seems someone has solved this with "route-lookup" as an option in the NAT line, but I already have this enabled.

For example:

NAT:

nat (inside,outside) source static obj-LAN obj-LAN destination static obj-REMOTE-net obj-REMOTE-net no-proxy-arp route-lookup

ACL:

access-list ACL-OUTSIDE extended permit ip object obj-REMOTE-net any

Routes are received by an EIGRP process:

D    192.168.2.0 255.255.255.0
           [90/14057472] via 194.194.194.1, 0:06:04, outside

From all hosts behind the inside interface I can ping my remote networks.

Thanks all for help.

Kind regards,

Nicola

13 Replies

Julio Carvajal
VIP Alumni

Hello,

Are you trying to do it like this:

ping inside x.x.x.x

If that's the case it's not going to work, as the ASA is sending the traffic via the inside interface without sourcing it from that interface. This is a common misconception.

Check my blog at http:laguiadelnetworking.com for further IT information.


Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I'm simply trying:

ping ip_remote

Thanks,

N.

Hello,

Can you add

management-access inside asa

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Nothing changed. If I try to trace the packet, these are the results:

packet-tracer input inside-g tcp 192.168.1.42 80 192.168.2.31 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.0     255.255.255.0   outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside-g,outside) source static obj-LAN-G obj-LAN-G destination static obj-LAN-BO obj-LAN-BO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.31/80 to 192.168.2.31/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside-g
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hello,

Expected behavior: don't use the ASA interface IP address for packet-tracer tests.

Again, how are you trying to test this?

If you do a ping ip_remote, it will try to use the interface closest to the destination. Is the interface closest to the destination the inside interface?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, a simple diagram is:

host1-LAN1--insideASA1outside--ROUTER1------GREtunnel------ROUTER2--outsideASA2inside---LAN2-host2

If I ping host2 from host1, all is OK.

If I ping host1 from host2, all is OK.

If I ping host2 from ROUTER1, all is OK.

If I ping host1 from ROUTER2, all is OK.

If I ping host2 from ASA1, it does not work.

If I ping host1 from ASA2, it does not work.

Thanks

Hello,

Facts:

  • OK, so it's not a problem with ICMP through the ASA.
  • The packet is being generated on the ASA.

Is the traffic over the GRE tunnel including the outside subnets of both ASAs?

Can you ping ASA2 from ASA1?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

No, from ASA1 I can't ping ASA2 and vice versa, and yes, the outside subnets are routed over the GRE tunnel.

Thanks!

Hello,

If they can communicate with each other via the outside interface, then there should be an issue on the network in between (the GRE tunnel).

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It would be better to have your addressing scheme and see what you're trying to ping from where. In your packet tracer it looks like you're trying to ping from the ASA's inside interface, which won't work. Have you tried to ping just from ASA1 to ASA2? Do both ASAs know that traffic to the other ASA should go through the corresponding ISR? Are those ISRs the default gateways for each ASA?

na26
Level 1

I hope that the attached jpg can clarify my network.

- ISRs are the default gateway for both ASAs.

- If I ping the ASA2 outside interface from ASA1, it's OK; same from ASA2 to ASA1.

- If I ping a host on 192.168.2.0/24 from router1, it works.

- If I ping a host on 192.168.1.0/24 from router2, it works.

- If I ping a host on 192.168.3.0/24 from router2, it works.

- If I ping a host on 192.168.2.0/24 from the 192.168.1.0 subnet, it works.

- If I ping a host on 192.168.2.0/24 from the 192.168.3.0 subnet, it works.

- If I ping a host on 192.168.1.0/24 from the 192.168.2.0 subnet, it works.

- If I ping a host on 192.168.3.0/24 from the 192.168.2.0 subnet, it works.

- If I ping a host on 192.168.2.0/24 from ASA1, it does NOT work.

- If I ping a host on 192.168.1.0/24 from ASA2, it does NOT work.

- If I ping a host on 192.168.3.0/24 from ASA2, it does NOT work.

ASA1 routing table:

D    192.168.2.0 255.255.255.0
           [90/14057472] via 1.1.1.1, 0:50:28, outside
D    6.6.6.1 255.255.255.248
           [90/14054912] via 1.1.1.1, 0:50:28, outside

ASA2 routing table:

D    192.168.1.0 255.255.255.0
           [90/14057472] via 6.6.6.1, 0:01:21, outside
D    1.1.1.0 255.255.255.0
           [90/14054912] via 6.6.6.1, 0:01:21, outside
D    192.168.3.0 255.255.255.0
           [90/14057472] via 6.6.6.1, 0:01:21, outside

Thanks,

N.

To my understanding there might be two things:

1. The ASAs are not the default gateways for their LANs, and a host, say on site B (where ASA2 sits), doesn't know the route back towards ASA1 when replying to the ICMP.

2. Or, in the same situation, ASA2 doesn't allow the returning ICMP traffic back from the host towards the ASA1 outside IP, due to the ACL configuration.

Another thing is that some NAT rules might be configured on either ASA with no NAT exemption for communication between some LAN and the opposite ASA's outside IP.

I don't really think that you've got one of those things, but to me there should be nothing else preventing this communication, given the environment that you've got (with all those pings between subnets and ASAs working fine).

The ASAs are the default GW for their respective LANs. For point 2, if I trace the packets I can see that they are blocked:

packet-tracer input inside-g tcp 192.168.1.42 80 192.168.2.31 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.0     255.255.255.0   outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside-g,outside) source static obj-LAN-G obj-LAN-G destination static obj-LAN-BO obj-LAN-BO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.31/80 to 192.168.2.31/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside-g
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

192.168.1.42 is the ASA1 inside IP address. But I've an explicit ACL that permits ALL traffic from 192.168.1.0/24.

I've also tried to add an ACL for the specific IP of the inside interface, but with no results.
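When reading packet-tracer output like the one above, the useful facts are the phase that returned DROP, the Config line that matched (here "Implicit Rule", i.e. no explicit ACE was hit) and the final Drop-reason. The following parser is an added example, not code from this thread or from Cisco; SAMPLE is a constructed transcript modelled on the output quoted above, and the field layout it assumes (Phase/Type/Subtype/Result headers, then Config: and Additional Information: sections, then a bare Result: summary) is the one shown in the thread.

```python
import re

SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   192.168.2.0     255.255.255.0   outside
Phase: 2
Type: UN-NAT
Result: ALLOW
Config:
nat (inside-g,outside) source static obj-LAN-G obj-LAN-G destination static obj-LAN-BO obj-LAN-BO no-proxy-arp route-lookup
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""  # constructed sample, modelled on the packet-tracer output quoted in this thread

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the trailing summary dict."""
    body, _, tail = text.partition("\nResult:\n")            # a bare 'Result:' line starts the summary
    parts = re.split(r"^Phase:\s*(\d+)$", body, flags=re.M)  # [preamble, num, chunk, num, chunk, ...]
    phases = []
    for num, chunk in zip(parts[1::2], parts[2::2]):
        phase, section = {"phase": int(num), "Config": [], "Additional Information": []}, None
        for line in (ln.strip() for ln in chunk.splitlines()):
            if not line:
                continue
            if line in ("Config:", "Additional Information:"):
                section = line[:-1]                   # following lines belong to this section
            elif section:
                phase[section].append(line)
            else:                                     # Type / Subtype / Result header fields
                key, _, val = line.partition(":")
                phase[key] = val.strip()
        phases.append(phase)
    summary = {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in tail.splitlines()) if k.strip()}
    return phases, summary

def first_drop(text):
    """Return the first DROP phase together with the device's drop reason, or None if the flow was allowed."""
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p.get("Result") == "DROP":
            return {"phase": p["phase"], "type": p.get("Type"), "config": p["Config"], "reason": summary.get("Drop-reason", "")}
    return None
```

Run over the thread's own output, first_drop points at phase 3 (ACCESS-LIST) with config "Implicit Rule", which is what you would expect when the test source is the ASA's own interface address rather than a host behind it.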
