Cannot ping inside over VPN after upgrade

langleys25
Level 1

Hi All,

We currently have a central hub using an ASA5510 and then a few site-to-site VPN connections to our support staff homes. The devices at the homes are Cisco routers.

We were running version 8.25 on the ASA and all was working fine. We recently upgraded to version 8.42 and although all the functionality of the network is ok and it does what it should, our support staff cannot ping, ASDM or telnet to the ASA inside interface anymore whereas they could before the upgrade. The home VPNs all run on a 10.30 subnet (i.e. 10.30.1.x, 10.30.2.x etc etc).

I can post our config (security edited of course), but it is quite a big config. The command management-access inside is specified and the 10.30.0.0/16 subnet is permitted to ASDM and Telnet.

Are there any extra things that have to be done in version 8.42 to get this to work as the support staff do have to access the firewall for configuration purposes. At the moment, they have to telnet to one of the routers on the local LAN and then Telnet to the firewall from there.

Prior to the upgrade, they were all able to ping the inside ASA interface and also telnet and HTTPS to it from their PCs at home. Now they cannot and the only change made was an upgrade to 8.42. Immediately after the upgrade none of them can ping the interface anymore and it seems it can only be accessed from the local LAN. I cannot find any access-lists that might be blocking the packets so can only assume it's something in the way 8.42 works.

Many thanks for any help you can give.


Julio Carvajal
VIP Alumni

Hello Lang,

Please provide the Nat exemption rule for the site to site VPN.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Marvin Rhoads
Hall of Fame

Have you looked at your NAT exempt statements? There are some outstanding bugs with how they are handled in a migration to 8.3+. I suspect they might have been translated properly for you.

The migration should have created an "upgrade_startup_errors_[datestamp].log" file on the ASA's disk0: that you can check. Look for things like:

MIGRATION: NAT Exempt command is encountered in config.

Static NATs which overlap with NAT Exempt source are not migrated.

Please check migrated ACLs for accuracy.

Hope this helps.

Julio Carvajal
VIP Alumni

Hello Lang,

Please change the nat statements (Do not use the any keyword)

So do the following:

no nat (inside,any) source static LondonNetworks LondonNetworks destination static VpnNetworks VpnNetworks

nat (inside,outside) source static LondonNetworks LondonNetworks destination static VpnNetworks VpnNetworks

That should do it!

Rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Many thanks for your reply. I have just tried changing it and it didn't make any difference. I changed them all to (inside,outside) instead of any but I still cannot ping the inside interface or telnet to it.

Hello,

So at this moment you are unable to make a connection between hosts on both sides; what you cannot do is to connect to the inside interface of the ASA from the other site.

Here is the bug ID you are hitting: CSCtr16184

After upgrading the ASA to 8.4.2, hosts over the VPN (over L2L or users connecting via VPN clients) are unable to ping/telnet/SSH/ASDM to the inside interface of the ASA.

Please create an overlapping NAT statement like this:

nat (inside,outside) source static London_Network London_Network destination static London_Network London_Network route-lookup

And let me know!!

Rate the posts that help.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That bug is exactly what we are getting.

I tried what you said and it worked perfectly. I then deleted the extra NAT rule and changed the NAT statement for the VPN networks to route-lookup and that also worked.

Do you happen to know if there could be any negative effect from turning on route-lookup on that rule? It seems it was the route-lookup that fixed the problem.

Thank you so much for your help.

Hello Lang,

No negative effect, in fact that is the way to solve this bug.

Glad I could help!!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
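Pulling the accepted answer and the poster's final working state together, here is an added ASA 8.4 configuration fragment (not config from the original posts): the migrated (inside,any) rule is removed and replaced by an explicit (inside,outside) identity rule with route-lookup, which is what the poster reported fixing the problem. The hub subnet 192.0.2.0/24 and the inside interface address 192.0.2.1 are placeholders the thread never gives; the object names follow the thread.

```cisco
! Objects: the hub LAN (placeholder subnet) and the home-office VPN subnets (10.30.0.0/16 per the thread)
object network LondonNetworks
 subnet 192.0.2.0 255.255.255.0
object-group network VpnNetworks
 network-object 10.30.0.0 255.255.0.0

! The rule the 8.2 -> 8.4 migration produced; "any" as the destination interface
! is what the replies point at first
no nat (inside,any) source static LondonNetworks LondonNetworks destination static VpnNetworks VpnNetworks

! Replacement: explicit interface pair, identity (no-translation) NAT for the VPN traffic,
! and route-lookup so the egress interface comes from the routing table rather than the rule
nat (inside,outside) source static LondonNetworks LondonNetworks destination static VpnNetworks VpnNetworks route-lookup

! Management to the inside interface over the tunnel, restricted to the VPN subnets
management-access inside
telnet 10.30.0.0 255.255.0.0 inside
ssh 10.30.0.0 255.255.0.0 inside
http 10.30.0.0 255.255.0.0 inside

! Verification: confirm the rule is present, then trace an ICMP echo from a home host
! (10.30.1.10, constructed) to the inside interface address (192.0.2.1, placeholder)
show running-config nat
show nat detail
packet-tracer input outside icmp 10.30.1.10 8 0 192.0.2.1 detailed
```

Route-lookup only changes which interface the ASA uses to forward a matching packet; the identity translation itself is unchanged, which is consistent with the reply above that the keyword has no negative effect on this rule.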