Problem with extended pings on ASA

baskervi · ‎01-07-2011

We have multiple VPN tunnels to multiple ASAs. However, one we have OSPF running over the IPSec tunnel to the host ASA, and this remote site is the only ASA we're having problems pinging to or from the internal interface from across the tunnel. The host ASA that is also running OSPF is able to ping across the tunnels from its internal interface, and for the life of me I can't see a difference. Has any one else encountered that or have an idea?

Thank you.

Here is the config from the non-working ASA:

ASA Version 8.2(1)
!
hostname ASA
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.254.1.6 255.255.255.252
ospf priority 10
ospf network point-to-point non-broadcast
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.3.6.1 255.255.255.252
ospf priority 10
!
...
object-group network LOCAL
network-object 10.3.0.0 255.255.0.0
network-object 10.7.7.0 255.255.255.0
network-object 10.7.8.0 255.255.255.0
network-object 10.4.0.0 255.255.0.0
network-object 10.40.0.0 255.255.0.0
object-group network REMOTE
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 172.18.1.0 255.255.255.0
access-list acl_vpn_local extended permit ip object-group LOCAL object-group REMOTE
access-list acl_vpn_local extended deny ip object-group LOCAL 10.254.0.0 255.255.0.0
access-list acl_vpn_local extended permit ip object-group LOCAL any
access-list acl_vpn_local extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list acl_vpn_local extended permit ospf interface outside host 10.254.1.2
access-list acl_NONAT extended permit ip object-group LOCAL object-group REMOTE
access-list acl_NONAT extended deny ip object-group LOCAL 10.254.0.0 255.255.0.0
access-list acl_NONAT extended permit ip object-group LOCAL any
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-621.bin
global (outside) 10 interface
nat (inside) 0 access-list acl_NONAT
nat (inside) 10 0.0.0.0 0.0.0.0
!
router ospf 100
network 10.3.0.0 255.255.0.0 area 0
network 10.254.1.0 255.255.255.252 area 0
network 10.254.1.4 255.255.255.252 area 0
neighbor 10.254.1.2 interface outside
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 10.254.1.5 1
route outside 10.254.1.2 255.255.255.255 10.254.1.5 1
...
crypto ipsec transform-set set_local esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map maplocal 10 match address acl_vpn_local
crypto map maplocal 10 set pfs group5
crypto map maplocal 10 set peer 10.254.1.2
crypto map maplocal 10 set transform-set set_local
crypto map maplocal interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
...
tunnel-group 10.254.1.2 type ipsec-l2l
tunnel-group 10.254.1.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global

Federico Coto Fajardo · ‎01-07-2011

Hi,

If I understand correclty the tunnel running OSPF thru IPsec is the only one not allowing to PING to the internal interface?

What if you add a static route, does it work?

Normally you use the ''management-access inside'' to be able to PING/administer the ASA through the tunnel.

Please clarify.

Federico.

baskervi · ‎01-08-2011

You are correct. The ASA with OSPF is the only problematic one. We already had a static route for the gateway, and I can't even ping it from the inside interface, but this didn't work. I added a static route for another range, but it didn't work either. The command "management-access inside" was already in the configuration. I probably deleted it when I was scaling it back. Thanks for your response.

Kureli Sankar · ‎01-08-2011

baskervi,

You need.

1. icmp permit any inside

2. management-access inside

You say you have both. I am not sure why it doesn't work. What do the logs show?

how about "debug icmp trace" does that show anything? The other side is an ASA also right. You can also gather "debug icmp trace there".

This IP that you are trying to ping is the IP address of the peer correct? Is that traffic in the crypto acl to go over encrypted?

If you apply capture on the outside interface "cap capout int outside match icmp any any" - you don't see it going as clear traffic right?

PS:

It looks like this traffic is being denied from getting encrypted.

access-list acl_vpn_local extended deny ip object-group LOCAL 10.254.0.0 255.255.0.0

-KS