Unable to Ping ASA Subinterface Across VPN Tunnel

Darren Roback
Level 5

Hello -

I have a remote ASA with four subinterfaces configured. All four subnets participate in a site-to-site VPN tunnel back to corporate. Currently I'm unable to ping the MGMT subinterface, although I have configured ICMP inspection as well as management-access. Running a debug on ICMP trace shows that, while I am trying to ping 10.33.2.1, the request comes across the debug as 10.33.0.1 (Data_VLAN subinterface).

Any ideas where I'm going wrong?

ASA Version 8.3(1)
!
hostname VA-4500-ASA-LAN-5505-1
domain-name xxxxxxxx.com
enable password <removed>
passwd <removed>
no names
!
interface Vlan2
 nameif Data_VLAN
 security-level 100
 ip address 10.33.0.1 255.255.255.0
!
interface Vlan6
 nameif Voice_VLAN
 security-level 100
 ip address 10.33.1.1 255.255.255.0
!
interface Vlan10
 nameif MGMT_VLAN
 security-level 100
 ip address 10.33.2.1 255.255.255.0
!
interface Vlan56
 nameif Video_VLAN
 security-level 100
 ip address 10.33.3.1 255.255.255.0
!
interface Vlan99
 nameif Outside
 security-level 0
 ip address xxxxxxxx 255.255.255.252
!
interface Ethernet0/0
 description Connected to Internet Router
 switchport access vlan 99
!
interface Ethernet0/1
 description Connected to 2960 Switch
 switchport trunk allowed vlan 2,6,10,56
 switchport trunk native vlan 10
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
!
ftp mode passive
clock timezone EST -5
clock summer-time DST recurring
dns domain-lookup MGMT_VLAN
dns server-group DefaultDNS
 retries 3
 timeout 5
 name-server 10.0.204.10
 name-server 10.100.204.10
 domain-name xxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Data_VLAN
 subnet 10.33.0.0 255.255.255.0
object network Voice_VLAN
 subnet 10.33.1.0 255.255.255.0
object network MGMT_VLAN
 subnet 10.33.2.0 255.255.255.0
object network Video_VLAN
 subnet 10.33.3.0 255.255.255.0
access-list netflow-export extended permit ip any any
access-list Outside_Cryptomap_1 extended permit ip 10.33.0.0 255.255.255.0 any
access-list Outside_Cryptomap_1 extended permit ip 10.33.1.0 255.255.255.0 any
access-list Outside_Cryptomap_1 extended permit ip 10.33.2.0 255.255.255.0 any
access-list Outside_Cryptomap_1 extended permit ip 10.33.3.0 255.255.255.0 any
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging buffered debugging
logging trap notifications
logging asdm notifications
logging host MGMT_VLAN 10.0.8.11
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu Data_VLAN 1500
mtu Voice_VLAN 1500
mtu MGMT_VLAN 1500
mtu Video_VLAN 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Data_VLAN,any) source static Data_VLAN Data_VLAN
nat (Voice_VLAN,any) source static Voice_VLAN Voice_VLAN
nat (Video_VLAN,any) source static Video_VLAN Video_VLAN
nat (MGMT_VLAN,any) source static MGMT_VLAN MGMT_VLAN
route Outside 0.0.0.0 0.0.0.0 50.199.31.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS protocol tacacs+
aaa-server ACS (MGMT_VLAN) host 10.0.8.250
 timeout 5
 key xxxxxxxx
aaa-server ACS (MGMT_VLAN) host 10.39.157.165
 timeout 5
 key xxxxxxxx
aaa authentication enable console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
http server enable
http xxxxxxxx 255.255.255.0 Outside
http xxxxxxxx 255.255.255.0 Outside
http xxxxxxxx 255.255.255.192 Outside
http 10.0.0.0 255.0.0.0 MGMT_VLAN
http redirect MGMT_VLAN 80
http redirect Outside 80
snmp-server host MGMT_VLAN 10.0.8.11 community ***** version 2c
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_Map 1 match address Outside_Cryptomap_1
crypto map Outside_Map 1 set peer 192.64.157.61
crypto map Outside_Map 1 set transform-set ESP-AES-128-SHA
crypto map Outside_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 Data_VLAN
ssh 10.0.0.0 255.0.0.0 MGMT_VLAN
ssh 0.0.0.0 0.0.0.0 MGMT_VLAN
ssh xxxxxxxx 255.255.255.0 Outside
ssh xxxxxxxx 255.255.255.0 Outside
ssh xxxxxxxx 255.255.255.192 Outside
ssh timeout 5
ssh version 2
console timeout 0
management-access MGMT_VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.4.21 prefer
tftp-server MGMT_VLAN 10.0.81.160 VA-4500-ASA-LAN-5505-1_Config
webvpn
username cisco password <removed> privilege 15
tunnel-group xxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxx ipsec-attributes
 pre-shared-key *****
!
class-map netflow-export-class
 match access-list netflow-export
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map netflow-policy
 class netflow-export-class
 class class-default
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect icmp
 class class-default
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4fef1b392d267ef2da40dca56aad1687
: end

9 Replies

Julio Carvajal
VIP Alumni

Hello Darren,

while I am trying to ping 10.33.2.1, the request comes across the debug as 10.33.0.1 (Data_VLAN subinterface)

Do you mean that you see the destination being 10.33.0.1, or the source of the ICMP packet being 10.33.0.1?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello -

I've performed a debug on ICMP traffic, and here's what I'm seeing from two different stations trying to ping 10.33.2.1. It's interesting as it lists the destination as the Data_VLAN subinterface (10.33.0.1).

ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3947 len=23
ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=14 len=32
ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3959 len=23
ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=15 len=32

Definitely a weird one!

Darren

Hello Darren,

Can you change the any keyword on the nat statements to be as specific as possible?

Instead of "any", use the right output interface?

Let me know when you do the changes

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
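Julio's suggestion to replace the "any" interface in the nat statements can be turned into a repeatable check that runs over a configuration before it is pushed. The script below is an added example written for this thread; it is not code from either poster or from Cisco. It parses a constructed excerpt of the configuration posted above (the redacted Outside address is replaced with a documentation-range placeholder), flags identity-NAT rules whose mapped interface is "any", and suggests the rewrite using the interface that carries the crypto map. It also checks that the real subnet of every NAT rule appears in the crypto ACL, which the posted configuration already satisfies.

```python
"""Lint the NAT section of a Cisco ASA 8.3+ configuration for identity-NAT rules
whose mapped interface is 'any', the pattern discussed in this thread.

Added example written for this thread; not code from either poster or from Cisco.
"""
import ipaddress
import re

# Constructed excerpt of the configuration posted above. The Outside address is a
# documentation-range placeholder because the original was redacted.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif Data_VLAN
 ip address 10.33.0.1 255.255.255.0
interface Vlan10
 nameif MGMT_VLAN
 ip address 10.33.2.1 255.255.255.0
interface Vlan99
 nameif Outside
 ip address 198.51.100.1 255.255.255.252
object network Data_VLAN
 subnet 10.33.0.0 255.255.255.0
object network MGMT_VLAN
 subnet 10.33.2.0 255.255.255.0
access-list netflow-export extended permit ip any any
access-list Outside_Cryptomap_1 extended permit ip 10.33.0.0 255.255.255.0 any
access-list Outside_Cryptomap_1 extended permit ip 10.33.2.0 255.255.255.0 any
nat (Data_VLAN,any) source static Data_VLAN Data_VLAN
nat (MGMT_VLAN,any) source static MGMT_VLAN MGMT_VLAN
crypto map Outside_Map 1 match address Outside_Cryptomap_1
crypto map Outside_Map interface Outside
management-access MGMT_VLAN
"""

NAT_RE = re.compile(r"^nat \(([^,]+),([^)]+)\) source static (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+)")
CRYPTO_ACL_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)")
CRYPTO_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")


def parse_config(text):
    """Pull network objects, NAT rules, ACL source subnets and crypto-map bindings into a dict."""
    cfg = {"objects": {}, "nat": [], "acl_sources": {}, "crypto_acl": {}, "crypto_if": {}}
    current_object = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        if line.startswith(" subnet ") and current_object:
            _, addr, mask = line.split()
            cfg["objects"][current_object] = ipaddress.ip_network(f"{addr}/{mask}")
            continue
        if not line.startswith(" "):
            current_object = None  # any top-level command ends the object block
        if m := NAT_RE.match(line):
            src_if, dst_if, real, mapped = m.groups()
            cfg["nat"].append({"src_if": src_if, "dst_if": dst_if, "real": real,
                               "mapped": mapped, "line": line})
        elif m := ACL_RE.match(line):
            name, addr, mask = m.groups()
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}")
            except ValueError:
                continue  # 'any' and 'host' forms are not needed for this lint
            cfg["acl_sources"].setdefault(name, []).append(net)
        elif m := CRYPTO_ACL_RE.match(line):
            cfg["crypto_acl"][m.group(1)] = m.group(2)
        elif m := CRYPTO_IF_RE.match(line):
            cfg["crypto_if"][m.group(1)] = m.group(2)
    return cfg


def lint_nat(cfg):
    """Return findings; each carries the offending line and, where possible, a suggested rewrite."""
    findings = []
    # The interface a crypto map is applied to carries the VPN; with exactly one
    # such interface it is the obvious name to use instead of 'any'.
    vpn_ifaces = set(cfg["crypto_if"].values())
    egress = vpn_ifaces.pop() if len(vpn_ifaces) == 1 else None
    # Subnets the crypto ACL(s) send through the tunnel.
    protected = [net for acl in cfg["crypto_acl"].values() for net in cfg["acl_sources"].get(acl, [])]
    for rule in cfg["nat"]:
        identity = rule["real"] == rule["mapped"]
        if identity and rule["dst_if"] == "any":
            fix = rule["line"].replace(",any)", f",{egress})", 1) if egress else None
            findings.append({"rule": rule["line"], "issue": "identity NAT with mapped interface 'any'", "fix": fix})
        real_net = cfg["objects"].get(rule["real"])
        if real_net is not None and not any(real_net.subnet_of(p) for p in protected):
            findings.append({"rule": rule["line"], "issue": "real subnet is not in the crypto ACL", "fix": None})
    return findings


if __name__ == "__main__":
    for f in lint_nat(parse_config(SAMPLE_CONFIG)):
        print(f"{f['issue']}: {f['rule']}")
        if f["fix"]:
            print(f"  suggested: {f['fix']}")
```

Run against the excerpt, the lint reports both identity rules and proposes `nat (MGMT_VLAN,Outside) source static MGMT_VLAN MGMT_VLAN`, the form Darren adopts later in the thread. The crypto-ACL check is there so a subnet added to NAT but forgotten in the interesting-traffic ACL is caught at the same time.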

I've updated the NAT translations to the following, with the same result...

nat (MGMT_VLAN,Outside) source static MGMT_VLAN MGMT_VLAN
nat (Data_VLAN,Outside) source static Data_VLAN Data_VLAN
nat (Voice_VLAN,Outside) source static Voice_VLAN Voice_VLAN
nat (Video_VLAN,Outside) source static Video_VLAN Video_VLAN

Thanks
Darren

Hello Darren,

What happens if you do

ping MGMT_VLAN 10.0.8.11

Also, can you get as many logs as possible from the ICMP session?

Have you cleared the xlate table after the changes?

Let me know

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Interestingly enough, if you source the ping from the MGMT_VLAN subinterface, it will work properly. I have cleared the XLATE and CONN table after making the NAT changes to no avail.

Here's the output from an ICMP debug. Note that I am trying to ping 10.33.2.1 from 10.0.8.11 and 10.0.81.160.

ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3947 len=23
ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=14 len=32
ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3959 len=23
ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=15 len=32

Hello Darren,

Okay... I would like to see the logs now, not the debugs.

I will wait for them.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Below are the logs - thanks

VA-4500-ASA-LAN-5505-1# sh log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 285166 messages logged
    Trap logging: level notifications, facility 20, 1736 messages logged
        Logging to MGMT_VLAN 10.0.8.11
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level notifications, 2191 messages logged
May 09 2013 09:28:05: %ASA-5-111008: User 'droback' executed the 'clear logging buffer' command.
May 09 2013 09:28:05: %ASA-5-111010: User 'droback', running 'CLI' from IP 192.64.157.42, executed 'clear logging buffer'
May 09 2013 09:28:07: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02
May 09 2013 09:28:07: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
May 09 2013 09:28:08: %ASA-7-609001: Built local-host Outside:192.175.48.42
May 09 2013 09:28:10: %ASA-7-609001: Built local-host Outside:10.0.81.160
May 09 2013 09:28:10: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:12: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02
May 09 2013 09:28:12: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
May 09 2013 09:28:14: %ASA-7-111009: User 'droback' executed cmd: show logging
May 09 2013 09:28:15: %ASA-7-609001: Built local-host Outside:10.0.81.160
May 09 2013 09:28:15: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:17: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02
May 09 2013 09:28:17: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
May 09 2013 09:28:20: %ASA-7-609001: Built local-host Outside:10.0.81.160
May 09 2013 09:28:20: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:20: %ASA-7-609001: Built local-host Outside:192.175.48.6
May 09 2013 09:28:22: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02
May 09 2013 09:28:22: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
May 09 2013 09:28:22: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:24: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
May 09 2013 09:28:24: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:24: %ASA-7-111009: User 'droback' executed cmd: show logging
May 09 2013 09:28:25: %ASA-7-609001: Built local-host Outside:10.0.81.160
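The debug and show-logging output Darren posted can be read mechanically rather than by eye. The script below is an added example written for this thread; it is not code from either poster or from Cisco. It parses the "ICMP echo request" debug lines and the %ASA-7-609001/609002 local-host messages (constructed samples copied in shape from the output above), reports the destination the ASA actually recorded against the intended 10.33.2.1, lists which of the firewall's own ("identity") addresses terminated flows, and counts teardowns whose lifetime equals the 2-second ICMP idle timeout from the posted config, meaning the flow idled out rather than carrying further packets.

```python
"""Triage the ICMP debug and 'show logging' output posted in this thread.

Added example written for this thread; not code from either poster or from Cisco.
It reports where the ASA actually terminated the echo requests compared with the
address they were aimed at.
"""
import re
from collections import Counter

# Constructed samples, copied in shape from the output posted above.
DEBUG_LINES = [
    "ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3947 len=23",
    "ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=14 len=32",
    "ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3959 len=23",
]
SYSLOG_LINES = [
    "May 09 2013 09:28:10: %ASA-7-609001: Built local-host Outside:10.0.81.160",
    "May 09 2013 09:28:10: %ASA-7-609001: Built local-host identity:10.33.0.1",
    "May 09 2013 09:28:12: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02",
    "May 09 2013 09:28:12: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02",
    "May 09 2013 09:28:14: %ASA-7-111009: User 'droback' executed cmd: show logging",
]

INTENDED_TARGET = "10.33.2.1"  # the MGMT_VLAN address the pings were aimed at
ICMP_IDLE_TIMEOUT = 2          # 'timeout conn ... icmp 0:00:02' in the posted config, in seconds

ECHO_RE = re.compile(r"ICMP echo request from (\S+) to (\S+) ID=(\d+) seq=(\d+) len=(\d+)")
LOCAL_HOST_RE = re.compile(
    r"%ASA-(\d)-(60900[12]): (Built|Teardown) local-host ([^:\s]+):(\S+)"
    r"(?: duration (\d+):(\d\d):(\d\d))?"
)


def parse_echo_requests(lines):
    """Return one dict per 'ICMP echo request' debug line."""
    out = []
    for line in lines:
        m = ECHO_RE.search(line)
        if m:
            src, dst, ident, seq, length = m.groups()
            out.append({"src": src, "dst": dst, "id": int(ident), "seq": int(seq), "len": int(length)})
    return out


def parse_local_host_events(lines):
    """Return one dict per 609001/609002 message; other syslog IDs are ignored."""
    out = []
    for line in lines:
        m = LOCAL_HOST_RE.search(line)
        if not m:
            continue
        sev, msg_id, action, zone, host, h, mi, s = m.groups()
        duration = int(h) * 3600 + int(mi) * 60 + int(s) if h is not None else None
        out.append({"severity": int(sev), "msg_id": msg_id, "action": action,
                    "zone": zone, "host": host, "duration": duration})
    return out


def triage(debug_lines, syslog_lines, intended=INTENDED_TARGET, icmp_timeout=ICMP_IDLE_TIMEOUT):
    """Compare where the ASA saw the echo requests land with where they were aimed."""
    echoes = parse_echo_requests(debug_lines)
    events = parse_local_host_events(syslog_lines)
    seen_dst = Counter(e["dst"] for e in echoes)
    # The 'identity' zone is the ASA's own address that terminated a flow.
    identity_hosts = sorted({ev["host"] for ev in events if ev["zone"] == "identity"})
    # A teardown whose lifetime equals the ICMP idle timeout aged out with no further packets.
    aged_out = sum(1 for ev in events if ev["action"] == "Teardown" and ev["duration"] == icmp_timeout)
    mismatched = {dst: n for dst, n in seen_dst.items() if dst != intended}
    return {
        "intended": intended,
        "echo_destinations": dict(seen_dst),
        "mismatched_destinations": mismatched,
        "identity_hosts": identity_hosts,
        "aged_out_teardowns": aged_out,
        "ok": not mismatched and identity_hosts == [intended],
    }


if __name__ == "__main__":
    for key, value in triage(DEBUG_LINES, SYSLOG_LINES).items():
        print(f"{key}: {value}")
```

On the samples the report shows every echo request recorded against 10.33.0.1, only 10.33.0.1 among the identity hosts, and each teardown at exactly the ICMP idle timeout, which is the same picture Darren describes in prose. Pointing the script at a longer `show logging` capture or a syslog collector export lets you confirm whether a NAT or routing change has actually altered the address the firewall answers on.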

Hello Darren,

Please check your inbox.

I will analyze the logs.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC