11-07-2019 09:40 AM - edited 11-07-2019 09:47 AM
Hello,
We have a site-to-site VPN configured on a Cisco ASA 5505. The VPN is up and we can see TX and RX, but we are unable to get any ping replies. We also tried RDP and other access to the remote end, but no luck.
The strange thing is that TX and RX are going up on the VPN, but we can't get any ping etc. replies from the remote end.
Please find attached asa config and wireshark traces.
Any help will be much appreciated.
Many thanks.
11-07-2019 09:49 AM - edited 11-07-2019 10:12 AM
You have to change your NAT.
CHANGE THIS
nat (inside,outside) source dynamic LocalVPNClients LocalVPN-NAT destination static RemoteVPNClients RemoteVPNClients
!
TO THIS
nat (inside,outside) source static LocalVPNClients LocalVPN-NAT destination static RemoteVPNClients RemoteVPNClients no-proxy-arp route-lookup
!
for PING
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp-error
Check this reference guide too.
I also noticed you have an overlap of IP addresses between your network and the remote network.
!
object network ClientSubnet
subnet 192.168.0.0 255.255.248.0
!
object-group network LocalVPNClients
network-object object ClientSubnet
!
object-group network LocalVPN-NAT
network-object object 192.168.6.3
!
object-group network RemoteVPNClients
network-object object RemoteVPNClient1
network-object object RemoteVPNClient2
network-object object RemoteVPNClient3
network-object object RemoteVPNClient4
!
object network RemoteVPNClient1
host 129.1.3.12
object network RemoteVPNClient2
host 129.1.33.65
object network RemoteVPNClient3
host 129.1.155.61
object network 192.168.6.3
host 192.168.6.3
object network RemoteVPNClient4
host 129.1.3.11
Could you also run this command and paste the results?
show crypto ipsec sa peer 185.170.172.10
11-07-2019 10:56 AM
Thanks Sheraz for the quick response.
The problem is that we have to use many-to-one NAT. Basically the requirement is to NAT the subnet to a single IP, so shouldn't we use dynamic for that?
I have changed the below but no luck. I haven't yet changed the NAT.
inspect icmp
inspect icmp-error
BAirASA# show crypto ipsec sa peer 185.170.172.10
peer address: 185.170.172.10
Crypto map tag: outside_map0, seq num: 1, local addr: 64.66.10.70
access-list outside_cryptomap_1 extended permit ip host 192.168.6.3 host 129.1.3.12
local ident (addr/mask/prot/port): (192.168.6.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (129.1.3.12/255.255.255.255/0/0)
current_peer: 185.170.172.10
#pkts encaps: 4479, #pkts encrypt: 4479, #pkts digest: 4479
#pkts decaps: 4466, #pkts decrypt: 4466, #pkts verify: 4466
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4479, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 64.66.10.70/0, remote crypto endpt.: 185.170.172.10/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D4B437E8
current inbound spi : 41568E7D
inbound esp sas:
spi: 0x41568E7D (1096191613)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 282624, crypto-map: outside_map0
sa timing: remaining key lifetime (sec): 2634
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD4B437E8 (3568580584)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 282624, crypto-map: outside_map0
sa timing: remaining key lifetime (sec): 2634
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
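The counters in that output already answer the original question: encaps and decaps are both non-zero, so packets are being encrypted towards the peer and decrypted on return, which points away from the tunnel and towards the internal network (as the thread's resolution later confirms). The script below is an added example, not part of this thread or of any Cisco tool: it parses a `show crypto ipsec sa peer` output (the sample is constructed from the lines quoted above), pulls out the proxy IDs, the packet counters and the SPIs, and turns the encaps/decaps relationship into a triage hint. It also goes one step beyond the thread by flagging the one-way and no-traffic cases, and by noting that the local proxy ID is a single host, which is why inside traffic must be NATted to 192.168.6.3 before it can match this SA.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the `show crypto ipsec sa peer` output quoted in the
# thread, trimmed to the lines this parser cares about.
SAMPLE_OUTPUT = """\
peer address: 185.170.172.10
Crypto map tag: outside_map0, seq num: 1, local addr: 64.66.10.70
access-list outside_cryptomap_1 extended permit ip host 192.168.6.3 host 129.1.3.12
local ident (addr/mask/prot/port): (192.168.6.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (129.1.3.12/255.255.255.255/0/0)
current_peer: 185.170.172.10
#pkts encaps: 4479, #pkts encrypt: 4479, #pkts digest: 4479
#pkts decaps: 4466, #pkts decrypt: 4466, #pkts verify: 4466
#send errors: 0, #recv errors: 0
current outbound spi: D4B437E8
current inbound spi : 41568E7D
"""


@dataclass
class IpsecSa:
    """The fields of one IPsec SA that matter for first-line triage."""
    peer: Optional[str] = None
    local_ident: Optional[str] = None
    remote_ident: Optional[str] = None
    counters: Dict[str, int] = field(default_factory=dict)
    outbound_spi: Optional[str] = None
    inbound_spi: Optional[str] = None


IDENT_RE = re.compile(r"^(local|remote) ident .*?:\s*\(([^)]*)\)")
COUNTER_RE = re.compile(r"#([\w\s-]+?):\s*(\d+)")
SPI_RE = re.compile(r"^current (outbound|inbound) spi\s*:\s*([0-9A-Fa-f]+)")


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Extract peer, proxy IDs, '#name: value' counters and SPIs from ASA output."""
    sa = IpsecSa()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer address:"):
            sa.peer = line.split(":", 1)[1].strip()
            continue
        m = IDENT_RE.match(line)
        if m:
            setattr(sa, f"{m.group(1)}_ident", m.group(2))
            continue
        m = SPI_RE.match(line)
        if m:
            setattr(sa, f"{m.group(1)}_spi", m.group(2).upper())
            continue
        # Counter lines carry several "#name: value" pairs separated by commas.
        for name, value in COUNTER_RE.findall(line):
            sa.counters[name.strip()] = int(value)
    return sa


def diagnose(sa: IpsecSa) -> List[str]:
    """Turn the counters into triage hints; the first entry is the main verdict."""
    findings: List[str] = []
    encaps = sa.counters.get("pkts encaps", 0)
    decaps = sa.counters.get("pkts decaps", 0)
    if encaps == 0 and decaps == 0:
        findings.append("no traffic matches this SA: check the NAT rule and the crypto ACL")
    elif encaps > 0 and decaps == 0:
        findings.append("traffic leaves but nothing returns: check remote-side NAT and routing")
    else:
        findings.append("tunnel passes traffic both ways: look beyond the VPN "
                        "(internal routing, host firewalls, return path to the NAT address)")
    if sa.counters.get("send errors", 0) or sa.counters.get("recv errors", 0):
        findings.append("SA reports send/recv errors")
    # A /32 proxy ID means only that exact address is carried by this SA.
    for label, ident in (("local", sa.local_ident), ("remote", sa.remote_ident)):
        if ident and ident.split("/")[1] == "255.255.255.255":
            findings.append(f"{label} proxy ID is a single host ({ident.split('/')[0]}): "
                            "traffic from any other address will not match this SA")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_OUTPUT)
    print(f"peer {parsed.peer}: {parsed.local_ident} <-> {parsed.remote_ident}")
    for hint in diagnose(parsed):
        print(" -", hint)
```

Feed it the full output of `show crypto ipsec sa peer <address>` copied from the console; lines it does not recognise (transform, lifetimes, replay bitmaps) are simply skipped.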
11-07-2019 12:16 PM
Try this command:
nat (inside,outside) source dynamic LocalVPNClients LocalVPN-NAT destination static RemoteVPNClients RemoteVPNClients no-proxy-arp route-lookup
11-07-2019 03:33 PM
11-07-2019 04:56 PM
I recommend trying the following things:
1. Run a packet tracer and see which step is failing.
2. Run debugs: debug cryp isa sa 127 and deb cryp ipsec sa 127. While these are running, attempt a ping across the tunnel and attach the output to this thread.
11-08-2019 01:20 AM
I had a thought on this. You need to define a subnet for your real traffic to be mapped into the mapped network.
You have a single IP address in this object LocalVPN-NAT.
Create a subnet:
object network LocalVPN-NAT
subnet 192.168.10.x 255.255.255.0
!
nat (inside,outside) source static LocalVPNClients LocalVPN-NAT destination static RemoteVPNClients RemoteVPNClients no-proxy-arp route-lookup
You also need to let the remote-network firewall change the network to the LocalVPN-NAT subnet 192.168.10.x 255.255.255.0.
11-15-2019 07:22 AM
Thanks everyone, issue resolved. The issue wasn't with the VPN; the issue was with the internal network.
11-15-2019 03:40 PM
What was the issue? Is your site-to-site VPN working?
Could you please show your final working configuration?