Unable to send interesting traffic through tunnel

pdm000001
Level 1

I have an ASA 5510 site-to-site tunnel with a WatchGuard XTM. The tunnel is up; both phase 1 and phase 2 complete. I am connecting a network behind the WatchGuard to a network behind the ASA.

ASA 77.88.4.32/28 to XTM 10.10.10.32/28


I have set up a tunnel between two IPs, one in the 10.10.10.32/28 network and one in the 77.88.4.32/28 network. When I ping from the IP in the 10.10.10.32/28 network I am able to reach the IP in the 77.88.4.32/28 network, but the reply never returns to the 10.10.10.32/28 network. I can see on the box being pinged in the 77.88.4.32/28 network that the reply is sent (using Wireshark), but it appears to just disappear. I can't find any trace of it in the ASA logs. I can only assume that the packet is not forwarded from the inside interface to the outside interface correctly.

Here is my configuration. If anyone could enlighten me on what I should be doing to get the traffic across, I would greatly appreciate it.


 Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5)48 
!
hostname buwickFW-taa
domain-name fw01.buwick.dk
enable password xxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 description Vlan 1567 - Internet connection
 nameif outside
 security-level 0
 ip address 204.88.4.9 255.255.255.248 
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.2045
 vlan 2045
 nameif inside
 security-level 100
 ip address 192.168.254.1 255.255.255.248 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa825-48-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 217.116.227.8
 name-server 217.116.227.58
 domain-name fw01.buwick.dk
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group network onprem-networks
 network-object host 77.88.4.43
object-group network LDN-networks
 network-object 192.168.9.0 255.255.255.0
access-list inbound extended permit icmp any any log debugging 
access-list inbound extended permit ip 10.254.254.0 255.255.255.0 any 
access-list splittunnel standard permit 77.88.4.32 255.255.255.240 
access-list splittunnel standard permit 77.88.29.80 255.255.255.240 
access-list splittunnel standard permit 77.88.32.176 255.255.255.240 
access-list vpn_remote extended permit ip 10.254.254.0 255.255.255.0 any 
access-list LDN-vpn-acl extended permit ip host 77.88.4.43 host 10.10.10.11 log debugging interval 15 
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
logging from-address support@buwick.com
logging recipient-address dp@buwick.com level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool buwickvpnpool 10.254.254.1-10.254.254.100 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 77.88.4.14 1
route inside 77.88.4.32 255.255.255.240 192.168.254.6 1
route inside 77.88.29.80 255.255.255.240 192.168.254.6 1
route inside 77.88.32.176 255.255.255.240 192.168.254.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1350
auth-prompt prompt Welcome to buwick / buwick remote access 
auth-prompt accept You have now been authenticated by buwicks AAA server 
auth-prompt reject You have not been authenticated by buwicks AAA server 
crypto ipsec transform-set vpn_aws esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set LDN-ipsec-proposal-set esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto map LDN-office-crypto-map 5 match address LDN-vpn-acl
crypto map LDN-office-crypto-map 5 set peer 204.18.110.2 
crypto map LDN-office-crypto-map 5 set transform-set LDN-ipsec-proposal-set
crypto map LDN-office-crypto-map 5 set reverse-route
crypto map LDN-office-crypto-map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=buwickFW-taa
 crl configure
crypto ca trustpoint buwickNet
 enrollment self
 fqdn vpn.buwick.net
 subject-name CN=buwickNet
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate ********
  quit
crypto ca certificate chain buwickNet
 certificate *********
  quit
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 dtls port 10000
 anyconnect-essentials
 svc image disk0:/anyconnect-linux-64-4.0.00048-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-4.0.00048-k9.pkg 2
 svc image disk0:/anyconnect-win-4.0.00048-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 90
 vpn-filter value splittunnel
group-policy buwick internal
group-policy buwick attributes
 wins-server none
 dns-server value 117.116.221.1 117.116.217.51
 vpn-simultaneous-logins 2
 vpn-filter value vpn_remote
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value fw01.buwick.dk
 user-authentication enable
 address-pools value buwickvpnpool
 webvpn
  svc dtls enable
  svc keep-installer installed
  svc dpd-interval client 60
  svc dpd-interval gateway 60
  svc ask enable default svc timeout 60
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 service-type remote-access
tunnel-group buwick type remote-access
tunnel-group buwick general-attributes
 default-group-policy buwick
tunnel-group buwick webvpn-attributes
 group-alias "Remote Access" enable
tunnel-group 204.18.110.2 type ipsec-l2l
tunnel-group 204.18.110.2 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
privilege show level 2 mode exec command running-config
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:71ae902040a875f9fde09f3a23a68e22
: end



1 Reply

luke.smith
Level 1

If you apply a capture on the inside interface, do you see the echo-reply arriving at the interface on the ASA? If not, does your network definitely know to route "10.10.10.32/28" back to the ASA "192.168.254.1"?


capture echo-reply-test interface inside match icmp 77.88.4.32 255.255.255.240 10.10.10.32 255.255.255.240

Initiate Ping

show capture echo-reply-test
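As an added example (not code from this thread, nor from Cisco or WatchGuard), the following Python script checks the return path that both the question and the reply above are about. It parses the relevant lines of the posted running-config (copied into CONFIG below), resolves each crypto ACL entry against the static routes, confirms the reply would exit on the interface that carries the crypto map, names the upstream hop (the inside router) whose routing the ASA cannot verify for itself, and tests whether a proposed `capture ... match` filter would record the echo-reply at all. Assumptions: only static routes are modelled (the /32 that `set reverse-route` may inject is ignored), the ASA `match` filter is treated as matching a flow in both directions, and the "stated" networks are the 77.88.4.32/28 and 10.10.10.32/28 named in the post. Run against the posted config it shows that the crypto ACL's remote host 10.10.10.11 is not inside 10.10.10.32/28, so a capture filtered on that /28 would not show the reply even if it reached the inside interface; a filter on the two hosts in the crypto ACL would.

```python
import ipaddress
import re

# Constructed excerpt: only the posted lines that decide whether an
# echo-reply from the ASA side is routed toward the crypto map.
CONFIG = """\
access-list LDN-vpn-acl extended permit ip host 77.88.4.43 host 10.10.10.11 log debugging interval 15
route outside 0.0.0.0 0.0.0.0 77.88.4.14 1
route inside 77.88.4.32 255.255.255.240 192.168.254.6 1
route inside 77.88.29.80 255.255.255.240 192.168.254.6 1
route inside 77.88.32.176 255.255.255.240 192.168.254.6 1
crypto map LDN-office-crypto-map 5 match address LDN-vpn-acl
crypto map LDN-office-crypto-map 5 set peer 204.18.110.2
crypto map LDN-office-crypto-map interface outside
"""


def _addr(tokens):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK') from the
    front of a token list and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(config, name):
    """Return [(src_net, dst_net)] for each permit entry of the named ACL."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"access-list {re.escape(name)} extended permit \S+ (.*)", line)
        if m:
            src, rest = _addr(m.group(1).split())
            dst, _ = _addr(rest)
            entries.append((src, dst))
    return entries


def parse_routes(config):
    """Return [(iface, network, next_hop)] from the static 'route' lines.
    Assumption: a /32 that 'set reverse-route' may inject is not modelled."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            iface, ip, mask, next_hop = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{ip}/{mask}", strict=False), next_hop))
    return routes


def lookup_route(routes, ip):
    """Longest-prefix match; returns (iface, next_hop) or None."""
    ip = ipaddress.ip_address(ip)
    best = None
    for iface, net, next_hop in routes:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, next_hop)
    return None if best is None else (best[0], best[2])


def crypto_map_interface(config, map_name):
    """Interface the crypto map is bound to (the only place encryption happens)."""
    m = re.search(rf"crypto map {re.escape(map_name)} interface (\S+)", config)
    return m.group(1) if m else None


def capture_would_see(match_spec, pkt_src, pkt_dst):
    """Would 'capture X interface Y match <match_spec>' record this packet?
    match_spec is in ASA form, e.g. 'icmp 77.88.4.32 255.255.255.240 any'.
    Assumption: the match filter applies to both directions of the flow."""
    cap_src, rest = _addr(match_spec.split()[1:])  # drop the protocol token
    cap_dst, _ = _addr(rest)
    s, d = ipaddress.ip_address(pkt_src), ipaddress.ip_address(pkt_dst)
    return (s in cap_src and d in cap_dst) or (s in cap_dst and d in cap_src)


def check_return_path(config, acl_name, map_name, local_net, remote_net):
    """For every crypto ACL entry, report the facts that decide whether the
    echo-reply (local host -> remote host) can be encrypted by the ASA."""
    routes = parse_routes(config)
    egress = crypto_map_interface(config, map_name)
    local_net = ipaddress.ip_network(local_net)
    remote_net = ipaddress.ip_network(remote_net)
    findings = []
    for src, dst in parse_crypto_acl(config, acl_name):
        local_ip, remote_ip = src.network_address, dst.network_address
        reply_route = lookup_route(routes, remote_ip)    # where the reply exits
        request_route = lookup_route(routes, local_ip)   # where the request goes
        findings.append({
            "local": str(local_ip),
            "remote": str(remote_ip),
            "local_in_stated_net": local_ip in local_net,
            "remote_in_stated_net": remote_ip in remote_net,
            "request_forwarded_via": request_route,
            "reply_exits_via": reply_route,
            # The reply must leave on the crypto-map interface; otherwise it is
            # routed in the clear and never matches the tunnel.
            "reply_hits_crypto_map": reply_route is not None and reply_route[0] == egress,
            # The ASA cannot see the inside router's table: this next hop must
            # route traffic for remote_ip back to the ASA inside address.
            "return_hop_to_verify": request_route[1] if request_route else None,
        })
    return findings


if __name__ == "__main__":
    for f in check_return_path(CONFIG, "LDN-vpn-acl", "LDN-office-crypto-map",
                               "77.88.4.32/28", "10.10.10.32/28"):
        for k, v in f.items():
            print(f"{k:>24}: {v}")
    spec = "icmp 77.88.4.32 255.255.255.240 10.10.10.32 255.255.255.240"
    print("suggested capture sees reply:", capture_would_see(spec, "77.88.4.43", "10.10.10.11"))
```

The script only reasons about what the ASA config states; whether the router at 192.168.254.6 actually routes the remote host back to 192.168.254.1 still has to be confirmed on that router or with the inside-interface capture from the reply.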