01-06-2009 06:09 AM - edited 02-21-2020 03:11 AM
Syslogs show that the Cisco 5520 tears down all ICMP connections going from one internal VPN tunnel host to another.
VPN tunnel addresses are assigned from the address pool
172.16.8.0/24
For example, once a VPN connection is established, host 172.16.8.1 cannot ping any other host on the 172.16.8.0 network.
Is this a misconfiguration issue? What kind of security setting should be configured to allow this flow?
Please help. Thanks in advance.
important:
ASA is connected on public interface to Internet FW and on private interface to Intranet FW.
Default routes on ASA are configured as follows:
"route private 0.0.0.0 0.0.0.0 172.16.7.65 tunneled
route public 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1"
This means that all tunneled traffic should go through the Intranet FW, which is true for all traffic from the VPN tunnel (172.16.8.x) to the LAN but not for the traffic back to the tunnel (172.16.8.x). The latter goes out of the public interface and ends up on the Internet FW, where the VPN tunnel address is treated as spoofed.
Can someone explain why the tunnel address is going out through the public interface? Thanks
01-06-2009 10:36 AM
Perhaps it will clarify your confusion if you think from the perspective of the ASA: if it has a packet that it should send to the remote VPN peer, which interface should it use to send it? public or private?
The most common reason why devices in the 172.16.8.0 subnet cannot ping each other is a basic assumption in the ASA and PIX that, by default, it will not forward a packet out the same interface on which it was received. So if one remote client in 172.16.8.0 attempts to ping another remote client in that subnet, the request is received on an interface and the path to the destination is back out that same interface. The way to get around this restriction is to configure:
same-security-traffic permit intra-interface
Give this a try and let us know if it solves the problem.
HTH
Rick
01-07-2009 12:11 AM
Rick, I appreciate your prompt reply.
If the security level of the private interface is at 100 and that of the public one at 0 by default, you mean that I should set the security level of the public one to 100 and enable the network traffic between the interfaces with the same security level, don't you?
I will give it a try. Thanks again.
Melita
01-07-2009 10:30 AM
Melita
No, I did not suggest that you change the security level of the public interface. Leave the security level of the public interface at 0.
If you wanted to allow traffic between two interfaces with the same security level, you would specify inter-interface traffic. What you need to do is to allow traffic to go out the same interface that it entered on, which is intra-interface traffic.
HTH
Rick
01-08-2009 06:04 AM
Rick,
Done. After applying
"same-security-traffic permit intra-interface"
pings (ICMP) are working between hosts on the VPN tunnel (172.16.8.0).
Could you please suggest what "access list" command would allow, for example, any IP traffic between the hosts on the tunnel?
Many thanks in advance.
BR, Melita
01-08-2009 07:08 AM
Rick,
Done. After applying
"same-security-traffic permit intra-interface"
pings (ICMP) are working between hosts on the VPN tunnel (172.16.8.0).
1. Somehow it works for ICMP packets but not for the rest of the IP traffic. Could you please suggest what "access list" command would allow, for example, any IP traffic between the hosts on the tunnel?
2. I also have a few static routes mapped to the management interface on the ASA that point to several devices on the corporate LAN; those devices cannot be reached by the hosts on the VPN tunnel, because the ASA sends the packets coming from the tunnel to them through the management interface instead of the private one (which is the default route for the tunneled traffic), and the packets are then treated as spoofed on the external FW because they are expected from the ASA private interface. I hoped that the "..permit intra-interface" would have solved the issue, but it did not. Is there a way to overcome this?
Many thanks in advance.
BR, Melita
01-08-2009 10:00 AM
Melita
I am glad that the intra-interface command fixed the initial problem. Without knowing a bit more about how the ASA is set up, it is difficult to give really good advice about how to set up the access list, but it would probably be something like permit ip 172.16.8.0 255.255.255.0 any
I am not clear why you have static routes for certain devices pointed through the management interface. But if you do, I am not sure how you would route traffic from the VPN tunnels differently. If you need to keep the static routes pointed to the management interface, then perhaps it might be possible to set up some address translation so that the packets look like they originate from the ASA when they get to the firewall?
HTH
Rick
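Putting the pieces from this thread together, here is an added example of what the relevant ASA configuration lines look like; it is not a configuration posted in the thread. The pool name, the ACL name, the interface names and the public next hop are assumptions, while 172.16.8.0/24, the tunneled default route and the intra-interface command come from the posts above.

```text
! Added example, not from the thread. Names marked "assumed" are placeholders.
! Address pool handed out to VPN clients (pool name assumed)
ip local pool VPNPOOL 172.16.8.1-172.16.8.254 mask 255.255.255.0
!
! Client-to-client traffic arrives on and must leave the same interface.
! The ASA drops such hairpinned traffic unless this is enabled.
same-security-traffic permit intra-interface
!
! Decrypted tunnel traffic follows the private side (Intranet FW);
! everything else uses the ordinary default route on the public side.
route private 0.0.0.0 0.0.0.0 172.16.7.65 tunneled
route public  0.0.0.0 0.0.0.0 <public-next-hop> 1
!
! Rick's suggested permit, written as an extended ACL (ACL name assumed).
! Where it is applied (interface access-group or a group-policy vpn-filter)
! depends on the rest of the setup, which the thread does not show.
access-list VPN_HOSTS extended permit ip 172.16.8.0 255.255.255.0 any
```

Keeping the permit limited to the pool subnet, rather than permitting any source, preserves the ability to see in the syslogs which client-to-client flows are being built and torn down.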
01-08-2009 01:38 PM
Rick, I appreciate greatly all your help.
Best Regards
Melita