Site-to-Site VPN: Can't ping other network

shawnsherwood
Level 1

I cannot ping the remote LAN, but the site-to-site tunnel shows connected. I am able to ping from a local computer to the LAN IP on the remote ASA, and vice versa for the other network.

The configuration has been done through the ASDM (I'm still a little green on the CLI).

Been struggling with this thing for hours, NEED HELP. Site has to be online tomorrow.

Thanks in Advance!

Local Site ASA 10.128.1.254

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.128.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Safeway-Adtran 255.255.255.252
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 66.7.224.17
 name-server 66.7.224.18
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
access-list test_splitTunnelAcl standard permit any
access-list outside_1_cryptomap extended permit ip Safeway-Subnet 255.255.255.0 Inland-Empire-Subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip Safeway-Subnet 255.255.255.0 Inland-Empire-Subnet 255.255.255.0
access-list NONAT extended permit ip Inland-Empire-Subnet 255.255.255.0 Safeway-Subnet 255.255.255.0
access-list NONAT extended permit ip Safeway-Subnet 255.255.255.0 Inland-Empire-Subnet 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_DHCP 10.128.1.60-10.128.1.69 mask 255.255.255.255
ip local pool test 10.128.1.70-10.128.1.71 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 Adtran 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Safeway-Subnet 255.255.255.0 inside
http Inland-Empire-Subnet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 64.31.115.54
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet Safeway-Subnet 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.128.1.50-10.128.1.59 inside
dhcpd dns 66.7.224.17 66.7.224.18 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy JSP internal
group-policy JSP attributes
 dns-server value 71.250.0.12 71.242.0.12
 vpn-tunnel-protocol IPSec
username Brian password azfVYiIWlJ60Q23e encrypted
username Brian attributes
 service-type remote-access
username ssherwood password JkjHliTRLXMXtcz8 encrypted privilege 15
username zshafiq password 1cX5kOX/dDvqoDs6 encrypted privilege 15
tunnel-group JSP type remote-access
tunnel-group JSP general-attributes
 address-pool VPN_DHCP
 default-group-policy JSP
tunnel-group JSP ipsec-attributes
 pre-shared-key *****
tunnel-group 64.31.115.54 type ipsec-l2l
tunnel-group 64.31.115.54 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

Remote Site ASA 10.128.2.254

access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip Safeway-Subnet 255.255.255.0 Inland-Empire-Subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inland-Empire-Subnet 255.255.255.0 Safeway-Subnet 255.255.255.0
access-list NONAT extended permit ip Inland-Empire-Subnet 255.255.255.0 Safeway-Subnet 255.255.255.0
access-list NONAT extended permit ip Safeway-Subnet 255.255.255.0 Inland-Empire-Subnet 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_DHCP 10.128.2.60-10.128.2.69 mask 255.255.255.0
ip local pool Inland 10.128.2.50-10.128.2.52 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 modem 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Inland-Empire-Subnet 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer Safeway-Adtran
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.128.2.50-10.128.2.59 inside
dhcpd dns 64.60.0.17 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Inland internal
group-policy Inland attributes
 dns-server value 64.60.0.17
 vpn-tunnel-protocol IPSec
group-policy JSP internal
group-policy JSP attributes
 dns-server value 71.250.0.12 71.242.0.12
 vpn-tunnel-protocol IPSec
username Brian password azfVYiIWlJ60Q23e encrypted
username Brian attributes
 service-type remote-access
username ssherwood password JkjHliTRLXMXtcz8 encrypted privilege 15
username zshafiq password 1cX5kOX/dDvqoDs6 encrypted privilege 15
tunnel-group JSP type remote-access
tunnel-group JSP general-attributes
 address-pool VPN_DHCP
 default-group-policy JSP
tunnel-group JSP ipsec-attributes
 pre-shared-key *****
tunnel-group Inland type remote-access
tunnel-group Inland general-attributes
 address-pool Inland
 default-group-policy Inland
tunnel-group Inland ipsec-attributes
 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

6 Replies

andrew.prince
Level 10

Off the bat I notice that you do not have "sysopt connection permit-vpn" at either end, which allows VPNs to bypass any ACLs applied to the outside interface, which you do have on both sites?

Shawn,

Your ACLs seem to be causing the issue. Also, on the remote site I do not see the 'outside_1_cryptomap' ACL.

Which site is which end? Can you post the complete configuration of both sides (remove username/snmp info) with 'no names'? That shows IP addresses and is easy to t-shoot.

Thx

MS
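The two problems the replies point at (no "sysopt connection permit-vpn" while an ACL is applied to outside, and a crypto map whose match ACL is absent on one peer) are the kind of thing a pre-change config check can catch. The script below is an added example, not code from this thread or from Cisco: it runs over two constructed ASA excerpts that reuse the poster's object names, and it also checks that every crypto ACL line is mirrored (source and destination swapped) on the peer.

```python
import re

# Constructed excerpts modelled on the two configs in the thread (the poster's
# object names are kept); they are not the full configs posted above.
LOCAL_CFG = """
access-list outside_1_cryptomap extended permit ip Safeway-Subnet 255.255.255.0 Inland-Empire-Subnet 255.255.255.0
access-group outside_access_in in interface outside
crypto map outside_map 1 match address outside_1_cryptomap
"""
REMOTE_CFG = """
access-list NONAT extended permit ip Inland-Empire-Subnet 255.255.255.0 Safeway-Subnet 255.255.255.0
access-group outside_access_in in interface outside
crypto map outside_map 1 match address outside_1_cryptomap
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
MATCH_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$", re.M)
OUTSIDE_ACL_RE = re.compile(r"^access-group \S+ in interface outside$", re.M)
SYSOPT_RE = re.compile(r"^sysopt connection permit-vpn$", re.M)


def acl_entries(cfg, name):
    """(src, src_mask, dst, dst_mask) tuples of every 'permit ip' line in ACL `name`."""
    return [m.groups()[1:] for m in ACL_RE.finditer(cfg) if m.group(1) == name]


def crypto_entries(cfg):
    """All ACL entries referenced by 'crypto map ... match address' in this config."""
    return {e for _, acl in MATCH_RE.findall(cfg) for e in acl_entries(cfg, acl)}


def check_l2l(local, remote):
    """Return findings (strings) for a pair of ASA site-to-site configs; [] means clean."""
    findings = []
    for side, cfg in (("local", local), ("remote", remote)):
        # Without permit-vpn the outside ACL is applied to decrypted tunnel traffic too.
        if OUTSIDE_ACL_RE.search(cfg) and not SYSOPT_RE.search(cfg):
            findings.append(f"{side}: no 'sysopt connection permit-vpn' with an ACL on outside")
        # A crypto map entry pointing at an ACL with no lines selects no traffic at all.
        for seq, acl in MATCH_RE.findall(cfg):
            if not acl_entries(cfg, acl):
                findings.append(f"{side}: crypto map seq {seq} references empty ACL {acl}")
    # Each local crypto ACL line must appear on the peer with source/destination swapped.
    peer = crypto_entries(remote)
    for src, sm, dst, dm in crypto_entries(local):
        if (dst, dm, src, sm) not in peer:
            findings.append(f"remote: no mirror of {src} {sm} -> {dst} {dm}")
    return findings


if __name__ == "__main__":
    for finding in check_l2l(LOCAL_CFG, REMOTE_CFG):
        print(finding)
```

Run against the excerpts above it reports both sides for the missing sysopt, the empty ACL on the remote, and the un-mirrored crypto line; adding the ACL and the sysopt line on both ends makes it return an empty list.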

Andrew,

That was it. Thanks, working like a charm.

THANKS AGAIN

Yeap.. Thanks Andrew. I totally went in the wrong direction. 5 stars to you ..:-).

Thx

MS

Thanks for the rating

Sent from Cisco Technical Support iPad App

Sure no problem

Sent from Cisco Technical Support iPad App
