04-28-2013 11:19 AM
Hi,
I have configured a site-to-site VPN between two sites: A and B.
Site B (172.19.16.0/20) can't ping the inside interface of the Site_B's firewall (192.168.13.254)
Can you help me to set the inside interface as pingable (192.168.13.254)?
Result of the command: "show running-config"
: Saved
:
ASA Version 9.1(1)
!
hostname asasba
enable password 9U./y4ITpJEJ8f.V encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.13.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone CET 1
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network vpn_inside_site_a
subnet 192.168.13.0 255.255.255.0
object network vpn_inside_site_b_172.19.16.0_20
subnet 172.19.16.0 255.255.240.0
object network vpn_inside_b_2
subnet 172.18.8.0 255.255.248.0
object network vpn_inside_site_b_3
subnet 172.18.16.0 255.255.248.0
object network vpn_inside_site_b_172.18.32.0_19
subnet 172.18.32.0 255.255.255.240
object network vpn_inside_site_b_172.18.8.0_21
subnet 172.18.8.0 255.255.248.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object vpn_inside_site_b_172.19.16.0_20
network-object object vpn_inside_site_b_172.18.8.0_21
network-object object vpn_inside_site_b_172.18.32.0_19
object-group network DM_INLINE_NETWORK_2
network-object object vpn_inside_site_a
network-object object vpn_inside_site_b_172.18.32.0_19
network-object object vpn_inside_site_b_172.18.8.0_21
network-object object vpn_inside_site_b_172.19.16.0_20
network-object object vpn_inside_site_b_3
object-group network DM_INLINE_NETWORK_3
network-object object vpn_inside_site_a
network-object object vpn_inside_site_b_172.18.32.0_19
network-object object vpn_inside_site_b_172.18.8.0_21
network-object object vpn_inside_site_b_172.19.16.0_20
network-object object vpn_inside_site_b_3
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object vpn_inside_site_a object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging console informational
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-711-52.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp
nat (inside,outside) source static vpn_inside_site_a vpn_inside_site_a destination static vpn_inside_site_b_172.19.16.0_20 vpn_inside_site_b_172.19.16.0_20 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static vpn_inside_site_b_172.19.16.0_20 vpn_inside_site_b_172.19.16.0_20 no-proxy-arp route-lookup
nat (any,any) source static vpn_inside_site_a vpn_inside_site_a destination static vpn_inside_site_b_172.19.16.0_20 vpn_inside_site_b_172.19.16.0_20 no-proxy-arp
nat (any,any) source static vpn_inside_site_b_172.19.16.0_20 vpn_inside_site_b_172.19.16.0_20 destination static vpn_inside_site_a vpn_inside_site_a no-proxy-arp
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer Site_B_Public_IP
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set validate-icmp-errors
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption 3des
integrity md5
group 2
prf md5
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside
crypto ikev2 enable outside
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.13.100-192.168.13.227 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_Site_B_Public_IP internal
group-policy GroupPolicy_Site_B_Public_IP attributes
vpn-tunnel-protocol ikev1 ikev2
username aaaaa password 8tvZ.dnj3Qi0cBv5 encrypted privilege 15
tunnel-group Site_B_Public_IP type ipsec-l2l
tunnel-group Site_B_Public_IP general-attributes
default-group-policy GroupPolicy_Site_B_Public_IP
tunnel-group Site_B_Public_IP ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
!
!
policy-map global-policy
class class-default
user-statistics accounting
!
service-policy global-policy global
pop3s
server pop.gmail.com
default-group-policy DfltGrpPolicy
smtps
port 587
server smtp.gmail.com
default-group-policy DfltGrpPolicy
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:253c1ca11ee52b6a6a4bf5e33153f275
: end
Can you please help me?
04-28-2013 11:33 AM
Hi,
Normally you aren't able to ICMP an ASA interface from behind another interface.
To my understanding the only exception to this rule is connections coming through VPN connections.
In this case you would require the "management-access inside" configuration on the ASA.
- Jouni
04-28-2013 11:44 AM
Yes, the connections are coming through the VPN, and I would like to enable all machines that belong to the Site_B VPN to ping the inside interface of the Site_A router (192.168.67.254).
Sorry, I did not understand: require "management-access inside" configuration on the ASA??
Can you please explain to me what I have to do?
Thank you in advance!
04-28-2013 11:51 AM
Hi,
By default the ASA doesn't allow connecting from a host behind one interface to another interface.
For example hosts behind "inside" can't ping the "outside" interface and hosts behind the "outside" interface can't ping the "inside" interface.
The only exception to this rule is connections coming through VPN connections.
To enable connections to reach the "inside" interface of ASA from a L2L VPN connection you need to add the configuration command "management-access inside" to the ASA.
Here is the link to the ASA Command Reference explaining the command:
http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/m1.html#wp2112283
- Jouni
04-28-2013 12:02 PM
The Site_B IT is not here to execute a ping test.
Can I say that it is OK with this packet-tracer parameter?
Thank you!
04-28-2013 12:05 PM
Hi,
You should test it from an actual host. ASA "packet-tracer" doesn't simulate VPN traffic all that well when the traffic is entering from a VPN connection.
What is the IP address 192.168.67.254?
I can't see the IP address 192.168.13.254, which to my understanding was the IP address you were supposed to be pinging.
- Jouni
04-28-2013 12:16 PM
Sorry again! 192.168.67.254 is the inside interface IP of another router that had the same problem, and I tried your solution on it. It has exactly the same configuration, except the VPN inside subnet.
04-28-2013 12:18 PM
OK, thank you for the remark about the "packet-tracer"; I will check the pings with the Site_B IT, and I will tell you the result.
04-28-2013 12:02 PM
Also,
Now that I read the original post again it seems to me that there is probably some typo here.
Site B (172.19.16.0/20) can't ping the inside interface of the Site_B's firewall (192.168.13.254)
You say in the above that the Site B network needs to ping Site B firewall "inside" interface IP address.
If you actually mean that you need to ping an ASA interface IP address on the same site, then the reason the ICMP wouldn't be working is that I can't see any "route" command for the network 172.19.16.0/20.
Then again your configuration seems to hint that the network 172.19.16.0/20 would be located at Site A?
- Jouni
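The two points Jouni makes in this thread (the "inside" interface IP is only reachable from a L2L VPN when "management-access inside" is configured, and a network that is supposed to be a VPN remote must not have a local "route" or be directly connected on this ASA) can be checked mechanically against a saved running-config. The script below is an added example, not code from the thread or from Cisco; it runs over a constructed excerpt of the config posted above (indentation of the sub-commands is assumed, since the forum stripped it) and reports the missing "management-access inside" line, any crypto-map remote network that is routed or connected locally, and, as a side caveat a reviewer would raise about the same config, the telnet/ssh/http access permitted from any source on "outside". Function names and the finding texts are the example's own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the running-config from the original post.
CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.13.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
object network vpn_inside_site_a
 subnet 192.168.13.0 255.255.255.0
object network vpn_inside_site_b_172.19.16.0_20
 subnet 172.19.16.0 255.255.240.0
object-group network DM_INLINE_NETWORK_1
 network-object object vpn_inside_site_b_172.19.16.0_20
access-list outside_cryptomap extended permit ip object vpn_inside_site_a object-group DM_INLINE_NETWORK_1
crypto map outside_map 1 match address outside_cryptomap
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside
"""

OPERAND = r"(?:object-group \S+|object \S+|any4|any|host \S+|\d+\.\d+\.\d+\.\d+ \S+)"
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip ({OPERAND}) ({OPERAND})", re.M)


def _net(addr, mask):
    """'172.19.16.0', '255.255.240.0' -> IPv4Network('172.19.16.0/20')."""
    return ip_network(f"{addr}/{mask}", strict=False)


def parse_objects(cfg):
    """Map 'object network NAME' to the network of its 'subnet' sub-command."""
    objects, current = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):          # top-level line: enter/leave an object
            m = re.match(r"object network (\S+)", line)
            current = m.group(1) if m else None
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = _net(*m.groups())
    return objects


def parse_groups(cfg, objects):
    """Map 'object-group network NAME' to the list of networks it contains."""
    groups, current = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            m = re.match(r"object-group network (\S+)", line)
            current = m.group(1) if m else None
            if current:
                groups[current] = []
            continue
        m = re.match(r"\s+network-object object (\S+)", line)
        if m and current:
            groups[current].append(objects[m.group(1)])
        m = re.match(r"\s+network-object (\d\S*) (\S+)", line)
        if m and current:
            groups[current].append(_net(*m.groups()))
    return groups


def parse_interfaces(cfg):
    """Map nameif -> (interface IP, directly connected network)."""
    ifaces, name = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            name = None
            continue
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and name:
            ifaces[name] = (ip_address(m.group(1)), _net(*m.groups()))
    return ifaces


def parse_routes(cfg):
    """List of (egress interface, destination network) from static 'route' lines."""
    return [(ifname, _net(a, m))
            for ifname, a, m in re.findall(r"^route (\S+) (\S+) (\S+)", cfg, re.M)]


def _expand(operand, objects, groups):
    """Turn one ACL source/destination operand into a list of networks."""
    kind, _, arg = operand.partition(" ")
    if kind == "object":
        return [objects[arg]]
    if kind == "object-group":
        return list(groups[arg])
    if kind in ("any", "any4"):
        return [ip_network("0.0.0.0/0")]
    if kind == "host":
        return [ip_network(arg + "/32")]
    return [_net(kind, arg)]


def vpn_remote_networks(cfg):
    """Destination networks of every ACL referenced by a 'crypto map ... match address'."""
    objects = parse_objects(cfg)
    groups = parse_groups(cfg, objects)
    crypto_acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M))
    remote = []
    for name, _src, dst in ACL_RE.findall(cfg):
        if name in crypto_acls:
            remote.extend(_expand(dst, objects, groups))
    return remote


def audit(cfg):
    """Return a list of human-readable findings for the thread's two issues plus the exposure caveat."""
    findings = []
    ifaces = parse_interfaces(cfg)
    mgmt = re.findall(r"^management-access (\S+)", cfg, re.M)
    # 1. VPN-sourced traffic may reach a far-side interface IP only on the management-access interface.
    if "inside" not in mgmt:
        findings.append(f"management-access inside missing: VPN hosts cannot ping {ifaces['inside'][0]}")
    # 2. A crypto-map remote network that is routed to a non-outside interface, or directly
    #    connected, never egresses "outside", so the crypto map would not encrypt it.
    for net in vpn_remote_networks(cfg):
        for ifname, rnet in parse_routes(cfg):
            if rnet.prefixlen > 0 and net.subnet_of(rnet) and ifname != "outside":
                findings.append(f"{net} has a local route via {ifname}; it is not a VPN remote")
        for ifname, (_, inet) in ifaces.items():
            if net.overlaps(inet):
                findings.append(f"{net} overlaps directly connected {ifname} network {inet}")
    # 3. Management plane open to any source on the untrusted interface.
    for proto in ("telnet", "ssh", "http"):
        if re.search(rf"^{proto} 0\.0\.0\.0 0\.0\.0\.0 outside", cfg, re.M):
            findings.append(f"{proto} permitted from any source on outside")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

Run against the excerpt it reports the missing "management-access inside" line and the three wide-open management rules; appending "management-access inside" to the config clears the first finding, while adding a "route inside 172.19.16.0 255.255.240.0 ..." line (the situation Jouni describes) makes the script flag 172.19.16.0/20 as a local network rather than a VPN remote.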
04-28-2013 12:08 PM
Oops, sorry, I meant that:
Site B (172.19.16.0/20) can't ping the inside interface of the Site_A's firewall (192.168.13.254).