
IPSec tunnel connectivity

BHconsultants88
Level 1

Hi everyone


I hope someone can point me in the right direction here...I've been going around in circles with connectivity issues between two parties who want traffic to pass through a VPN tunnel via a Cisco ASA. 


Please see attached - in summary, router A can reach router B but not vice versa. I'm thinking it's some natting misconfiguration on the ASA but I can't see anything obvious. If not natting, then perhaps MTU related?

**Additional note - router B is able to ping router A public IP, however cannot ping the LAN.


Router A - Digi Transport Router

Router B - VPN termination point is an AWS device

ASA in the middle


I've also attached the IPSec config on the ASA. Could anyone suggest any ideas as to why router B can't get to router A?


Thanks in advance.

18 Replies

I'm just waiting for the change to be made Sheraz. Sorry, I don't mean to question you but isn't your ACL the same as the one that's already there? See below:

access-list thorman extended permit ip object-group thorman-local object-group thorman-remote

You are correct.

access-list thorman extended permit ip object-group thorman-local object-group thorman-remote
access-list thorman extended permit ip any4 object-group thorman-remote


The above statement matches two rules in one: ip any4 and object-group thorman.


What you can do, if you don't want to apply the new rules, is do 'show access-list' and check what number the ASA gives to these ACLs.

Please do not forget to rate.

Here is the output from the 'show access-list' command. The problem is still that we cannot ping from 192.168.142.0/24 (Thorman) to 10.20.4.0/24 (Noverton). The confusing thing is I'm seeing a lot of hits against the Thorman ACL but 0 hits against the Noverton ACL.


access-list thorman line 1 extended permit ip 10.20.4.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=173550) 0x6d3eca4e

access-list 181.49.11.243_Noverton line 2 extended permit ip 192.168.142.0 255.255.255.0 10.20.4.0 255.255.255.0 (hitcnt=0) 0x43b23a2a

There are several things I would comment on:

- both access lists for the vpn have a line that permits any to the remote subnet. For Thorman the more specific entry for the local subnet to the remote subnet comes first and has hitcount of 173550 and then the permit any entry has hitcount of 123. So you are trying to send 123 items over the vpn that do not match your real criteria. The same issue exists for Noverton but the order of statements is reversed. So we see hitcount of 55025 for permit any and hitcount of 0 for local subnet to remote subnet. I suggest that you remove both statements that have permit any.

- I see in the config that 192.168.142.0 is the subnet for Noverton. That network also appears as the local network for Beverly and for Sherman. Is that really the case? And if so is it possibly related to the problem?

- I see in the config that the set peer statement in Thorman crypto map has 2 peer addresses. Can you verify which of the peers is active? Could you then switch over to the other peer and see if the behavior changes?


HTH


Rick

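The two points made above by Sheraz (the any4 entry overlaps the object-group entry) and by Rick (the permit-any entries carry traffic that should not be in the tunnel, and in the Noverton ACL the broad entry comes first so the specific entry never gets a hit) can be checked mechanically. The following script is an added illustration, not code from this thread or from Cisco: it parses 'show access-list' output of the form quoted above and reports every crypto ACL entry with an any/any4 source, plus every entry that is shadowed by an earlier, broader one. The sample output is constructed from the hit counts quoted in the thread; the 0x00000000 hashes on the two lines not shown in the thread are placeholders, and the parser only handles ip entries without port qualifiers.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of 'show access-list' output, using the ACL names and
# hit counts quoted in the thread. The two 0x00000000 hashes are placeholders.
SAMPLE_OUTPUT = """
access-list thorman line 1 extended permit ip 10.20.4.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=173550) 0x6d3eca4e
access-list thorman line 2 extended permit ip any4 192.168.142.0 255.255.255.0 (hitcnt=123) 0x00000000
access-list 181.49.11.243_Noverton line 1 extended permit ip any4 10.20.4.0 255.255.255.0 (hitcnt=55025) 0x00000000
access-list 181.49.11.243_Noverton line 2 extended permit ip 192.168.142.0 255.255.255.0 10.20.4.0 255.255.255.0 (hitcnt=0) 0x43b23a2a
"""

LINE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: str   # "any" or a CIDR string such as "10.20.4.0/24"
    dst: str
    hits: int


def _take_address(tokens):
    """Consume one ASA address spec from the token list.

    Returns (spec, remaining_tokens), or (None, tokens) for specs this
    parser does not expand (e.g. unexpanded object-group references).
    """
    head = tokens[0]
    if head in ("any", "any4", "any6"):
        return "any", tokens[1:]
    if head == "host":
        return f"{tokens[1]}/32", tokens[2:]
    if head == "object-group" or len(tokens) < 2:
        return None, tokens
    # dotted network followed by dotted netmask, e.g. 10.20.4.0 255.255.255.0
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return str(net), tokens[2:]


def parse_show_access_list(text):
    """Parse expanded ACE lines; lines that do not match are skipped."""
    aces = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        src, tokens = _take_address(tokens)
        if src is None:
            continue
        dst, tokens = _take_address(tokens)
        if dst is None:
            continue
        aces.append(Ace(m.group("acl"), int(m.group("line")), m.group("action"),
                        m.group("proto"), src, dst, int(m.group("hits"))))
    return aces


def _covers(outer, inner):
    """True if address spec `outer` matches everything `inner` matches."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(outer).supernet_of(ipaddress.ip_network(inner))


def audit_crypto_acls(aces):
    """Return (acl, line, finding, hits) tuples.

    'broad-source': a permit with an any/any4 source, i.e. traffic from
    outside the intended local subnet is being offered to the tunnel.
    'shadowed': an entry that can never be hit because an earlier entry in
    the same ACL already matches everything it would match.
    """
    findings = []
    by_acl = {}
    for a in aces:
        by_acl.setdefault(a.acl, []).append(a)
    for acl, entries in by_acl.items():
        entries.sort(key=lambda a: a.line)
        for i, a in enumerate(entries):
            if a.action == "permit" and a.src == "any":
                findings.append((acl, a.line, "broad-source", a.hits))
            for earlier in entries[:i]:
                if (_covers(earlier.src, a.src) and _covers(earlier.dst, a.dst)
                        and earlier.proto in ("ip", a.proto)):
                    findings.append((acl, a.line, "shadowed", a.hits))
                    break
    return findings


if __name__ == "__main__":
    for acl, line, finding, hits in audit_crypto_acls(parse_show_access_list(SAMPLE_OUTPUT)):
        print(f"{acl} line {line}: {finding} (hitcnt={hits})")
```

Run against the sample, it reports the Thorman any4 entry with its 123 stray hits, the Noverton any4 entry with 55025 hits, and the Noverton subnet-to-subnet entry as shadowed with 0 hits, which is the pattern Rick describes. Paste real 'show access-list' output into SAMPLE_OUTPUT (or read it from a file) to check an ASA the same way; the shadowed entries are the ones to move or remove, and the broad-source entries are the ones the crypto map should not be offering to the peer.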