Remote Access VPN cannot Ping across S2S VPN

byates
Level 1

I have an ASA 5508 with a Remote Access VPN (192.168.1.0/24) and also an S2S VPN that connects to Azure.

The Remote Access VPN users can ping resources on the internal network just fine. However, trying to ping resources on the other side of the S2S from the RA VPN doesn't work.

I checked to make sure that hairpinning is enabled; it is. I looked at the NAT.

The 1st entry is:

    Outside, Outside (RA VPN) (Azure Network)
    Outside, Outside (Azure Network) (RA VPN)

The last NAT entry in the list has:

    Inside, Outside (All internal VLANs, including RA VPN) (Azure Networks)

I tried adding an ACL entry under Configuration > Site-to-site VPN > Advanced > ACL Manager, thinking maybe it was getting blocked. Not the case.

Not sure what else to check.

TIA

3 Replies

Hi,
Can you please provide the actual configuration of your NAT rules?
Can you also run packet-tracer from the command line and provide the output?

Here is the output of packet-tracer:

****# packet-tracer input outSIDE-0 icmp 192.168.0.50 0 0 10.1$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (OUTSIDE-0,OUTSIDE-0) source static obj_PALMDALE-HQ-RAVPN_net obj_PALMDALE-HQ-RAVPN_net destination static azure-networks azure-networks
Additional Information:
NAT divert to egress interface OUTSIDE-0
Untranslate 10.10.1.5/0 to 10.10.1.5/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE-0_access_in in interface OUTSIDE-0
access-list OUTSIDE-0_access_in extended permit icmp any4 any4 echo-reply
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (OUTSIDE-0,OUTSIDE-0) source static obj_PALMDALE-HQ-RAVPN_net obj_PALMDALE-HQ-RAVPN_net destination static azure-networks azure-networks
Additional Information:
Static translate 192.168.0.50/0 to 192.168.0.50/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: OUTSIDE-0
input-status: up
input-line-status: up
output-interface: OUTSIDE-0
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

I took a couple of screen snips of the NAT rules.

The HQ_RAVPN object group contains the remote access VLAN.

The Azure networks group contains the Azure VLAN.

Can you re-run the packet-tracer again, twice, and upload the output? NOTE: the ICMP type is 8 instead of 0.

packet-tracer input outSIDE-0 icmp 192.168.0.50 8 0 10.10.1.5

Can you also provide the configuration: crypto map, ACL, objects (obj_PALMDALE-HQ-RAVPN_net and azure-networks)?
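The packet-tracer output posted above is what the responder is working from, and the follow-up asks for a second run with ICMP type 8. As an added example (not part of the thread and not Cisco tooling), here is a small Python parser for that output format: it splits the phases, reports the first phase that returned DROP together with the final Drop-reason, notes whether the flow was hairpinned (the "NAT divert to egress interface" line), and flags a simulated ICMP type other than 8, which is the point the responder raises. The sample input is constructed from the thread's own output, trimmed to two phases; the destination address is taken from the suggested re-run command, since the original command line was cut off in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input, constructed for this example from the packet-tracer output posted in
# the thread, trimmed to the first and last phases (destination taken from the re-run
# command in the reply, because the original command line was cut off).
SAMPLE_TRACE = """\
asa# packet-tracer input OUTSIDE-0 icmp 192.168.0.50 0 0 10.10.1.5

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (OUTSIDE-0,OUTSIDE-0) source static obj_PALMDALE-HQ-RAVPN_net obj_PALMDALE-HQ-RAVPN_net destination static azure-networks azure-networks
Additional Information:
NAT divert to egress interface OUTSIDE-0
Untranslate 10.10.1.5/0 to 10.10.1.5/0

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: OUTSIDE-0
output-interface: OUTSIDE-0
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
ICMP_ECHO_REQUEST = 8


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    command: str = ""
    phases: list = field(default_factory=list)
    action: str = ""
    drop_reason: str = ""

    def first_drop(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result == "DROP"), None)

    def hairpinned(self) -> bool:
        # The ASA prints this when the flow is diverted back out the ingress interface.
        return any("NAT divert to egress interface" in l for p in self.phases for l in p.info)


def parse_packet_tracer(text: str) -> Trace:
    trace, phase, section, in_summary = Trace(), None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if "packet-tracer input" in line:          # command echoed after the prompt
            trace.command = line[line.index("packet-tracer"):]
        elif re.match(r"Phase:\s*\d+$", line):
            phase = Phase(number=int(line.split(":")[1]))
            trace.phases.append(phase)
            section = None
        elif line == "Result:":                    # bare "Result:" opens the summary block
            in_summary, phase = True, None
        elif in_summary:
            key, _, value = line.partition(":")
            if key == "Action":
                trace.action = value.strip()
            elif key == "Drop-reason":
                trace.drop_reason = value.strip()
        elif phase is not None and line:
            key, _, value = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                setattr(phase, key.lower(), value.strip())
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section == "config":
                phase.config.append(line)
            elif section == "info":
                phase.info.append(line)
    return trace


def icmp_type_issue(command: str) -> Optional[str]:
    # Type 0 (echo-reply) simulates the return direction; a user's ping is type 8.
    m = re.search(r"packet-tracer input (\S+) icmp (\S+) (\d+) (\d+) (\S+)", command)
    if not m or int(m.group(3)) == ICMP_ECHO_REQUEST:
        return None
    ifc, src, icmp_type, _code, dst = m.groups()
    return (f"ICMP type {icmp_type} is not an echo request; re-run as: "
            f"packet-tracer input {ifc} icmp {src} 8 0 {dst}")
```

Run against the posted trace, `parse_packet_tracer` reports the drop at phase 8 (VPN/encrypt) with the `(acl-drop)` reason and confirms the hairpin divert, and `icmp_type_issue` produces the same correction the responder gives (type 8 instead of 0). A drop in the VPN encrypt phase is the usual point at which to compare the flow against the crypto map's ACL and the objects it references, which is what the follow-up reply asks for.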