
site-2-site VPN between ASA 5520 and cisco 800 router, traffic problem

thunderbird815
Level 1

Hello

I'm setting up a test site-to-site VPN between a Cisco ASA 5520 and a Cisco 800 or any other VPN-capable router (I have a 2600XM and a 2800). I'm using ASDM to configure the ASA and the CLI to configure the router. The environment is as follows

(the router and the ASA are directly connected)

1- ASA side

outside interface ip 82.205.xxx.xxx

inside interface ip 192.168.5.1

inside network 192.168.5.0 255.255.255.0

no NAT is used

the default gateway is the router outside interface

2- router side

outside interface ip 82.205.xxx.yyy

inside interface ip 192.168.6.1

inside network 192.168.6.0 255.255.255.0

no NAT is used

the default gateway is the ASA outside interface

I have managed to bring the tunnel up and running, but the problem is that I can ping the router inside network (192.168.6.0) from the ASA inside network (192.168.5.0) normally, but it won't work the other way (I mean I can't ping the ASA inside network from the router inside network). I have triple-checked the following:

1- the interesting-traffic ACL on both sides (permit 192.168.5.0 255.255.255.0 to 192.168.6.0 on the ASA side, and vice versa on the router).

2- the VPN is bidirectional on the ASA side.

3- restored the ASA to factory default and did the configuration again, with the same problem.

4- checked that there are no NAT translations configured on either side.

5- no route but the default route mentioned above.

6- did the configuration from the ASA side using the wizard and checked the box (to exempt the local networks from the interface ACLs), although there are no interface ACLs, but it still didn't work.

7- changed the default route to the local outside interface on both sides.

All of that didn't fix the problem, and I can still ping only from the ASA side.
I will be very thankful for any help.
Thank you

14 Replies

andamani
Cisco Employee

hi,

Can you please check that the ASA is not learning the route to 192.168.6.0 via some other routing protocol or from somewhere else.

Please ensure that the ASA knows that it needs to exit via the tunnel to reach 192.168.6.0. Please check the internal routing of the ASA and make sure that the route to 192.168.6.0 is via the ASA.

Hope this helps.

Regards,

Anisha

-Do rate helpful posts.

Thank you Anisha

I did that by changing the VPN tunnel parameters while the tunnel is up, and when the tunnel goes down there is NO ping to (192.168.6.0) from the ASA side.

thanks again.

Hmmm... OK. What is connected on the inside of the ASA directly? I mean, an L3 device? What is the default route there?

Alternately you can run a packet tracer on the ASA and find out where it is dropping.

Next we can apply packet captures and check if the packet is actually reaching the ASA or not to be sent across the tunnel.

Hope this helps.

Regards,

Anisha.

- Do rate helpful posts.

Attached are the configurations for both sides; have a look at them and please advise.

Thanks again for the quick response.

Only a single PC is connected to the inside interface on each side.

Hi,

Is the tunnel up? Please paste the output of "sh cry isa sa" from both ends.

Also, I don't see NAT exemption on the ASA or the router.

Please paste the output of "sh run nat" as well.

Regards,

Anisha

Hi again

The tunnel is up, and attached is the output of the "sh crypto" commands you asked for. As for the NAT show commands, when I execute them the result is empty on both sides: "No NAT translations are configured in order to do the exemption".

Thank you

Attached also is the log between the two hosts (192.168.6.110, router side) and (192.168.5.10, ASA side). The ASA keeps tearing down all types of connections, as you can see in the log (TCP, ICMP, telnet, although it is enabled for the IP 192.168.6.110).

I also entered the command "sysopt connection permit-vpn" to make the IPsec traffic bypass the interface access-lists, but it's the same problem again.

Hi,

Could you please paste the output of the following:

packet-tracer in inside icmp 192.168.5.10 8 0 192.168.6.110 detailed

After this please do the following:

access-li capi permit ip host 192.168.5.10 host 192.168.6.110

access-li capi permit ip host 192.168.6.110 host 192.168.5.10

capture capin access-li capi interface inside buffer 33554430

Ping from 192.168.5.10 to 192.168.6.110

Then do "sh cap capin" and give the output of the same.

Regards,

Anisha

-Do rate helpful posts.

The results are in the attached file.

"You can see that the request from 192.168.5.10 is being replied to by 192.168.6.110, but the request from 192.168.6.110 is not being replied to by 192.160.5.10."

FYI

192.168.6.110 can't ping 192.168.5.1, which is the ASA inside interface, either.
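The capture requested above is easiest to read by pairing each ICMP echo request with the reply it should have produced, per direction. The script below is an added example (not from this thread or from Cisco); the capture text it parses is constructed to resemble the ASA "show capture" line format (an assumption about that format) and to reproduce the symptom described here: requests from 192.168.5.10 are answered, requests from 192.168.6.110 are not. A capture taken on the ASA inside interface that shows the request arriving from 192.168.6.110 but no reply leaving 192.168.5.10 points at the host or its local firewall rather than at the tunnel.

```python
"""Pair ICMP echo requests with replies in ASA 'show capture' style output."""
import re
from collections import defaultdict

# Constructed sample modelled on ASA "show capture <name>" output (format assumed).
SAMPLE_CAPTURE = """\
   1: 10:15:01.100000 192.168.5.10 > 192.168.6.110: icmp: echo request
   2: 10:15:01.103000 192.168.6.110 > 192.168.5.10: icmp: echo reply
   3: 10:15:02.100000 192.168.5.10 > 192.168.6.110: icmp: echo request
   4: 10:15:02.103000 192.168.6.110 > 192.168.5.10: icmp: echo reply
   5: 10:15:05.500000 192.168.6.110 > 192.168.5.10: icmp: echo request
   6: 10:15:06.500000 192.168.6.110 > 192.168.5.10: icmp: echo request
   7: 10:15:07.500000 192.168.6.110 > 192.168.5.10: icmp: echo request
"""

# packet number, timestamp, "src > dst:", then the ICMP type text
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):\s+icmp:\s+echo (?P<kind>request|reply)"
)


def parse_capture(text):
    """Yield (src, dst, kind) for every ICMP echo line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("kind")


def echo_summary(text):
    """Count requests and replies per (requester, target) pair.

    A reply travelling target -> requester is credited to the pair it answers,
    so both counters of a pair describe the same direction of the ping.
    """
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for src, dst, kind in parse_capture(text):
        if kind == "request":
            stats[(src, dst)]["requests"] += 1
        else:
            stats[(dst, src)]["replies"] += 1
    return dict(stats)


def unanswered_directions(text):
    """Return the (requester, target) pairs whose requests got no reply at all."""
    return sorted(pair for pair, c in echo_summary(text).items()
                  if c["requests"] > 0 and c["replies"] == 0)


if __name__ == "__main__":
    for pair, c in sorted(echo_summary(SAMPLE_CAPTURE).items()):
        print(f"{pair[0]} -> {pair[1]}: {c['requests']} requests, "
              f"{c['replies']} replies")
    print("no replies for:", unanswered_directions(SAMPLE_CAPTURE))
```

Run it against the pasted output of "sh cap capin"; the direction listed under "no replies for" is the one to investigate, and because the capture sits on the inside interface, a request that is seen there but never answered has already traversed the tunnel and the ASA.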

Hi,

The captures on the ASA show the packet is being replied to by the 192.168.5.10 network.

Could you please check whether the local firewall of the machine 192.168.6.110 is on. If it is on, please switch it off.

Also please attach the output of packet tracer mentioned in the last post.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Reyad Safi
Level 1

Hi

I think the problem is in the interesting-traffic access list on the router side.

Try this:

access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip any any

ip nat inside source route-map TEST interface FastEthernet0 overload

!

route-map TEST permit 1
match ip address 100

Try this; I think it should work.
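Both the original post (step 1, the interesting-traffic ACLs on both sides) and the suggestion above come down to the same check: the router's crypto ACL must be the exact mirror of the ASA's, and any NAT-exemption deny on the router must cover the same source/destination pair, with the ASA written in subnet-mask notation and IOS in wildcard-mask notation. The script below is an added example (not from this thread or from Cisco) that normalises both notations and reports what the router is missing or has in excess; the ACL lines it parses are constructed, since the real configurations are in the thread's attachments and not on this page. The "bad" router ACL shows the common mistake of copying the ASA line without swapping source and destination.

```python
"""Check that two ends of a site-to-site tunnel declare mirror-image proxy IDs."""
import ipaddress

# Constructed ACL lines in ASA (subnet mask) and IOS (wildcard mask) notation.
ASA_ACL = """\
access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
"""
ROUTER_ACL_GOOD = """\
access-list 101 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
"""
# Same direction as the ASA line, i.e. not mirrored: the tunnel will negotiate
# mismatched proxy identities or simply never match the return traffic.
ROUTER_ACL_BAD = """\
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
"""


def _network(addr, mask, wildcard):
    """Build a network from 'addr mask'; IOS wildcards are complemented to a netmask."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _endpoint(tokens, i, wildcard):
    """Consume one ACL endpoint (any | host A | A MASK) starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _network(t, tokens[i + 1], wildcard), i + 2


def parse_crypto_acl(text, wildcard):
    """Return the set of (src_net, dst_net) pairs permitted by the ACL text.

    Only permit lines define the proxy identity; deny and remark lines are skipped.
    """
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit") + 2          # skip "permit" and the protocol keyword
        src, i = _endpoint(tokens, i, wildcard)
        dst, _ = _endpoint(tokens, i, wildcard)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(asa_text, router_text):
    """Compare the router's pairs with the ASA's pairs swapped (dst, src)."""
    asa = parse_crypto_acl(asa_text, wildcard=False)
    router = parse_crypto_acl(router_text, wildcard=True)
    expected_on_router = {(d, s) for s, d in asa}
    return {
        "missing_on_router": sorted(expected_on_router - router, key=str),
        "extra_on_router": sorted(router - expected_on_router, key=str),
    }


if __name__ == "__main__":
    print("good:", mirror_mismatches(ASA_ACL, ROUTER_ACL_GOOD))
    print("bad: ", mirror_mismatches(ASA_ACL, ROUTER_ACL_BAD))
```

Paste the crypto ACL from "sh run access-list" on the ASA and the ACL referenced by the router's crypto map into the two strings; an empty result in both lists means the proxy identities mirror each other and the remaining suspects are routing, NAT exemption (the deny line in the route-map ACL above must name the same pair) or the end host itself.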