VPN Connectivity

BHconsultants88
Level 1

Hi friends. I've been going around in circles with this one for a few days but I'm hoping someone will be able to tell me where I'm going wrong. I've provided a fairly basic overview but hopefully you'll come across this issue in your careers/experiences.

Summary (diagram also attached):

Company A and Company B need to be able to have two-way communication with each other via a Cisco ASA firewall in an external Data Centre. We have an IPSEC tunnel between Company A and the ASA and another tunnel between Company B and the ASA. Encryption settings have been checked and verified at each point.

The Problem

Company A can ping ASA. The ASA can ping Company B.

Company B can ping ASA. The ASA can ping Company A.

Company A can ping Company B.

The problem is that Company B cannot ping Company A.

My thoughts:

  • Company B has a subnet of 192.168.142.0/24. Would this need to be NATed at the Company B router or the ASA, or is this not required as traffic is passing through a tunnel?
  • Company A has a Digirouter. I am waiting for access to check the configuration. Would there be anything on this device that I should pay attention to?
  • I am waiting for information on Company B's breakout device.

Does anyone have any ideas what could be stopping Company B talking to Company A?

3 Replies

balaji.bandi
Hall of Fame

We would like to have a look at some kind of network topology of both: where the Company A network is which you are not able to ping, and what the devices in the path are.

As long as you have the right ACL in place and ping allowed in the VPN, you should be able to. But it was not working as expected.

Can you post the configuration of both ASA and the topology for us to have a look and suggest?

BB

Deepak Kumar
VIP Alumni

Hi,

I am thinking that your VPN is up, packet encryption and decryption is happening at both ends, and ping is not blocked anywhere.

If yes, then please share the running configuration, and if there is any issue in the above result then you must check a few things:

1. Are VPN Phase 1 and Phase 2 up?

2. Is the VPN ACL applied correctly?

3. Is remote-end VPN traffic denied in the NATing ACL?

Regards,

Deepak Kumar


Thanks for the replies, guys, much appreciated. I can confirm that both VPN tunnels are initiated and up. The only issue is Company B can't ping Company A through the tunnel. I'm beginning to think more than ever it is a problem with the Company A router (DIGI Transport WR44V2).

Deepak, for your point number 3, would this be on the Company A router or the Company B router?

I've attached the routing table from Company A. On the routing table, traffic going through interface PPP 3 is all we are interested in - this is the VPN traffic. I've checked the ASA; specifically, network objects, networks and subnets for Company A are set up correctly. I've checked on ASDM and can see the tunnels are up.

Could we be looking at a missing route or something similar?
