Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
685
Views
0
Helpful
1
Replies

ASA Site to Site problem with 10.0.0.0/8 and remote host

roger perkin
Level 2
Level 2

‎12-20-2012 01:49 PM

I am trying to configure a site to site VPN from a client ASA to a datacentre ASA

I have configured everything as per the documentation, however I am facing an isssue when trying to ping the remote host, my ping is getting denied on the ASA

%ASA-3-106014: Deny inbound icmp src inside:10.100.14.230 dst inside:10.10.10.65 (type 8, code 0)

Looking at the config of the firewall it appears that the address range 10.0.0.0/8 has been configured for the inside

object network obj-10.0.0.0

subnet 10.0.0.0 255.0.0.0

object network obj-10.0.0.0

nat (inside,outside) dynamic interface

So it is my assumption that the ASA thinks 10.10.10.65 is inside and is not allowing it out.

The fix I believe is to change the 10.0.0.0/8 network object to only reflect the actual inside networks of the client which will then allow this traffic to go out

Or is there anything else I can do?

There is another NAT on the firewall for a client VPN which works fine

nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static vpn_clients vpn_clients route-lookup

The ASA is running 8.4(2)

I am hoping I can just do a no Nat for the remote subnet?

object network DataCenter

subnet 10.10.10.64 255.255.255.248

object network Client

subnet 10.100.14.128 255.255.255.128

access-l Site-2-Site-DataCenter line 1 extended permit ip object Client object DataCenter

access-l Site-2-Site-DataCenter line 2 extended permit icmp object Client object DataCenter

nat (inside,outside) source static Client Client destination static DataCenter DataCenter

Any help is appreciated

Thanks

Roger

ASA routing issue .jpg

Labels:
0 Helpful
1 Reply 1

ivykaixin
Level 1
Level 1

‎12-21-2012 01:51 AM

Hi Roger

I think you can do the following things :

1.make sure that the two ASA have the right route of the VPN traffic . the packets from 10.100.14.230 to 10.10.10.65 should be sent out form the Client ASA outside interface , and the packets fome 10.10.10.65 to 10.100.14.230 should be sent out form the Data Center ASA outside interface . if you config crypto map is on the outside inferface .

2.make sure that , the packets  from 10.100.14.230 to 10.10.10.65 should be not NAT in Client ASA ,  and the packets fome 10.10.10.65 to 10.100.14.230 should be not NAT in the Data Center ASA.

3.make sure that , both ASA have permit the ESP and ISAKMP on the outside ingerface

4.make sure that , the configration in both side is OK

5. make sure that , the PC and the SERVER have the route to each other .

6.BTW you should not do anything about the icmp ,  as the packets is encrypted by ASA .

0 Helpful
Customers Also Viewed These Support Documents