05-16-2022 01:50 PM
Hello, I'm a little bit of a newbie when it comes to Cisco ASA and setting up the VPN. I have it configured, but I am not able to ping anything internally. Please advise; if you need to see my config I will be happy to provide it.
05-19-2022 09:30 AM
@SinghRaminder and @MHM Cisco World ahhh! I guess I should have mentioned that, my apologies. The 172.22.45.254 is our Sonicwall firewall system.
05-19-2022 09:41 AM - edited 05-19-2022 09:42 AM
pn# packet-tracer input outside tcp 192.168.15.20 12345 172.22.45.X 80 detail <- any ip other than ASA interface IP
05-19-2022 09:48 AM
@MHM Cisco World and @SinghRaminder I did it to the Sonicwall Firewall device see below:
vpn# packet-tracer input outside tcp 192.168.15.20 12345 172.22.45.254 80 deta$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 172.22.45.254 using egress ifc inside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.22.45.0_24 NETWORK_OBJ_172.22.45.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 172.22.45.254/80 to 172.22.45.254/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group acl_outside in interface outside
access-list acl_outside extended deny ip any4 any4
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9d64269e00, priority=13, domain=permit, deny=true
hits=13886, user_data=0x7f9d754a8980, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055e35b571b00 flow (NA)/NA
vpn#
05-19-2022 09:55 AM - edited 05-19-2022 09:56 AM
This is normal, since the packet-tracer command will look at the ACL. But your actual traffic will bypass the outside ACL, as you have sysopt permit vpn in your configuration.
Chris, check your routing. You need to fix that. Your return traffic is going to the Sonicwall, which has nothing to do with what we have been presented with so far. I am unable to understand your architecture and scenario here: where in the picture are the ASA and the Sonicwall?
At this moment we do not know the big picture. One thing you can do to test is add ip route 192.168.15.10 255.255.255.255 172.22.45.13 on the device with IP 172.22.45.1.
05-19-2022 10:05 AM
@chris.bias @MHM Cisco World and you may want to check routing between 172.22.45.13 and 172.22.45.1, if any routing protocol is running or if you are redistributing any static from 172.22.45.1, to avoid any loop.
05-19-2022 10:45 AM
@SinghRaminder and @MHM Cisco World okay, so adding the ip route 192.168.15.10 255.255.255.255 172.22.45.13 made the remote VPN device start talking to 172.22.45.1:
shv_core_stack#config t
Enter configuration commands, one per line. End with CNTL/Z.
shv_core_stack(config)#ip route 192.168.15.0 255.255.255.0 172.22.45.13
shv_core_stack(config)#exi
shv_core_stack#config t
Enter configuration commands, one per line. End with CNTL/Z.
shv_core_stack(config)#$2.168.15.0 255.255.255.0 172.22.45.0 255.255.255.0
ip route 192.168.15.0 255.255.255.0 172.22.45.0 255.255.255.0
^
% Invalid input detected at '^' marker.
shv_core_stack(config)#$2.168.15.0 255.255.255.0 172.22.45.0
shv_core_stack(config)#
05-19-2022 11:28 AM
Glad it is working, but you may want to check routing between 172.22.45.13 and 172.22.45.1, if any routing protocol is running or if you are redistributing any static from 172.22.45.1, to avoid any loop.
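The routing problem the thread converges on is a return-path issue: the core switch at 172.22.45.1 has no route for the remote VPN subnet, so replies follow its default route to the Sonicwall (172.22.45.254) instead of reaching the ASA (172.22.45.13), which holds the tunnel. The following added example (not code from the thread or from Cisco) simulates that with a longest-prefix-match lookup and a hop-by-hop return-path trace. The routing tables, the egress labels "vpn-tunnel" and "wan-default", and the hypothetical loop scenario (the ASA learning a route back to the core, as the loop warning above describes) are all constructed assumptions for illustration, not configuration taken from the page.

```python
import ipaddress

CONNECTED = "connected"  # placeholder next hop for directly attached networks

CORE = "172.22.45.1"        # core switch, default gateway for the LAN (from the thread)
ASA = "172.22.45.13"        # ASA terminating the site-to-site VPN (from the thread)
SONICWALL = "172.22.45.254"  # Sonicwall, the core's default route (from the thread)
REMOTE_HOST = "192.168.15.10"  # host on the remote VPN subnet (from the thread)


def ios_static(network: str, mask: str, next_hop: str) -> tuple:
    """Translate an IOS 'ip route <net> <mask> <next-hop>' line into (prefix, next_hop)."""
    net = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    return (str(net), next_hop)


def lookup(table, dst: str):
    """Longest-prefix match over a list of (prefix, next_hop). Returns the best
    (prefix, next_hop) pair, or None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def trace(devices: dict, start: str, dst: str, max_hops: int = 8):
    """Follow dst hop by hop through the devices' tables. Returns (outcome, path):
    outcome is the egress label reached (e.g. 'vpn-tunnel'), or 'loop', 'no-route',
    or 'too-many-hops'."""
    path = [start]
    device = start
    while len(path) <= max_hops:
        route = lookup(devices[device], dst)
        if route is None:
            return "no-route", path
        next_hop = route[1]
        if next_hop not in devices:  # an egress rather than another device we model
            return next_hop, path
        if next_hop in path:         # revisiting a device means the packet circulates
            return "loop", path + [next_hop]
        path.append(next_hop)
        device = next_hop
    return "too-many-hops", path


def build_devices(core_has_static: bool, asa_points_back: bool = False) -> dict:
    """Constructed tables (assumptions): core -> default to Sonicwall; ASA -> tunnel for the
    remote subnet; Sonicwall -> WAN default. Flags add the thread's fix and the loop case."""
    core = [("172.22.45.0/24", CONNECTED), ("0.0.0.0/0", SONICWALL)]
    if core_has_static:
        core.append(ios_static("192.168.15.0", "255.255.255.0", ASA))
    asa = [("172.22.45.0/24", CONNECTED)]
    # Hypothetical misconfiguration: a redistributed route on the ASA pointing back at the core.
    asa.append(("192.168.15.0/24", CORE if asa_points_back else "vpn-tunnel"))
    sonicwall = [("172.22.45.0/24", CONNECTED), ("0.0.0.0/0", "wan-default")]
    return {CORE: core, ASA: asa, SONICWALL: sonicwall}


def return_path(core_has_static: bool, asa_points_back: bool = False):
    """Where does a reply from the LAN to REMOTE_HOST end up, starting at the core?"""
    return trace(build_devices(core_has_static, asa_points_back), CORE, REMOTE_HOST)


if __name__ == "__main__":
    print("before static route:", return_path(False))   # reply leaks toward the WAN default
    print("after static route: ", return_path(True))    # reply reaches the ASA's tunnel
    print("static + ASA pointing back:", return_path(True, asa_points_back=True))  # loop
```

Run it as-is and the three traces show why the reply never came back before the route was added, why it works once the core forwards 192.168.15.0/24 to the ASA, and what the loop warning in the replies looks like when the ASA's route for that subnet points back at the core.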