ASA VPN Cannot ping across split Tunnel

chris.bias
Level 1

Hello little bit of a newbie when it comes to Cisco ASA and setting up the VPN but I have it configured but not able to ping anything internally. Please advise if you need to see my config I will be happy to provide it.

51 Replies

@SinghRaminder and @MHM Cisco World ahhh! I guess I should have mentioned that, my apologies. The 172.22.45.254 is our Sonicwall firewall system.

pn# packet-tracer input outside tcp 192.168.15.20 12345 172.22.45.X 80 detail <- any ip other than ASA interface IP

@MHM Cisco World and @SinghRaminder I did it to the Sonicwall Firewall device, see below:

vpn# packet-tracer input outside tcp 192.168.15.20 12345 172.22.45.254 80 deta$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 172.22.45.254 using egress ifc inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.22.45.0_24 NETWORK_OBJ_172.22.45.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 172.22.45.254/80 to 172.22.45.254/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group acl_outside in interface outside
access-list acl_outside extended deny ip any4 any4
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f9d64269e00, priority=13, domain=permit, deny=true
hits=13886, user_data=0x7f9d754a8980, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055e35b571b00 flow (NA)/NA

vpn#

This is normal, since the packet-tracer command will look at the ACL. But your actual traffic will bypass the Outside ACL, as you have sysopt permit vpn in your configuration.

Chris, check your routing. You need to fix that. Your return traffic is going to the Sonic Wall, which has nothing to do with what we have been presented with so far. I am unable to understand your architecture and scenario here: where in the picture are the ASA and the Sonicwall?

At this moment we do not know the big picture. One thing you can do to test is add ip route 192.168.15.10 255.255.255.255 172.22.45.13 on the device with IP 172.22.45.1.


Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer
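As an added example (not from this thread or from Cisco), here is a small Python parser for packet-tracer output like the transcript posted above. It splits the trace into phases, reports the first DROP phase, and applies the caveat from the reply above: an ACL drop on the VPN ingress interface does not stop real decrypted traffic when sysopt connection permit-vpn is configured. The abbreviated sample trace, the regex names and the sysopt_permit_vpn flag are assumptions made for this example.

```python
import re

# Constructed sample in the shape of the packet-tracer transcript posted above.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group acl_outside in interface outside
access-list acl_outside extended deny ip any4 any4

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0 flow (NA)/NA
"""

HEADER = re.compile(r"^(Phase|Type|Subtype|Result): (.*)$", re.M)
CONFIG = re.compile(r"^Config:\n?(.*?)(?=^Additional Information:|\Z)", re.S | re.M)

def parse_trace(trace):
    """Return ([phase dicts], final Result dict) from a packet-tracer transcript."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", trace.strip()):
        if block.startswith("Result:"):  # trailing summary block, not a phase
            summary = dict(l.split(": ", 1) for l in block.splitlines()[1:] if ": " in l)
            continue
        phase = {k.lower(): v.strip() for k, v in HEADER.findall(block)}
        phase["phase"] = int(phase["phase"])
        m = CONFIG.search(block)
        phase["config"] = m.group(1).splitlines() if m else []
        phases.append(phase)
    return phases, summary

def drop_verdict(trace, sysopt_permit_vpn):
    """Name the first DROP phase and say whether it really stops decrypted VPN traffic."""
    phases, summary = parse_trace(trace)
    p = next((p for p in phases if p.get("result") == "DROP"), None)
    if p is None:
        return "allow", None
    ingress = f"in interface {summary.get('input-interface')}"
    if sysopt_permit_vpn and p["type"] == "ACCESS-LIST" and any(ingress in c for c in p["config"]):
        # packet-tracer still evaluates the ingress ACL, but with 'sysopt connection
        # permit-vpn' decrypted VPN flows bypass it, as the reply above explains
        return "acl-drop-bypassed-for-vpn", p["phase"]
    return summary.get("Drop-reason", "drop"), p["phase"]
```

Run drop_verdict(SAMPLE_TRACE, True) against a real trace to see whether the reported acl-drop would actually affect tunnelled traffic; any other drop reason (routing, NAT) is reported as-is because it does apply.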

@chris.bias @MHM Cisco World and you may want to check routing between 172.22.45.13 and 172.22.45.1, if any routing protocol is running or you are redistributing any static from 172.22.45.1, to avoid any loop.

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer

@SinghRaminder and @MHM Cisco World okay, so adding the ip route 192.168.15.10 255.255.255.255 172.22.45.13 made the remote VPN device start talking to 172.22.45.1:

shv_core_stack#config t
Enter configuration commands, one per line. End with CNTL/Z.
shv_core_stack(config)#ip route 192.168.15.0 255.255.255.0 172.22.45.13
shv_core_stack(config)#exi
shv_core_stack#config t
Enter configuration commands, one per line. End with CNTL/Z.
shv_core_stack(config)#$2.168.15.0 255.255.255.0 172.22.45.0 255.255.255.0
ip route 192.168.15.0 255.255.255.0 172.22.45.0 255.255.255.0
^
% Invalid input detected at '^' marker.

shv_core_stack(config)#$2.168.15.0 255.255.255.0 172.22.45.0
shv_core_stack(config)#

Glad it is working, but you may want to check routing between 172.22.45.13 and 172.22.45.1, if any routing protocol is running or you are redistributing any static from 172.22.45.1, to avoid any loop.

Thanks
Raminder
PS: If this answered your question, please don't forget to rate and select as validated answer