Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6764
Views
0
Helpful
8
Replies

ASA VPN Cannot ping across tunnel

Joe Mullis
Level 1
Level 1

‎01-24-2018 11:48 PM - edited ‎03-12-2019 04:57 AM

I have a VPN I am setting up for our phone company to allow access from our main office to our satellite to connect their equipment. I am using Cisco ASA's at both end. I have the tunnel up but cannot ping across the tunnel. Probably should mention there is actually 2 VPN's one is used for a connection to a different site for other reasons. I suspect my issue is NAT but I am not sure. local Object networks I am working with for this VPN is named " phones" remote object network is "remote-phones"  please take a look at my config and let me know what I am doing wrong. I am also not 100% sure the other VPN is passing traffic correctly either since NAT rules are pretty much the same. 

 

 

Labels:
Preview file
6 KB
0 Helpful
8 Replies 8

Joe Mullis
Level 1
Level 1

‎01-25-2018 12:03 AM - edited ‎01-25-2018 03:50 AM


IKEv1 SAs:

Active SA: 2

Here is the output of the sh cry isa sa 

 

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 6.6.6.6
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 7.7.7.7.
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

0 Helpful

mvsheik123
Level 7
Level 7
In response to Joe Mullis

‎01-25-2018 03:31 AM

Hi,

Quick check on config...'outside interface' and 'default route got same IP...

 

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 5.5.5.5 255.255.255.252

!

route outside 0.0.0.0 0.0.0.0 5.5.5.5  ---> This needs to be next hop IP : route outside 0.0.0.0 0.0.0.0 5.5.5.6 1

-> Does not seem to be an issue with your config, but consider using 'inspect icmp' under class_map at the end instead of ACL on the outside interface.

 

Try with these and post results back.

hth

MS 

 

   

0 Helpful

Joe Mullis
Level 1
Level 1
In response to mvsheik123

‎01-25-2018 03:48 AM

Yes my apologies, that isn’t that actual IP address. When I was replacing
IPs with random ones for security reasons I accidentally put the same IP in
for interface and default gateway. In real config they are different and
also correct.
0 Helpful

mvsheik123
Level 7
Level 7
In response to Joe Mullis

‎01-25-2018 03:53 AM

I though so.. just wanted to make sure. 1. Check tunnel forms successfully  2. Do a 'debug icmp trace' on both side devices and see if you see 'ping' traffic passing the tunnel.

 

Thx

MS

0 Helpful

Joe Mullis
Level 1
Level 1
In response to mvsheik123

‎01-25-2018 02:08 PM - edited ‎01-25-2018 03:04 PM

 

Here are the results from side 2 back to side 1, looks like the traffic is going out the WAN and not staying internal. i have delete the last two octets for security purposes.

 

Ochoa2# ping 192.168.42.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.42.20, timeout is 2 seconds:
ICMP echo request from 76.81.x.x to 192.168.42.20 ID=1183 seq=31008 len=72
?ICMP echo request from 76.81.x.x to 192.168.42.20 ID=1184 seq=31008 len=72
?ICMP echo request from 76.81.x.x to 192.168.42.20 ID=1185 seq=31008 len=72
?ICMP echo request from 76.81.x.xto 192.168.42.20 ID=1186 seq=31008 len=72
?ICMP echo request from x.xto 192.168.42.20 ID=1187 seq=31008 len=72

It just dawned on me, do I need a static route telling the asa where to find the remote network? I have a default route telling everything to go out the WAN.

 

Ive read you dont need static routes with the ACL's, Maybe i need to move my deny any any acl to the bottom ?

 

access-list ACL-OUTSIDE-IN extended permit icmp any any echo-reply
access-list ACL-OUTSIDE-IN extended deny ip any any
access-list outside_1_cryptomap extended permit ip 172.12.54.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.12.54.0 255.255.255.0 10.0.7.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.12.54.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.12.54.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.12.54.0 255.255.255.0 10.200.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.12.54.0 255.255.255.0 host 172.23.1.87
access-list ACL-INSIDE-IN extended permit ip object-group OBJ-INSIDE-NETWORKS any
access-list outside_2_cryptomap extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
Ochoa2#
Ochoa2#
Ochoa2#

0 Helpful

Joe Mullis
Level 1
Level 1
In response to Joe Mullis

‎01-25-2018 02:25 PM

Maybe my access-lists are misconfigured? I am finding some things on the cisco forums that say they should look more like this 

 

access-list outside_2_cryptomap extended permit "Local VPN IP Range " object-group " remote object group"

 

I am currently doing the destination as the remote ip addresses im trying to reach ? 

0 Helpful

mvsheik123
Level 7
Level 7
In response to Joe Mullis

‎01-25-2018 05:48 PM

Hi,

1. ACL direction is fine. You remove outside ACL and can add inspect icmp.

2. Having default route is good enough.. as ASA send traffic to unknown network to default route.

3. How you initiated Ping?  If it is from inside PC, then VPN does not seem to work fine.  

4. Post show vpn-sessiondb output. Also, if ping not initiated from a PC internal, try that.

 

hth

MS

0 Helpful

Oleg Barkov
Level 1
Level 1

‎07-08-2020 03:11 PM

management-access inside

icmp permit any inside

0 Helpful
Customers Also Viewed These Support Documents