B2B VPN BGP over IPsec: can't ping/ssh across tunnel

oriongruca
Beginner

Hi

I am hoping that I can get some guidance on getting this lab up and running. I am trying to run BGP over IPsec between two ASAs in routed mode and pass traffic over it. I have successfully got BGP up and running over the IPsec from what I can tell, using a VTI on the ASAs. However, I am unable to ping from a client on each side across the VPN tunnel. I have enabled ICMP inspection on the ASAs. The debug output on the ASA when I do try to ping from a src at 20.1.1.2 to dst 20.2.1.2 shows:

Sep 25 2022 04:00:38: %ASA-7-713906: IKE Receiver: Packet received on 10.1.1.5:500 from 10.2.1.5:500
Sep 25 2022 04:00:48: %ASA-7-713906: IKE Receiver: Packet received on 10.1.1.5:500 from 10.2.1.5:500
Sep 25 2022 04:01:02: %ASA-3-106014: Deny inbound icmp src inside:20.1.1.2 dst vti:20.2.1.2 (type 8, code 0)
Sep 25 2022 04:01:03: %ASA-7-710005: UDP request discarded from 10.1.1.2/45537 to outside:255.255.255.255/53
Sep 25 2022 04:01:03: %ASA-3-106014: Deny inbound icmp src inside:20.1.1.2 dst vti:20.2.1.2 (type 8, code 0)
Sep 25 2022 04:01:04: %ASA-3-106014: Deny inbound icmp src inside:20.1.1.2 dst vti:20.2.1.2 (type 8, code 0)
Sep 25 2022 04:01:07: %ASA-7-710005: UDP request discarded from 10.1.1.2/10043 to outside:255.255.255.255/53

[Attachment: Screen Shot 2022-09-25 at 2.04.30 pm.png]

Any suggestions would be great.

Thank You.

Accepted Solution

oriongruca
Beginner

Hazahhh...Awesome

That did the trick, thank you for taking the time to respond. So obvious now.

Thank You


2 Replies

Rob Ingram
VIP Expert

@oriongruca your security levels are incorrect on the inside and outside interfaces; the outside interface should have a security level of 0 and the inside interface should have 100. Traffic sourced from an interface with a lower security level to an interface with a higher security level will be denied, unless there is an ACL explicitly permitting the traffic.

Change the security level on both ASAs as below.

interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
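
As an added example (not code from the thread or from Cisco), the script below parses the %ASA-3-106014 deny lines from the question and checks whether a given set of interface security levels explains them, using the default ASA rule described above: higher-to-lower is allowed, lower-to-higher needs an ACL permit, and equal levels need `same-security-traffic permit inter-interface`. The interface levels are assumptions: the VTI's nameif is taken to be `vti` at level 0, the broken lab is modelled with inside and outside swapped, and the fixed set is the answer's 100/0.

```python
import re

# Constructed sample: three lines copied from the debug output in the question.
SAMPLE_LOG = """\
Sep 25 2022 04:01:02: %ASA-3-106014: Deny inbound icmp src inside:20.1.1.2 dst vti:20.2.1.2 (type 8, code 0)
Sep 25 2022 04:01:03: %ASA-7-710005: UDP request discarded from 10.1.1.2/45537 to outside:255.255.255.255/53
Sep 25 2022 04:01:03: %ASA-3-106014: Deny inbound icmp src inside:20.1.1.2 dst vti:20.2.1.2 (type 8, code 0)
"""

# %ASA-3-106014 carries the source/destination interface names and addresses.
DENY_RE = re.compile(
    r"%ASA-3-106014: Deny inbound icmp src (?P<src_if>[^:\s]+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

def parse_icmp_denies(log: str) -> list[dict]:
    """Return every 106014 ICMP deny in a syslog excerpt; other messages are skipped."""
    out = []
    for line in log.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["type"], d["code"] = int(d["type"]), int(d["code"])
            out.append(d)
    return out

def classify_flow(levels: dict[str, int], src_if: str, dst_if: str,
                  acl_permits: bool = False) -> str:
    """Simplified ASA interface policy (an inbound ACL that replaces the implicit
    rules is not modelled): higher->lower allowed, lower->higher needs an ACL permit,
    equal levels need 'same-security-traffic permit inter-interface'."""
    src, dst = levels[src_if], levels[dst_if]
    if acl_permits or src > dst:
        return "permitted"
    if src == dst:
        return "denied: equal security levels without same-security-traffic permit"
    return "denied: lower-to-higher security level without an ACL permit"

def explain_denies(log: str, levels: dict[str, int]) -> list[tuple[str, str, str]]:
    """For each distinct (src_if, dst_if) pair in the denies, give the model's verdict."""
    results, seen = [], set()
    for d in parse_icmp_denies(log):
        key = (d["src_if"], d["dst_if"])
        if key not in seen:
            seen.add(key)
            results.append((key[0], key[1], classify_flow(levels, *key)))
    return results

# Assumed configurations (not on the page): 'vti' at level 0; broken lab has
# inside/outside swapped; fixed set is the answer's inside=100 / outside=0.
BROKEN = {"inside": 0, "outside": 100, "vti": 0}
FIXED = {"inside": 100, "outside": 0, "vti": 0}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, explain_denies(SAMPLE_LOG, cfg))
```

With the fixed levels the logged inside-to-vti flow is permitted, while return traffic arriving on the VTI toward inside still needs an ACL permit on the tunnel interface, which is what `classify_flow(FIXED, "vti", "inside")` reports.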
