cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
711
Views
0
Helpful
2
Replies
dannyunger
Beginner

Can't ping across remote sites

I'm working with a client who has an ASA that has site-to-site IPSec VPN connections to both an Azure environment as well as a Rackspace environment. They can access either environment from the office, but servers in Azure are unable to ping to servers at Rackspace and vice versa. I've tried everything that I know of as well as everything I've found while searching but I still cannot get this to work. Any help is greatly appreciated. 

 

Pared down config:

 

ASA Version 8.4(3) 

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address ********** 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0 standby 10.2.0.2 
!
interface GigabitEthernet0/2
 shutdown

 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2 
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
same-security-traffic permit intra-interface

object network RackSpace-network
 subnet 192.168.100.0 255.255.252.0

object-group network azure-networks
 network-object 172.16.16.0 255.255.252.0

object-group network onprem-networks
 network-object 10.10.0.0 255.255.0.0
 network-object object 10.35.0.0
 network-object object 10.250.250.0

object-group network azure-onprem-networks
 network-object 10.10.0.0 255.255.0.0
 network-object 10.35.0.0 255.255.252.0
 network-object 10.250.250.0 255.255.255.0

access-list inside_access_in extended permit ip 10.0.0.0 255.0.0.0 object RackSpace-network 
access-list inside_access_in extended permit ip any object-group azure-networks 

access-list VPNsplitTunnelAcl standard permit 10.0.0.0 255.0.0.0 
access-list VPNsplitTunnelAcl standard permit 192.168.100.0 255.255.255.0 
access-list VPNsplitTunnelAcl standard permit 172.16.16.0 255.255.252.0 

access-list outside1_access_in extended permit ip object RackSpace-network 10.10.0.0 255.255.0.0 

access-list outside_cryptomap extended permit ip object-group onprem-networks object RackSpace-network
access-list outside_cryptomap extended permit ip object group onprem-networks object RackSpace-network
 
access-list azure-vpn-acl extended permit ip object-group azure-onprem-networks object-group azure-networks 

nat (inside,outside) source static onprem-networks onprem-networks destination static RackSpace-network RackSpace-network

nat (inside,outside) source static azure-onprem-networks azure-onprem-networks destination static azure-networks azure-networks

nat (outside,outside) source static RackSpace-network RackSpace-network destination static azure-networks azure-networks
     

2 REPLIES 2
Andrew Phirsov
Rising star

I've been away a little bit, so may be not so accurate.

Check that crypto-map on each remote location includes in crypto ACL subnet for corresponding locations. I.e. crypto acl in Rackspace  should include ACL for subnet in Azure and vice versa. Then check corresponding nat-exception strings on both sides.

Also, possibly you sould enter same security traffic permit intra-interface command on central side.

Just first things that came to my mind

Andrew

Unfortunately I do not have much control over the Azure end of things. Microsoft spits out a config to connect to their endpoint in Azure and that's all you get. There is an actual ASA residing at Rackspace that can be configured how I want. I think it is just a NAT issue at the central office, as I can resolve IP addresses from end to end, I just cannot get a ping to go across and come back.

I do have the same-security-traffic permit intra-interface command set on the ASA at the central location.

Create
Recognize Your Peers
Content for Community-Ad