10-29-2012 03:11 PM - edited 02-21-2020 06:26 PM
[Apologies if you've already seen this message in other forums.]
Hi,
I have a very basic lab site-to-site VPN setup where I have an ASA 5505 running v7.2(4) on one side and a cisco 2811 on the other side.
What's my issue?
I can't seem to ping from the cisco router to the 'inside' network of the ASA (see config below), and can't seem to ping from the ASA with packets leaving the 'inside' interface to the cisco router even w/ an ICMP ACL permitting outside in. However, I'm able to ping within the ASA inside network & ping the cisco 2811 side w/ packets leaving the ASA 'outside' interface just fine.
example:
-------
ciscoasa# ping inside 10.20.20.1 (to cisco loopback1 from ASA inside)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa# ping outside 10.20.20.1 (to cisco loopback1 from ASA outside interface)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
same-security-traffic permit intra-interface
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list outgoing extended permit ip any any
access-list outgoing extended permit icmp any any
access-list incoming extended permit icmp any any
access-list incoming extended permit icmp any any unreachable
access-list incoming extended permit icmp any any echo-reply
access-list incoming extended permit icmp any any time-exceeded
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.50.0 255.255.255.0
access-group outgoing in interface inside
access-group incoming in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ASA5505 esp-aes esp-md5-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.1.1
crypto map outside_map 1 set transform-set ASA5505
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e567558c7b91b38da8286168c20745c8
: end
; cisco 2811 config:
------------------
HUB-RTR-2811#
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HUB-RTR-2811
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-11.XJ4.bin
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
no network-clock-participate wic 0
!
!
ip cef
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
crypto pki trustpoint TP-self-signed-2814333580
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2814333580
revocation-check none
rsakeypair TP-self-signed-2814333580
!
!
crypto pki certificate chain TP-self-signed-2814333580
certificate self-signed 01
quit
!
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
vlan internal allocation policy ascending
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.1.2
!
!
crypto ipsec transform-set 2811 esp-aes esp-md5-hmac
!
crypto map MYMAP 1 ipsec-isakmp
set peer 192.168.1.2
set security-association lifetime seconds 86400
set transform-set 2811
set pfs group2
match address net-local-to-remote
!
interface Loopback1
desc inside network
ip address 10.20.20.1 255.255.255.0
!
interface FastEthernet0/0
description connection to ASA5505 ipsec tunnel
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:0
no ip address
shutdown
!
interface Serial0/0/1:0
no ip address
shutdown
!
interface Serial0/2/0
no ip address
shutdown
!
interface FastEthernet1/0
no switchport
no ip address
duplex full
speed 100
!
interface FastEthernet1/1
no switchport
no ip address
shutdown
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
no switchport
no ip address
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
!
no ip http server
no ip http secure-server
!
ip access-list extended net-local-to-remote
permit ip 10.20.20.0 0.0.0.255 192.168.50.0 0.0.0.255
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
; Prior to the tunnel coming up on 2811
--------------------------------------
HUB-RTR-2811#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: DOWN
Peer: 192.168.1.2 port 500
IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 192.168.50.0/255.255.255.0
Active SAs: 0, origin: crypto map
; Pushing interesting traffic via ping on the 2811 w/ no response; however, the ipsec tunnel comes up.
-----------------------------------------------------------------------------------------
HUB-RTR-2811#ping 192.168.50.1 source loopback1 (pinging towards inside of ASA)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.1
.....
Success rate is 0 percent (0/5)
HUB-RTR-2811#ping 192.168.50.1 source loopback1 (pinging towards inside of ASA)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.1
.....
Success rate is 0 percent (0/5)
; ipsec tunnel comes up even though ping fails
--------------------------------------------
HUB-RTR-2811#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 192.168.50.0/255.255.255.0
Active SAs: 2, origin: crypto map
Any insight/pointers will be appreciated.
regards,
sky
10-29-2012 04:20 PM
Hello Sky,
Do the following on the ASA:
Fixup protocol ICMP
management-access inside
Then try to ping
Regards,
10-29-2012 08:35 PM
Hi,
Tried the above commands to no avail. See output below.
ciscoasa# ping inside 10.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
HUB-RTR-2811#ping 192.168.50.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
HUB-RTR-2811#ping 192.168.50.1 source loopback1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.1
.....
Success rate is 0 percent (0/5)
regards,
sky
10-30-2012 02:28 AM
Are you able to ping without the VPN up?
And if yes, then what do you see in phase 2, in the "sh cry ipsec sa" output, when you ping from the firewall, on both sides?
Put the output of "sh run | in management" and "sh run policy-map" from the ASA.
10-30-2012 08:38 AM
Hi,
Answers to your questions below:
Are you able to ping without the VPN up?
-----------------------
yes from ASA side but not from cisco router side:
ciscoasa# show cry ipsec sa
There are no ipsec sas
ciscoasa# ping 10.20.20.1 (pinging cisco loopback1)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa# show cry ipsec sa
There are no ipsec sas
ciscoasa# ping 192.168.1.1 (pinging cisco router interface)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# show cry ipsec sa
There are no ipsec sa
And if yes, then what do you see in phase 2, in the "sh cry ipsec sa" output, when you ping from the firewall, on both sides?
----------------------------------
no but output included:
ciscoasa# show cry ipsec sa
There are no ipsec sa
HUB-RTR-2811#ping 192.168.1.2 (pinging ASA outside interface)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
HUB-RTR-2811#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: DOWN
Peer: 192.168.1.2 port 500
IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 192.168.50.0/255.255.255.0
Active SAs: 0, origin: crypto map
HUB-RTR-2811#ping 192.168.50.1 (pinging ASA inside interface)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
HUB-RTR-2811#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: DOWN
Peer: 192.168.1.2 port 500
IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 192.168.50.0/255.255.255.0
Active SAs: 0, origin: crypto map
HUB-RTR-2811#ping 192.168.50.1 source loopback1 (pinging ASA inside sourced from cisco loopback1)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.1
.....
Success rate is 0 percent (0/5)
HUB-RTR-2811#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 192.168.1.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Inactive
IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 192.168.50.0/255.255.255.0
Active SAs: 0, origin: crypto map
Put the output of "sh run | in management" and "sh run policy-map" from the ASA.
-------------------------------
ciscoasa# show run | in management
management-access inside
ciscoasa# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
regards,
sky
10-31-2012 01:57 AM
It is good if you are able to ping from the ASA to the router without the VPN, as you can't ping from the router to the inside interface of the ASA, which is already blocked. So the concept is that you can't ping any interface across the firewall: if you are on a PC in the inside zone, from that PC you can ping the inside interface but not the outside interface; however, from the same PC you can ping any PC which is in the outside zone. And this management-access for inside will work only when the tunnel is up or if traffic is crossing over the VPN; then the management-access command lets you ping from outside to the inside interface only.
Now, since you are able to ping from the ASA inside to the router loopback, we should focus on the VPN tunnel. Please give me the output of "sh cry isa sa" and "sh cry ipsec sa" after initiating the ping from the ASA side, and try to disable PFS and try again.
Your ping from the ASA to initiate the tunnel should be "ping inside 10.20.20.1".
11-03-2012 08:40 AM
After removing and re-applying the following statements on the ASA, I'm now able to reach both sides of the tunnel!
crypto map outside_map 1 match address outside_1_cryptomap
management-access inside
regards,
sky
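The statement that resolved the thread, `crypto map outside_map 1 match address outside_1_cryptomap`, is absent from the ASA config posted at the top: sequence 1 of the crypto map has a peer, a transform set and PFS but no interesting-traffic ACL, so the ASA never had a selector to negotiate for Phase 2. As an added example (not code from the thread or from Cisco), the Python below lints an ASA config for crypto map sequences missing `set peer`, `set transform-set` or `match address`, and checks that the ASA crypto ACL (netmask form) is the exact mirror of the router's crypto ACL (IOS wildcard form). The sample config lines are copied from the posts; the function names are my own.

```python
import re
from ipaddress import IPv4Network

# Constructed sample input: the crypto-ACL and crypto-map lines from the ASA
# config in the thread, before the fix (no 'match address' on sequence 1).
ASA_CFG = """\
access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 10.20.20.0 255.255.255.0
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.1.1
crypto map outside_map 1 set transform-set ASA5505
crypto map outside_map interface outside
"""
# Constructed sample input: the 2811's crypto ACL entry (IOS wildcard-mask form).
IOS_ACL = "permit ip 10.20.20.0 0.0.0.255 192.168.50.0 0.0.0.255"

# Every crypto map sequence needs a peer, a transform set and an interesting-traffic ACL.
REQUIRED = ("set peer", "set transform-set", "match address")

def lint_asa_crypto_map(cfg):
    """Return one finding per required statement missing from a crypto map sequence."""
    entries = {}
    for line in cfg.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) (match address|set \S+)", line)
        if m:  # the 'crypto map NAME interface X' binding has no sequence and is skipped
            entries.setdefault((m[1], m[2]), set()).add(m[3])
    findings = []
    for (name, seq), stmts in sorted(entries.items()):
        for req in REQUIRED:
            if not any(s.startswith(req) for s in stmts):
                findings.append(f"crypto map {name} {seq}: missing '{req}'")
    return findings

def asa_acl_flows(cfg, acl_name):
    """(src, dst) networks from 'access-list NAME extended permit ip SRC MASK DST MASK' lines."""
    pat = rf"access-list {re.escape(acl_name)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return {(IPv4Network(f"{m[1]}/{m[2]}"), IPv4Network(f"{m[3]}/{m[4]}"))
            for m in re.finditer(pat, cfg)}

def ios_acl_flows(acl_text):
    """(src, dst) networks from IOS 'permit ip SRC WILDCARD DST WILDCARD'; IPv4Network takes host masks."""
    return {(IPv4Network(f"{m[1]}/{m[2]}"), IPv4Network(f"{m[3]}/{m[4]}"))
            for m in re.finditer(r"permit ip (\S+) (\S+) (\S+) (\S+)", acl_text)}

def acls_mirror(asa_flows, ios_flows):
    """True when the router's ACL is exactly the ASA's ACL with src and dst swapped."""
    return {(dst, src) for src, dst in asa_flows} == ios_flows

if __name__ == "__main__":
    print(lint_asa_crypto_map(ASA_CFG))  # ["crypto map outside_map 1: missing 'match address'"]
    print(acls_mirror(asa_acl_flows(ASA_CFG, "outside_1_cryptomap"), ios_acl_flows(IOS_ACL)))  # True
```

Run it against a full `show run` and the router's `ip access-list` body to catch both the missing `match address` and any asymmetric proxy identity before a tunnel is brought up.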