
Can't ping from outside to inside, site-to-site ipsec asa to cisco

sky_vader
Level 1

[Apologies if you've already seen this message in other forums.]

Hi,


I have a very basic lab site to site vpn setup where I have a ASA 5505 running v7.2(4) on one side and a cisco 2811 on the other side.


What's my issue?


I can't seem to ping from the Cisco router to the 'inside' network of the ASA (see config below), and I can't seem to ping from the ASA to the Cisco router with packets leaving the 'inside' interface, even with an ICMP ACL permitting outside in. However, I'm able to ping within the ASA inside network and ping the Cisco 2811 side with packets leaving the ASA 'outside' interface just fine.

example:

-------

ciscoasa# ping inside 10.20.20.1 (to cisco loopback1 from ASA inside)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa# ping outside 10.20.20.1 (to cisco loopback1 from ASA outside interface)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# show run

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.50.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.1.2 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown    

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

same-security-traffic permit intra-interface

access-list nonat extended permit ip 192.168.50.0 255.255.255.0 10.20.20.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 10.20.20.0 255.255.255.0

access-list outgoing extended permit ip any any

access-list outgoing extended permit icmp any any

access-list incoming extended permit icmp any any

access-list incoming extended permit icmp any any unreachable

access-list incoming extended permit icmp any any echo-reply

access-list incoming extended permit icmp any any time-exceeded

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.50.0 255.255.255.0

access-group outgoing in interface inside

access-group incoming in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ASA5505 esp-aes esp-md5-hmac

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 192.168.1.1

crypto map outside_map 1 set transform-set ASA5505

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

console timeout 0

tunnel-group 192.168.1.1 type ipsec-l2l

tunnel-group 192.168.1.1 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e567558c7b91b38da8286168c20745c8

: end

; cisco 2811 config:

------------------

HUB-RTR-2811#

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname HUB-RTR-2811

!

boot-start-marker

boot system flash:c2800nm-adventerprisek9-mz.124-11.XJ4.bin

boot-end-marker

!

logging buffered 51200 warnings

!

no aaa new-model

no network-clock-participate wic 0

!

!

ip cef

!

!

no ip domain lookup

!

multilink bundle-name authenticated

!

!

voice-card 0

no dspfarm

!

!

crypto pki trustpoint TP-self-signed-2814333580

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2814333580

revocation-check none

rsakeypair TP-self-signed-2814333580

!

!

crypto pki certificate chain TP-self-signed-2814333580

certificate self-signed 01

30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 32383134 33333335 3830301E 170D3132 30323230 32303339

30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38313433

33333538 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100C499 0DC0E3DA 208E0AA9 4F97E9F5 8C763232 DDFBAE93 BA44EAED 456E8B5E

1253F5C2 E84E4718 F3371C84 1F9A687E E4C3B422 DAD4AAFA 06378D22 74CBB1B4

C7946A78 347B0999 82857B13 797E57FE B3EECCDB 2C64F831 C2405D8D 37AF6044

99E45243 B6C04972 E558EF9B D2CFA990 C1813329 6FD120E9 CB9050E1 16E02F3D

ACBB0203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603

551D1104 10300E82 0C485542 2D525452 2D323831 31301F06 03551D23 04183016

801493C4 BA29E1DF 658929BF 57BBC58C 53974EB8 7472301D 0603551D 0E041604

1493C4BA 29E1DF65 8929BF57 BBC58C53 974EB874 72300D06 092A8648 86F70D01

01040500 03818100 5EE53EC6 C6E77238 E4C8409B 0372EFA5 C413316F 9725372D

3F0F2362 37E4E870 09A1E109 EE5A78DD 6BD46334 9831A0A1 33FC3EE8 B5DADE15

F288817A B88044C5 9EAA69DF FF76CE52 B161E1CD C85C3F9D 776F87B2 B874DA42

35B160D7 92A0E439 B1C2D4BA 3D13206C 9547D3B3 81A74925 A453DE1B D003E2D8

B7AB0C47 FED8B737

quit

!

!

controller T1 0/0/0

framing esf

linecode b8zs

channel-group 0 timeslots 1-24

!

controller T1 0/0/1

framing esf

linecode b8zs

channel-group 0 timeslots 1-24

vlan internal allocation policy ascending

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key cisco address 192.168.1.2

!

!

crypto ipsec transform-set 2811 esp-aes esp-md5-hmac

!

crypto map MYMAP 1 ipsec-isakmp

set peer 192.168.1.2

set security-association lifetime seconds 86400

set transform-set 2811

set pfs group2

match address net-local-to-remote

!

interface Loopback1

desc inside network

ip address 10.20.20.1 255.255.255.0

!

interface FastEthernet0/0

description connection to ASA5505 ipsec tunnel

ip address 192.168.1.1 255.255.255.0

duplex auto

speed auto

crypto map MYMAP

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/0/0:0

no ip address

shutdown

!

interface Serial0/0/1:0

no ip address

shutdown

!

interface Serial0/2/0

no ip address

shutdown

!

interface FastEthernet1/0

no switchport

no ip address

duplex full

speed 100

!

interface FastEthernet1/1

no switchport

no ip address

shutdown

!

interface FastEthernet1/2

!

interface FastEthernet1/3

!

interface FastEthernet1/4

!

interface FastEthernet1/5

!

interface FastEthernet1/6

!

interface FastEthernet1/7

!

interface FastEthernet1/8

!

interface FastEthernet1/9

!

interface FastEthernet1/10

!

interface FastEthernet1/11

no switchport

no ip address

!

interface FastEthernet1/12

!

interface FastEthernet1/13

!

interface FastEthernet1/14

!

interface FastEthernet1/15

!

interface Vlan1

no ip address

shutdown

!

ip route 0.0.0.0 0.0.0.0 192.168.1.2

!

!

no ip http server

no ip http secure-server

!

ip access-list extended net-local-to-remote

permit ip 10.20.20.0 0.0.0.255 192.168.50.0 0.0.0.255

!

control-plane

!

line con 0

logging synchronous

line aux 0

line vty 0 4

privilege level 15

logging synchronous

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

!

end

; Prior to the tunnel coming up on 2811

--------------------------------------


HUB-RTR-2811#show crypto session

Crypto session current status


Interface: FastEthernet0/0

Session status: DOWN

Peer: 192.168.1.2 port 500

IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 192.168.50.0/255.255.255.0

Active SAs: 0, origin: crypto map

; Pushing interesting traffic via ping on 2811 w/ no response, however ipsec tunnel comes up.

-----------------------------------------------------------------------------------------


HUB-RTR-2811#ping 192.168.50.1 source loopback1 (pinging towards inside of ASA)


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

Packet sent with a source address of 10.20.20.1

.....

Success rate is 0 percent (0/5)



HUB-RTR-2811#ping 192.168.50.1 source loopback1 (pinging towards inside of ASA)


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

Packet sent with a source address of 10.20.20.1

.....

Success rate is 0 percent (0/5)

; ipsec tunnel comes up even though ping fails

--------------------------------------------


HUB-RTR-2811#show crypto session

Crypto session current status


Interface: FastEthernet0/0

Session status: UP-ACTIVE

Peer: 192.168.1.2 port 500

IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active

IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 192.168.50.0/255.255.255.0

Active SAs: 2, origin: crypto map



Any insight/pointers will be appreciated.

regards,

sky

6 Replies

Julio Carvajal
VIP Alumni

Hello Sky,

Do the following on the ASA:

fixup protocol icmp

management-access inside

Then try to ping

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Tried the above commands to no avail. See output below.

ciscoasa# ping inside 10.20.20.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

HUB-RTR-2811#ping 192.168.50.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

HUB-RTR-2811#ping 192.168.50.1 source loopback1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

Packet sent with a source address of 10.20.20.1

.....

Success rate is 0 percent (0/5)

regards,

sky

Are you able to ping without the VPN up?

And if yes, then what do you see in phase 2, in the "sh cry ipsec sa" output, when you ping from the firewall, on both sides?

Put the output of "sh run | in management" and "sh run policy-map" from the ASA.

Hi,

Answers to your questions below:

Are you able to ping without the VPN up?

-----------------------

yes from ASA side but not from cisco router side:

ciscoasa# show cry ipsec sa

There are no ipsec sas

ciscoasa# ping 10.20.20.1 (pinging cisco loopback1)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ciscoasa# show cry ipsec sa

There are no ipsec sas

ciscoasa# ping 192.168.1.1 (pinging cisco router interface)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# show cry ipsec sa

There are no ipsec sa

And if yes, then what do you see in phase 2, in the "sh cry ipsec sa" output, when you ping from the firewall, on both sides?

----------------------------------

no but output included:

ciscoasa# show cry ipsec sa

There are no ipsec sa

HUB-RTR-2811#ping 192.168.1.2 (pinging ASA outside interface)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

!!!!!

HUB-RTR-2811#show crypto session

Crypto session current status

Interface: FastEthernet0/0

Session status: DOWN

Peer: 192.168.1.2 port 500

  IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 192.168.50.0/255.255.255.0

        Active SAs: 0, origin: crypto map

HUB-RTR-2811#ping 192.168.50.1 (pinging ASA inside interface)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

HUB-RTR-2811#show crypto session

Crypto session current status

Interface: FastEthernet0/0

Session status: DOWN

Peer: 192.168.1.2 port 500

  IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 192.168.50.0/255.255.255.0

        Active SAs: 0, origin: crypto map

HUB-RTR-2811#ping 192.168.50.1 source loopback1 (pinging ASA inside sourced from cisco loopback1)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:

Packet sent with a source address of 10.20.20.1

.....

Success rate is 0 percent (0/5)

HUB-RTR-2811#show crypto session

Crypto session current status

Interface: FastEthernet0/0

Session status: DOWN-NEGOTIATING

Peer: 192.168.1.2 port 500

  IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Inactive

  IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 192.168.50.0/255.255.255.0

        Active SAs: 0, origin: crypto map

Put the output of "sh run | in management" and "sh run policy-map" from the ASA.

-------------------------------

ciscoasa# show run | in management

management-access inside

ciscoasa# sh run policy-map

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

regards,

sky

It is good if you are able to ping from the ASA to the router without the VPN, as you can't ping from the router to the inside interface of the ASA, which is already blocked. So, the concept is that you can't ping any interface across the firewall: if you are on a PC in the inside zone, from that PC you can ping the inside interface but not the outside interface; however, from the same PC you can ping any PC which is in the outside zone. And this management-access for inside will work only when the tunnel is up or if traffic is crossing over the VPN; then the management-access command lets you ping from outside to the inside interface only.

Now, since you are able to ping from the ASA inside to the router loopback, we should focus on the VPN tunnel. Please give me the output of sh cry isa sa and sh cry ipsec sa after initiating the ping from the ASA side, and try to disable PFS and try again.

Your ping from the ASA to initiate the tunnel should be "ping inside 10.20.20.1".

sky_vader
Level 1

After removing and re-applying the following statements off ASA I'm now able to reach both sides of the tunnel!

crypto map outside_map 1 match address outside_1_cryptomap

management-access inside

regards,

sky
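The ASA configuration posted at the top of the thread has a crypto map entry with a peer, a transform set and PFS, but no "match address" line, and the fix reported above is exactly that line. The script below is an added example (not from the thread, not Cisco tooling) that lints the two posted configurations for the three things a defender checks first on an L2L pair: every ASA crypto map sequence has peer, transform set and crypto ACL; the ASA crypto ACL is the mirror image of the IOS crypto ACL (IOS wildcard masks converted to prefixes); and the nat 0 exemption ACL covers the same pair so VPN-bound traffic is not PAT'd out the outside interface. The ASA_CONFIG and IOS_CONFIG strings are trimmed excerpts of the configs in the original post; the function names and the regular expressions are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpts of the two configs posted in the thread, trimmed to the
# crypto-relevant lines. The ASA side is reproduced as posted: its crypto map
# sequence has no "match address" line.
ASA_CONFIG = """\
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set ASA5505 esp-aes esp-md5-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.1.1
crypto map outside_map 1 set transform-set ASA5505
crypto map outside_map interface outside
"""

IOS_CONFIG = """\
crypto map MYMAP 1 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set 2811
 set pfs group2
 match address net-local-to-remote
ip access-list extended net-local-to-remote
 permit ip 10.20.20.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

# ASA "crypto map NAME SEQ <attribute> [value]" lines (the interface binding has no SEQ and is skipped).
ASA_MAP_RE = re.compile(r"crypto map (\S+) (\d+) (set peer|set transform-set|set pfs|match address)(?: (\S+))?$")
# Only "permit ip <net> <mask> <net> <mask>" entries are parsed; "any" entries are ignored.
ASA_ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
IOS_ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)$")

# Attributes without which an ASA L2L crypto map sequence cannot negotiate the expected SA.
REQUIRED = ("set peer", "set transform-set", "match address")


def asa_crypto_maps(cfg):
    """Return {(map_name, seq): {attribute: value}} for every ASA crypto map sequence."""
    maps = defaultdict(dict)
    for line in cfg.splitlines():
        m = ASA_MAP_RE.match(line.strip())
        if m:
            maps[(m[1], int(m[2]))][m[3]] = m[4]
    return dict(maps)


def asa_crypto_map_gaps(cfg):
    """Crypto map sequences that are missing a required attribute, with the missing names."""
    return {key: [a for a in REQUIRED if a not in attrs]
            for key, attrs in asa_crypto_maps(cfg).items()
            if any(a not in attrs for a in REQUIRED)}


def asa_acl(cfg, name):
    """Set of (src_net, dst_net) pairs for an ASA extended ACL written in netmask notation."""
    pairs = set()
    for line in cfg.splitlines():
        m = ASA_ACL_RE.match(line.strip())
        if m and m[1] == name:
            pairs.add((ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                       ipaddress.ip_network(f"{m[4]}/{m[5]}")))
    return pairs


def ios_acl(cfg, name):
    """Set of (src_net, dst_net) pairs for an IOS named ACL written in wildcard notation.
    ipaddress accepts a hostmask after the slash, so 0.0.0.255 is parsed as /24."""
    pairs, inside = set(), False
    for line in cfg.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
            continue
        m = IOS_ACE_RE.match(line.strip())
        if inside and m:
            pairs.add((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                       ipaddress.ip_network(f"{m[3]}/{m[4]}")))
    return pairs


def mirrored(local_pairs, remote_pairs):
    """True when one side's crypto ACL is exactly the reverse of the other side's."""
    return {(d, s) for s, d in remote_pairs} == set(local_pairs)


def nat_exempt_matches(cfg, crypto_acl):
    """True when the nat 0 (NAT-exemption) ACL covers exactly the crypto ACL's pairs."""
    m = re.search(r"nat \(\S+\) 0 access-list (\S+)", cfg)
    return bool(m) and asa_acl(cfg, m[1]) == asa_acl(cfg, crypto_acl)


def lint(asa_cfg, ios_cfg, asa_acl_name, ios_acl_name):
    """Run the three checks and return the findings as a dict."""
    return {
        "crypto_map_gaps": asa_crypto_map_gaps(asa_cfg),
        "acls_mirrored": mirrored(asa_acl(asa_cfg, asa_acl_name), ios_acl(ios_cfg, ios_acl_name)),
        "nat_exempt_ok": nat_exempt_matches(asa_cfg, asa_acl_name),
    }


if __name__ == "__main__":
    print(lint(ASA_CONFIG, IOS_CONFIG, "outside_1_cryptomap", "net-local-to-remote"))
```

Run against the posted excerpts, lint() reports the single gap ("match address" missing on outside_map sequence 1) while the ACL mirror and NAT-exemption checks pass, which matches the resolution in the thread. Appending the "crypto map outside_map 1 match address outside_1_cryptomap" line to ASA_CONFIG clears the gap. The IOS side is parsed only for its crypto ACL; the same REQUIRED-attribute check could be extended to IOS "crypto map ... ipsec-isakmp" blocks, but the thread's problem was on the ASA, so the example stops there.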