04-14-2014 01:35 PM - edited 02-21-2020 07:36 PM
A site-to-site VPN is connected between a Cisco ASA and a Cisco router, but we cannot ping the remote site. Can you help me please?
The Cisco 870 router configuration is below.
The output of the sh crypto isakmp sa, sh crypto session and sh crypto ipsec sa commands is below as well.
Cisco Router Configuration:
Building configuration...
Current configuration : 2545 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yener
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
controller DSL 0
line-term cpe
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 90.158.xx.xx
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map yener_to_karel 10 ipsec-isakmp
set peer 90.158.xx.xx
set transform-set myset
match address 101
!
!
!
interface BRI0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
shutdown
no cdp enable
!
interface FastEthernet3
no ip address
shutdown
no cdp enable
!
interface Vlan1
description WAN
no ip address
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
pppoe enable
pppoe-client dial-pool-number 1
!
interface Vlan2
description LOCAL LAN
ip address 10.10.10.8 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description Logical ADSL Interface
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xx@ttnet
ppp chap password 0 yy
ppp pap sent-username xx@ttnet password 0 yy
ppp ipcp dns request accept
ppp ipcp address accept
crypto map yener_to_karel
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat pool pool1 10.10.10.0 10.10.10.255 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list acl1 pool pool1
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
end
sh crypto session
Crypto session current status
Interface: Dialer1
Session status: UP-NO-IKE
Peer: 90.158.24.11 port 500
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.0.0/255.255.0.0
Active SAs: 2, origin: crypto map
Interface: Virtual-Access1
Session status: DOWN
Peer: 90.158.24.11 port 500
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
Interface: Dialer1
Session status: UP-IDLE
Peer: 90.158.24.11 port 500
IKE SA: local 85.105.xx.xx/500 remote 90.158.xx.xx/500 Active
sh crypto ipsec sa
interface: Dialer1
Crypto map tag: yener_to_karel, local addr 85.105.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer 90.158.24.11 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 85.105.xx.xx, remote crypto endpt.: 90.158.xx.xx
path mtu 1492, ip mtu 1492
current outbound spi: 0xF3A406C(255475820)
inbound esp sas:
spi: 0x256257B0(627201968)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: C87X_MBRD:2, crypto map: yener_to_karel
sa timing: remaining key lifetime (k/sec): (4441867/3417)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF3A406C(255475820)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: C87X_MBRD:1, crypto map: yener_to_karel
sa timing: remaining key lifetime (k/sec): (4441867/3416)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
sh crypto isakmp sa
dst src state conn-id slot status
85.105.xx.xx 90.158.xx.xx QM_IDLE 2 0 ACTIVE
10-19-2014 09:49 AM
hello,
I just saw the configuration, and it appears that phase 1 can establish just fine, though for phase 2, you can send traffic or receive it; this is happening because you are missing a NAT 0 statement on the router.
To accomplish sending traffic across and receiving it, from this router's perspective, you will need to do the following:
access-list 110 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
route-map nonat permit 10
match ip address 110
ip nat inside source route-map nonat interface Dialer1 overload
With these you are preventing the router from translating the inside hosts when going to 192.168.0.0/16.
Also make sure the other side of the tunnel meets these, so you won't run into conflicts.
Let me know how it works out.
Please don't forget to rate.
Best Regards,
David Castro,
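As an added check (not from the original post or the reply), this Python script parses the NAT and crypto ACL lines from a router config and reports any crypto-map flow that the NAT ACL would still translate, which is exactly the missing NAT exemption diagnosed above. It assumes numbered ACLs in the forms shown on this page, a single "ip nat inside source" statement, and uses constructed excerpts of the config before and after the suggested fix.

```python
import re
import ipaddress
# Constructed excerpts: crypto ACL 101 plus the NAT lines before the fix (ACL 1) and after (route-map nonat / ACL 110).
CRYPTO_ACL = "access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255\n"
BEFORE_CFG = CRYPTO_ACL + """ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 10.10.10.0 0.0.0.255
"""
AFTER_CFG = CRYPTO_ACL + """ip nat inside source route-map nonat interface Dialer1 overload
route-map nonat permit 10
 match ip address 110
access-list 110 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
"""

def _take(toks):  # pop "any" or "addr wildcard"; ipaddress accepts the wildcard (hostmask) form
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def parse_acls(cfg):  # {acl: [(action, src_net, dst_net)]} for numbered standard/extended-ip ACLs
    acls = {}
    for toks in (line.split() for line in cfg.splitlines()):
        if len(toks) < 4 or toks[0] != "access-list":
            continue
        if toks[3] == "ip":  # extended: ip SRC WILD DST WILD
            src, rest = _take(toks[4:])
            dst, _ = _take(rest)
        else:  # standard: SRC WILD, destination implicitly any
            src, dst = _take(toks[3:])[0], ipaddress.ip_network("0.0.0.0/0")
        acls.setdefault(toks[1], []).append((toks[2], src, dst))
    return acls

def nat_acl_name(cfg):  # ACL feeding 'ip nat inside source', directly or via a route-map
    m = re.search(r"^ip nat inside source (list|route-map) (\S+)", cfg, re.M)
    if m and m.group(1) == "route-map":
        m = re.search(r"^route-map %s permit \d+\n\s*match ip address (\S+)"
                      % re.escape(m.group(2)), cfg, re.M)
    return m.group(m.lastindex) if m else None

def translated_vpn_flows(cfg, crypto_acl="101"):
    """Crypto-ACL flows the NAT ACL would still translate, i.e. the missing NAT exemption."""
    acls = parse_acls(cfg)
    nat = acls.get(nat_acl_name(cfg), [])
    leaks = []
    for action, src, dst in acls.get(crypto_acl, []):
        # the first NAT ACL entry covering the flow decides; "permit" means translate
        verdict = next((a for a, s, d in nat if src.subnet_of(s) and dst.subnet_of(d)), "deny")
        if action == "permit" and verdict == "permit":
            leaks.append(f"{src} -> {dst}")
    return leaks
```

On the "before" excerpt the check reports the 10.10.10.0/24 to 192.168.0.0/16 flow as translated, which matches the zero encaps/decaps counters in the sh crypto ipsec sa output; after the route-map exemption it reports nothing.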