Cisco ASA cannot / can Ping remote network of IPSEC LAN

active-energy
Level 1

Hi together

we have set up an IPSEC connection and the strange thing is that the IPSEC tunnel comes up fine and we can also successfully ping a client on the remote LAN of the other site from the ASA itself.

Yet once we try to ping the remote client from our local LAN behind the ASA this fails.

When doing a traceroute on a remote LAN client, the client tries to reach the network over the public gateway, yet this should be routed over the IPSEC tunnel.

I have checked the ACLs and they are all set to allow - allow for these settings, yet it still does not want to work, any ideas?

Cheers

Wolfgang

6 Replies

Marvin Rhoads
Hall of Fame

On an ASA a good tool to check why something isn't flowing as expected is the packet-tracer command. It will take you through the logic the ASA uses step by step including VPN encapsulation (or lack thereof) and routing.

More details on packet-tracer here and here.

If that doesn't help, please share the relevant ACLs and crypto configurations from both devices for a more definitive answer.

ankshar2
Level 1

Hi,

Yes, I agree with Marvin. Please try to run a packet tracer on the ASA. With the current description, it seems NAT exempt might not be configured for the local LAN subnet. If so, try to take captures on the inside interface of the ASA for ICMP traffic to see if packets are reaching the inside interface. Please try to upload the configs from the VPN end devices as Marvin suggested.

Thanks,

Ankit Sharma

Hi together,

thank you very much for your reply. I have gone through the test with the packet tracer, which was all in all positive:

ICMP from inside network to client of remote network

What still puzzles me is that when I look at the log with the ping requests from a local client to the remote network, I see that the ASA is trying to route the ICMP packet via the public interface, rather than route the packet through the VPN IPSEC tunnel.

If I do a ping test on the ASA to a client of the remote network this works.

If I do a ping test on the local client to a client of the remote network this fails.

What can I do here?

Thanks

Wolfgang

The issue is most likely a crypto ACL mismatch or a NAT Exempt misconfiguration on one of the locations.  Would you be able to post a sanitized configuration of both locations?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

attached I have the relevant config lines from the local site:

crypto map world_map 2 match address world_cryptomap_2
crypto map world_map 2 set peer 1xx.xxx.47.10
crypto map world_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

tunnel-group 1xx.xxx.47.10 type ipsec-l2l
tunnel-group 1xx.xxx.47.10 general-attributes
default-group-policy GroupPolicy2
tunnel-group 1xx.xxx.47.10 ipsec-attributes
ikev1 pre-shared-key *****

object network VPN-Devices
subnet 10.124.0.0 255.255.0.0

The remote site is managed by a provider and I will post this later.

Thanks

Wolfgang

Could you also include the ACL configuration of world_cryptomap_2 as this indicates what traffic is to be encrypted.

Also include the NAT Exempt configuration as this prevents the VPN traffic from being NATed out to the internet.

--
Please remember to select a correct answer and rate helpful posts
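The two pieces of configuration Marius is asking for, written out as an added example that is not taken from Wolfgang's thread or any Cisco document: the crypto ACL that names the interesting traffic, and the identity NAT (NAT exempt) rule that stops that traffic from being PAT'd out of the public interface, which is exactly the behaviour the log above describes. LOCAL-LAN, 10.1.0.0/16 and the sample host addresses are assumptions; VPN-Devices, world_cryptomap_2, world_map and the sanitized peer address come from the posted config, and ASA 8.3+ NAT syntax is assumed.

```text
! --- assumed local side (not in the thread): the inside subnet and its
! --- catch-all PAT for internet traffic
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

! --- from the posted config: the remote subnet behind the peer
object network VPN-Devices
 subnet 10.124.0.0 255.255.0.0

! --- symptom: with only the PAT above, an inside host's ping to 10.124.x.x is
! --- translated to the outside address first, no longer matches the crypto ACL,
! --- and is routed in the clear towards the default gateway

! --- fix 1: crypto ACL defining what the crypto map entry must encrypt;
! --- the provider's ASA needs the mirror image (VPN-Devices -> LOCAL-LAN)
access-list world_cryptomap_2 extended permit ip object LOCAL-LAN object VPN-Devices
crypto map world_map 2 match address world_cryptomap_2

! --- fix 2: identity NAT (NAT exempt). Section 1 twice NAT is evaluated before
! --- the object PAT, so LAN-to-LAN traffic keeps its real source address
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static VPN-Devices VPN-Devices no-proxy-arp route-lookup

! --- verify on the ASA: simulate an inside host (8 0 = ICMP echo request) to a
! --- remote host; the NAT phase should hit the identity rule and the VPN phase
! --- should show ENCRYPT with a final result of ALLOW
packet-tracer input inside icmp 10.1.0.50 8 0 10.124.0.10 detailed
show nat
show crypto ipsec sa peer 1xx.xxx.47.10
```

If packet-tracer still shows the packet leaving via the outside interface without an ENCRYPT phase, compare the order of the NAT rules in show nat: an earlier, broader translation wins over the identity rule.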