06-24-2011 06:00 PM - edited 02-21-2020 05:25 PM
Two directly connected ASAs. There are LANs behind each ASA. I have configured NAT, global and an IPSec VPN. Can anyone check the configuration of these firewalls and find out why I am not able to ping the LANs from either side?
ASA1
-----
ASA Version 8.0(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.252.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
route outside 172.16.1.0 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ASA2
--------
ASA Version 8.0(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.2 255.255.252.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
route outside 192.168.1.0 255.255.255.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
06-26-2011 04:49 PM
If you want to ping the ASA interfaces via the VPN tunnel, please add the following command on both ASAs:
management-access inside
Then test ping from the ASA as follows:
From ASA1: ping inside 172.16.1.1
From ASA2: ping inside 192.168.1.1
06-24-2011 06:07 PM
Doesn't look like you pasted the right configuration.
There is no IPSec VPN nor NAT configuration on the posted config.
06-25-2011 09:38 AM
Hmm, yes, you are right Jennifer. This is the updated copy of the configurations, kindly give me a solution. Thanks.
ASA1
--------
ASA Version 8.0(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.252.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit icmp any interface outside echo-reply
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat
nat (inside) 1 192.168.1.0 255.255.255.0
access-group 101 in interface outside
route outside 172.16.1.0 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set leve_set esp-aes-256 esp-sha-hmac
crypto map level_map 10 match address vpn
crypto map level_map 10 set peer 10.1.1.2
crypto map level_map interface outside
crypto map leve_map 10 set transform-set leve_set
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
-------------------------------------------------------------------------------------------------
ASA2
---------
ASA Version 8.0(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.2 255.255.252.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit icmp any interface outside echo-reply
access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat
nat (inside) 1 172.16.1.0 255.255.255.0
access-group 101 in interface outside
route outside 192.168.1.0 255.255.255.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set leve_set esp-aes-256 esp-sha-hmac
crypto map leve_map 10 match address vpn
crypto map leve_map 10 set peer 10.1.1.1
crypto map leve_map 10 set transform-set leve_set
crypto map leve_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
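The ASA1 crypto lines above use two different map names, level_map (match address, set peer, interface binding) and leve_map (set transform-set). On the ASA a crypto map entry without a peer or transform set is incomplete, and a map that is never applied with `crypto map <name> interface` is not used. The following is an added example, not code from the thread: a small lint that parses the crypto-map lines of an ASA 8.x config and reports such gaps. The config excerpt is constructed from the ASA1 lines posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt: the crypto-related lines of the ASA1 config posted above.
ASA1_CRYPTO = """
crypto ipsec transform-set leve_set esp-aes-256 esp-sha-hmac
crypto map level_map 10 match address vpn
crypto map level_map 10 set peer 10.1.1.2
crypto map level_map interface outside
crypto map leve_map 10 set transform-set leve_set
crypto isakmp enable outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) ")
REQUIRED = (("acl", "match address"), ("peer", "set peer"), ("ts", "set transform-set"))

def lint_crypto_maps(config):
    """Return a list of problems found in the crypto-map lines of an ASA 8.x config."""
    entries = defaultdict(dict)   # (map name, seq) -> {"acl": ..., "peer": ..., "ts": ...}
    bound = {}                    # map name -> interface it is applied to
    tsets = set()                 # defined transform-set names
    for raw in config.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            name, seq, kind, value = m.groups()
            key = {"match address": "acl", "set peer": "peer", "set transform-set": "ts"}[kind]
            entries[(name, int(seq))][key] = value.strip()
            continue
        m = BIND_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = TSET_RE.match(line)
        if m:
            tsets.add(m.group(1))

    problems = []
    for (name, seq), attrs in sorted(entries.items()):
        for key, label in REQUIRED:
            if key not in attrs:
                problems.append(f"{name} {seq}: missing '{label}' (entry is incomplete)")
        # 'set transform-set' may list several sets; each must be defined.
        for ts in attrs.get("ts", "").split():
            if ts not in tsets:
                problems.append(f"{name} {seq}: transform-set {ts} is not defined")
    for name in sorted({n for n, _ in entries} - set(bound)):
        problems.append(f"{name}: crypto map is not applied to any interface")
    return problems
```

Renaming leve_map to level_map in the excerpt makes the lint come back empty, which is the consistency check the thread's "looks correct to me" reply skipped.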
06-25-2011 08:03 PM
The configuration looks correct to me.
Can you please advise at which phase the IPsec VPN fails?
Please share the output of:
show cry isa sa
show cry ipsec sa
from both sides.
Also can you please advise where you are pinging from and to?
If the show output doesn't show anything, please run debug while trying to ping:
debug cry isa
debug cry ipsec
06-26-2011 05:30 AM
show cry isa sa
show cry ipsec sa
These commands give no output, so I ran the debug cry isa and debug cry ipsec commands on ASA2 and pinged from ASA1, as shown in the output.
ASA1# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA2# sh debug
debug crypto ipsec enabled at level 1
debug crypto isakmp enabled at level 1
ASA2#
ASA2# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
--------------------------------------------------------------------------------------------------------------------
As you can see, the debug commands are also not showing anything much, so I tried the command debug icmp trace on ASA2 and again tried to ping from ASA1.
ASA2# debug icmp trace
debug icmp trace enabled at level 1
ASA2#
ASA2# ICMP echo request from 10.1.1.1 to 172.16.1.1 ID=4388 seq=8678 len=72
ICMP echo request from 10.1.1.1 to 172.16.1.1 ID=4388 seq=8678 len=72
ICMP echo request from 10.1.1.1 to 172.16.1.1 ID=4388 seq=8678 len=72
ICMP echo request from 10.1.1.1 to 172.16.1.1 ID=4388 seq=8678 len=72
ICMP echo request from 10.1.1.1 to 172.16.1.1 ID=4388 seq=8678 len=72
ASA1#
ASA1# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
-------------------------------------------------------------------------------------------------------------------------------
06-26-2011 08:01 AM
You can't ping the ASA's farthest (inside) interface from outside; this is normal behaviour, it is the architecture of the device.
Moreover, you need debug crypto isakmp 127 to see debug messages. 1 is the least informational debug, 255 is the highest.
Can you post these debug messages to us?
One more thing: can you ping the second ASA's outside interface from the first ASA?
06-26-2011 08:49 AM
Only outside (ASA1) to outside (ASA2) --- ping is working.
inside (ASA1) to inside (ASA2) --- not working
inside (ASA1) to outside (ASA2) --- not working
outside (ASA1) to inside (ASA2) --- not working
inside (ASA2) to inside (ASA1) --- not working
inside (ASA2) to outside (ASA1) --- not working
outside (ASA2) to inside (ASA1) --- not working
I ran the debug crypto isakmp 127 command on ASA2 and pinged inside (ASA2) from outside (ASA1), but I am not getting any debug messages.
ASA2# debug cry isa 127
ASA2# sh debug crypto isakmp
debug crypto isakmp enabled at level 127
ASA2#
-------------------------------------------------------------
ASA1# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
06-26-2011 09:01 AM
To see debug messages, you would probably need to enable logging:
conf t
logging enable
I would like to stress once again, you can't ping from:
outside (ASA1) to inside (ASA2)
outside (ASA2) to inside (ASA1)
This is disabled by default and there is no way to enable it.
You can't ping in all the other scenarios because your VPN connection is not established.
06-26-2011 09:33 AM
I got your point that we can't ping from the outside interfaces of an ASA to the inside interfaces. I have enabled logging, but still no debug messages.
ASA2(config)# logging enable
ASA2(config)# debug crypto isakmp 127
ASA2(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA1(config)# ping
Interface: inside
Target IP address: 172.16.1.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Here I enabled logging buffer-size 10000 and logging console information, then I got this output. But I have already configured the static routes on both ASAs correctly, so why is it giving this?
ASA2# ping
Interface: inside
Target IP address: 192.168.1.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
%ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity I ide:192.168.1.1/0
?????
Success rate is 0 percent (0/5)
ASA2# %ASA-5-111008: User 'enable_15' executed the 'ping' command.
ASA2# sh ip ro.
Gateway of last resort is not set
C 172.16.1.0 255.255.255.0 is directly connected, inside
C 10.1.0.0 255.255.252.0 is directly connected, outside
S 192.168.1.0 255.255.255.0 [1/0] via 10.1.1.1, outside
06-26-2011 09:38 AM
Try:
ciscoasa(config)#logging enable
ciscoasa(config)#logging buffered debugging
ciscoasa#show logging
06-26-2011 09:52 AM
ASA1(config)# ping
Interface: inside
Target IP address: 172.16.1.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
-------------------------------------------------------------------------------------------------------
ASA2(config)# logging enable
ASA2(config)# logging buffered debugging
ASA2(config)# sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 97 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
%ASA-5-111008: User 'enable_15' executed the 'logging enable' command.
%ASA-7-711002: Task ran for 2 msec, Process = ci/console, PC = 8179a3b, Traceback = 0x08739E15 0x090A828A 0x080B7A6A 0x080ACE08 0x080AD921 0x0805E033
%ASA-5-111008: User 'enable_15' executed the 'logging buffered debugging' command.
%ASA-7-711002: Task ran for 2 msec, Process = ethpoll, PC = 88d7c35, Traceback =
%ASA-7-711002: Task ran for 2 msec, Process = ethpoll, PC = 88d7c35, Traceback = 0x088D7C35 0x0805E033
ASA2(config)#
06-26-2011 09:59 AM
Can you try pinging from inside hosts, not from ASA's interfaces?
Also enable this:
conf t
logging monitor
06-26-2011 10:35 AM
This is somewhat interesting. I have pinged from PC1 (192.168.1.2/24) behind ASA1 to the inside (ASA2) interface 172.16.1.1; this is the output from ASA1:
ASA1(config)# sh logging
%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]
It's saying my access-list 101 on outside (ASA2) is denying the ping.
And if I ping from PC1 to the outside (ASA1) interface, this is the output of the sh logging command on ASA1:
ASA1(config)# sh logging
%ASA-7-715047: Group = 10.1.1.2, IP = 10.1.1.2, processing hash payload
%ASA-7-715047: Group = 10.1.1.2, IP = 10.1.1.2, processing notify payload
%ASA-7-715075: Group = 10.1.1.2, IP = 10.1.1.2, Received keep-alive of type DPD R-U-THERE (seq number 0x7fcb36b0)
%ASA-7-715036: Group = 10.1.1.2, IP = 10.1.1.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7fcb36b0)
%ASA-7-715046: Group = 10.1.1.2, IP = 10.1.1.2, constructing blank hash payload
%ASA-7-715046: Group = 10.1.1.2, IP = 10.1.1.2, constructing qm hash payload
%ASA-7-713236: IP = 10.1.1.2, IKE_DECODE SENDING Message (msgid=d58670be) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
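The %ASA-4-106023 lines above report ICMP type 0 (echo reply) from 10.1.1.2 to the inside host 192.168.1.2 being dropped by access-group 101. ASA1's ACL 101 as posted permits echo-reply only when the destination is `interface outside`, i.e. the ASA's own outside address, so a reply to an inside host falls to the implicit deny. The following is an added example, not code from the thread: it parses 106023 lines and re-evaluates each one against a small first-match model of that ACL. The syslog sample is constructed from the lines posted above; the ICMP type table and interface address are taken from the thread.

```python
import ipaddress
import re

# Constructed sample input: two of the %ASA-4-106023 lines posted above.
SYSLOG = """\
%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]
"""

LOG_RE = re.compile(
    r'%ASA-4-106023: Deny (\w+) src (\w+):([\d.]+) dst (\w+):([\d.]+) '
    r'\(type (\d+), code (\d+)\) by access-group "([^"]+)"'
)

ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# Model of ASA1 as posted: its outside interface address and the single entry of ACL 101.
INTERFACES = {"outside": "10.1.1.1"}
ACL_101 = [("permit", "icmp", "any", "interface outside", "echo-reply")]

def parse_106023(text):
    """Yield one dict per Deny line: protocol, interfaces, addresses, ICMP type/code, ACL name."""
    for m in LOG_RE.finditer(text):
        proto, src_if, src, dst_if, dst, typ, code, acl = m.groups()
        yield {"proto": proto, "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
               "type": int(typ), "code": int(code), "acl": acl}

def _addr_matches(spec, addr):
    """ACL address operand: 'any', 'interface <nameif>' (the ASA's own address) or 'net mask'."""
    if spec == "any":
        return True
    if spec.startswith("interface "):
        return addr == INTERFACES[spec.split()[1]]
    net, mask = spec.split()
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def acl_action(acl, proto, src, dst, icmp_type):
    """First-match evaluation; the ASA's implicit deny applies when no entry matches."""
    for action, p, s, d, t in acl:
        if (p == proto and _addr_matches(s, src) and _addr_matches(d, dst)
                and (t is None or ICMP_TYPES[t] == icmp_type)):
            return action
    return "deny"

def check_denies(text, acl=ACL_101):
    """Re-evaluate each logged Deny against the ACL model: (dst, ICMP type, model action)."""
    return [(e["dst"], e["type"], acl_action(acl, e["proto"], e["src"], e["dst"], e["type"]))
            for e in parse_106023(text)]
```

The model agrees with the firewall for the posted lines and shows that the same echo reply addressed to 10.1.1.1 would have matched the entry.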
06-26-2011 10:47 AM
I am not sure these pings are going through the VPN tunnel...
06-26-2011 10:50 AM
I see, but I am able to ping the outside (ASA2) interface from the PC behind ASA1, but I am not able to reach inside (ASA2).