Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2753
Views
0
Helpful
17
Replies

IPSec VPN Help!!

Go to solution
kaleemullah.mohammed
Level 1
Level 1

‎06-24-2011 06:00 PM - edited ‎02-21-2020 05:25 PM

Two directly connected ASA. Their are LAN behind ASA. I have configured NAT,Global and IPSec VPN can anyone check the configuration of these firewalls and find out why am not able to pings LANs from either sides??

ASA1

-----

ASA Version 8.0(2)

!

hostname ASA1

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.1.1.1 255.255.252.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

access-group 101 in interface outside

route outside 172.16.1.0 255.255.255.0 10.1.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

ASA2

--------

ASA Version 8.0(2)

!

hostname ASA2

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.1.1.2 255.255.252.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

access-group 101 in interface outside

route outside 192.168.1.0 255.255.255.0 10.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

Labels:
0 Helpful
17 Replies 17

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kaleemullah.mohammed

‎06-26-2011 04:49 PM

If you want to ping the ASA interfaces via the VPN tunnel, please add the following command on both ASA:

management-access inside

Then test ping from the ASA as follows:

From ASA1: ping inside 172.16.1.1

From ASA2: ping inside 192.168.1.1

0 Helpful

Go to solution
kaleemullah.mohammed
Level 1
Level 1
In response to Jennifer Halim

‎06-27-2011 01:10 AM

Thanks to all of you guys. Finally its working. Normally i was not able to ping from my pc1 behind ASA1 to pc2 behind ASA2. But after giving management-access inside commands on both ASAs its working, why is it so can anyone give me the concept.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kaleemullah.mohammed

‎06-27-2011 01:54 AM

By default, you won't be able to ping the ASA interface if the traffic is not originated from that particular interface.

Eg:

if you are trying to ping ASA1 inside interface IP from ASA2 inside interface IP across the VPN, the traffic will arrive at ASA1 outside interface first. You can only ping ASA1 outside interface, but not across towards ASA1 inside interface.

With the "management-access inside" command, it allows that, and only if traffic is originating from VPN, not clear text traffic from the Internet.

Hope that answers your question.

0 Helpful
Customers Also Viewed These Support Documents