03-08-2010 03:33 AM
Hi
After setting up an L2L VPN between an ASA 5505 and Cisco 3825, I'm not able to ping the inside network.
My network for the ASA is 172.28.45.0/24 and for the 3825 is 172.28.53.0/24. I've been told that there may be overlapping in the ACL and all.
But when I change the 3825 network to 171.28.53.0/24 the VPN is not up at all. Attached are my configs, please help on both issues as I would like to have the 172.28.53.0 and other network VPN also to be up.
Thanks
Shameem
03-08-2010 06:54 AM
Your inside network definitions were fine, don't change them if they correctly represent your network configuration.
From the output you provided it looks like you are pinging the inside interface of the 3825 from the outside interface of the ASA. The outside interface of the ASA is not in the encryption domain.
Try pinging from another device on the 171.28.45.0/24 subnet to the 3825 interface or to another device on the 171.28.53.0/24 subnet. That will generate "interesting traffic", traffic defined by the encryption domain.
03-08-2010 10:49 PM
Hi
Thank you for the support. The VPN is up now but still does not get reply when ping and cannot ssh.
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
xx.xx.194.99 xx.94.167.110 QM_IDLE 4022 0 ACTIVE
MAR#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: SDM_CMAP_1, local addr xx.94.167.110
protected vrf: (none)
local ident (addr/mask/prot/port): (171.28.53.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (10.0.4.0/255.255.255.0/0/0)
current_peer 41.72.203.142 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xx.94.167.110, remote crypto endpt.: 41.72.203.142
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (171.28.53.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.0/0/0)
current_peer xx.xx.194.99 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 285, #pkts encrypt: 285, #pkts digest: 285
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: xx.94.167.110, remote crypto endpt.: xx.xx.194.99
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x60028D9A(1610780058)
inbound esp sas:
spi: 0xCBD57743(3419764547)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 17, flow_id: AIM-VPN/SSL-3:17, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4380728/2031)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x60028D9A(1610780058)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 18, flow_id: AIM-VPN/SSL-3:18, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4380696/2031)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
03-08-2010 11:26 PM
In "show crypto ipsec sa", the "decrypt" count is "0", which means the remote end did not send the packet back.
You need to check the following at the remote end:
- NAT
- routing
- if you are trying to ping/ssh the inside interface of the ASA, you need to add "management-access
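The three checks above, written out as an ASA-side configuration. This is an added example and not from the thread or the attached configs; the object, ACL and crypto map names (NONAT, L2L_VPN, OUTSIDE_MAP, sequence 10) and the angle-bracket placeholders are assumptions, and the subnets are taken from the 3825's "local ident"/"remote ident" output above (171.28.53.0/24 behind the 3825, 172.28.45.0/24 behind the ASA). The NAT exemption uses pre-8.3 syntax, which is what an ASA 5505 of that period most likely runs.

```cisco
! Added example (not from the thread): ASA-side checks for the
! "encaps > 0 on the 3825, decaps = 0" symptom.
! Assumed names: NONAT, L2L_VPN, OUTSIDE_MAP, sequence 10; <...> are placeholders.
!
! 1. NAT: traffic from the local LAN to the remote LAN must not be translated,
!    otherwise the reply leaves with a NATed source and never matches the crypto ACL.
access-list NONAT extended permit ip 172.28.45.0 255.255.255.0 171.28.53.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. Crypto ACL: must be the exact mirror of the 3825's ACL (local and remote swapped),
!    so the proxy IDs agree and return traffic is selected for encryption.
access-list L2L_VPN extended permit ip 172.28.45.0 255.255.255.0 171.28.53.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_VPN
!
! 3. Routing: packets for the remote LAN must be routed out the interface the crypto
!    map is applied to; a default route via the outside gateway is enough.
route outside 0.0.0.0 0.0.0.0 <outside-default-gateway> 1
!
! 4. Management traffic to the ASA's own inside interface arriving through the tunnel
!    is only answered when management-access is enabled on that interface.
management-access inside
!
! Verify: after a ping from the 3825 LAN, both encaps and decaps should now increment.
show crypto ipsec sa peer <3825-outside-ip>
```

On ASA 8.3 or later the NAT exemption is written as an identity twice-NAT rule instead of `nat (inside) 0`: define `object network` entries for the two subnets and use `nat (inside,outside) source static LAN_LOCAL LAN_LOCAL destination static LAN_REMOTE LAN_REMOTE no-proxy-arp route-lookup` (names again assumed). Whichever form is used, `show nat` should list the VPN traffic as untranslated before looking any further.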
03-11-2010 06:30 AM
Thank you very much for the support. It's working fine now.
Now I would like to restrict access from one side of the VPN. Only one ip address and some traffic should be allowed from the 3825 to the ASA.