
No packet round trip over VPN tunnel

alexthegr8
Level 1

Hello. I have an ASA on 9.1 (6) that is giving me some issues.

My company is using the ASA to provide a temporary site-to-site VPN to another site. The remote company has provided a public IP to the ASA. The ASA has the following:

Ethernet 0/0 = outside, ip 12.x.x.x

Ethernet 0/1 = inside, ip 192.168.10.95 (via dhcp)

Currently, the remote client has a VM set with the ASA as the default gateway. So all traffic from that VM goes straight to the ASA, then over the tunnel back to here.

There is a NAT statement which translates 192.168.10.0/23 to 192.168.52.0/23. The tunnel is up, as I can remote desktop from my desk (10.100.6.104) to 192.168.52.92 and it will go over the tunnel to arrive at the VM at 192.168.10.92.

Issue is that I cannot ping nor ssh to the ASA inside interface over the tunnel.

What I am not understanding is why I cannot send ICMP nor SSH to the ASA directly. This is what I get when trying to send an SSH packet:

Jan 15 2016 07:05:54: %ASA-6-302013: Built inbound TCP connection 78423 for outside:10.100.6.104/33265 (10.100.6.104/33265) to inside:192.168.10.95/22 (192.168.52.95/22)

which is correct, but then I get no response, and this is logged:

Jan 15 2016 07:06:24: %ASA-6-302014: Teardown TCP connection 78423 for outside:10.100.6.104/33265 to inside:192.168.10.95/22 duration 0:00:30 bytes 0 SYN Timeout

which is as if the ASA does not know where to return the traffic.

I already have management-access inside enabled.

Any ideas?
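The two syslog messages quoted above (302013 Built, then 302014 Teardown with "SYN Timeout" and "bytes 0") are the classic signature of a reply that never came back. As an added example that is not part of the original thread, this script pairs the two message types by connection ID and reports connections that died that way, showing both the real (untranslated) inside address and the mapped address the client used. The log lines are constructed to match the post's format; the second connection (to 192.168.52.92) is made up as a healthy contrast.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the two messages quoted in the post,
# plus a second (constructed) connection that completed normally for contrast.
SAMPLE_LOG = """\
Jan 15 2016 07:05:54: %ASA-6-302013: Built inbound TCP connection 78423 for outside:10.100.6.104/33265 (10.100.6.104/33265) to inside:192.168.10.95/22 (192.168.52.95/22)
Jan 15 2016 07:05:55: %ASA-6-302013: Built inbound TCP connection 78424 for outside:10.100.6.104/33270 (10.100.6.104/33270) to inside:192.168.10.92/3389 (192.168.52.92/3389)
Jan 15 2016 07:06:24: %ASA-6-302014: Teardown TCP connection 78423 for outside:10.100.6.104/33265 to inside:192.168.10.95/22 duration 0:00:30 bytes 0 SYN Timeout
Jan 15 2016 07:15:02: %ASA-6-302014: Teardown TCP connection 78424 for outside:10.100.6.104/33270 to inside:192.168.10.92/3389 duration 0:09:07 bytes 48212 TCP FINs
"""

BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\S+):(?P<src>\S+) \((?P<src_xlate>\S+)\) to "
    r"(?P<dst_if>\S+):(?P<dst>\S+) \((?P<dst_xlate>\S+)\)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for .* "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def find_unanswered_connections(log_text: str) -> List[Dict[str, str]]:
    """Pair 302013/302014 by connection ID and return connections torn down by
    SYN Timeout with zero bytes: the SYN was forwarded but nothing ever came back,
    which points at a missing return path rather than a blocked inbound flow."""
    built: Dict[str, Dict[str, str]] = {}
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["reason"].strip() == "SYN Timeout" and m["bytes"] == "0":
            info = built.get(m["id"], {})
            findings.append({
                "id": m["id"],
                "client": info.get("src", "?"),
                "real_dst": info.get("dst", "?"),          # untranslated inside address
                "mapped_dst": info.get("dst_xlate", "?"),  # address the client actually used
                "duration": m["duration"],
            })
    return findings

if __name__ == "__main__":
    for f in find_unanswered_connections(SAMPLE_LOG):
        print(f"conn {f['id']}: {f['client']} -> {f['mapped_dst']} (real {f['real_dst']}) "
              f"never answered after {f['duration']}")
```

Feeding it the two lines from the post flags connection 78423 (client 10.100.6.104 to mapped 192.168.52.95/22, real 192.168.10.95/22) while a connection that closed with TCP FINs is ignored.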


rvarelac
Level 7

Hi alexthegr8

Make sure the NATs used for VPN have the route-lookup keyword at the end.

Hope it helps

-Randy-

Unfortunately, since it's not a static NAT, it does not allow one to input that command.

Diego Lopez
Level 1

Hello

The ASA doesn't translate its own interface address, so to accomplish this you will need to SSH to the real IP assigned to the interface. You need to add the real network to the interesting traffic so you can send traffic over the tunnel, and in that way the inside interface can reply to the traffic. Make sure that you are allowing SSH on the inside interface from the remote network 10.100.6.0/24.

ssh 10.100.6.0 255.255.255.0 inside

The ssh command is already implemented.

If I add the real network to the interesting traffic, won't it try to send over the tunnel as that IP as well? That subnet is already in use over on this side, so it has to come as the alternate (NAT) IP.

NAT is done before checking the crypto map ACL, so it will not encrypt the real traffic.

I understand the overlapping issue now. Unfortunately the ASA won't translate its own interface address, so you will need to find an alternate solution to SSH to that device; due to the overlapping problem I don't think this can be accomplished the way you are trying to.

You can enable ssh on the outside interface of the remote ASA and just permit your public IP.

Or if you want this traffic encrypted, you can set up AnyConnect on the remote ASA, connect to it and SSH to the inside interface. The ASA Base license includes 2 SSL connections, so there is no need to purchase an additional license; you can use it and manage the device with AnyConnect instead of the site-to-site tunnel.