Ping across Site-to-Site problems

Cybervex3
Level 1

Having a problem pinging across a site-to-site.  Any ideas would be appreciated.

Anyconnect Client ---- ASA5505 ---- Internet(ipsec tunnel) ---- ASA5510 ---- LAN

Directly connected ---^

From a client PC with AnyConnect I can ping ASA5505, ASA5510, Servers & Clients on the remote LAN. So the tunnel is working and passing traffic.

From a client PC connected directly to the ASA5505 I can ping ASA5505, ASA5510, Servers & Clients on the remote LAN.

From the ASA5505 I can only ping locally attached devices. I cannot ping AnyConnect clients or anything through the tunnel.

From the ASA5510 I can only ping devices on the LAN.

From a PC on the LAN I can ping devices connected directly and via AnyConnect to the ASA5505, again showing the tunnel works.

Removing "access-list outside_access_in extended deny icmp any any" on the ASA5510 does not fix the problem

ASA5505 ACL

access-list inside_out_outside extended permit ip any any

access-list outside_in_inside extended permit icmp any any

access-list CORVID-Split-Tunnel standard permit 10.100.0.0 255.255.0.0

access-list CORVID-Split-Tunnel standard permit 10.10.0.0 255.255.0.0

access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0

access-list INSIDE_NAT0_OUTBOUND extended permit ip any 10.100.0.0 255.255.0.0

access-list OUTSIDE_1_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0

ASA5510 ACL

access-list nonat extended permit ip any 10.10.11.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0

access-list nonat extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www

access-list outside_access_in extended permit tcp any host SonomaBullsEye eq https inactive

access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq www

access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq https

access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq www

access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq https

access-list outside_access_in remark HTTP for TeamWeb

access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq www

access-list outside_access_in remark HTTPS for TeamWeb

access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq https

access-list outside_access_in extended permit icmp host 10.100.0.1 any

access-list outside_access_in extended deny icmp any any

access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host Sonoma eq https inactive

access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https

access-list outside_access_in_1 remark FTPS

access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1

access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400

access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https

access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive

access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive

access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https

access-list outside_access_in_1 extended deny icmp any any

access-list inside_access_out extended permit ip any any log

16 Replies

I ended up getting this working.  Inside of DefaultWEBVPNGroup I changed:

default-group-policy DfltGrpPolicy

to

default-group-policy CORVID-WC-SSL

Ping also works if I type "ping inside 10.10.1.1" rather than "ping 10.10.1.1".

I am sure I still have something wrong. AnyConnect clients go to DefaultWEBVPNGroup rather than CORVID-WC-SSL to get an IP. If I do not add the address-pool to DefaultWEBVPNGroup then I do not get an IP.

This does not work:

   tunnel-group CORVID-WC-SSL general-attributes

    address-pool CORVID-WC-VPNPOOL

    authentication-server-group PMERADIUS

    default-group-policy CORVID-WC-SSL

This works:

   tunnel-group DefaultWEBVPNGroup general-attributes

    address-pool CORVID-WC-VPNPOOL

    authentication-server-group PMERADIUS

    default-group-policy CORVID-WC-SSL
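The "ping inside" observation above is the key to the original symptom. A ping issued on an ASA without naming an interface is sourced from the address of the egress interface, which for a destination on the far side of the tunnel is the outside interface. That source address is not inside 10.100.0.0/16, so the packet is never selected by OUTSIDE_1_CRYPTO (or exempted by INSIDE_NAT0_OUTBOUND) and leaves the box in the clear, where nothing routes it. "ping inside" sources from the inside interface address, which does match. Removing the ICMP deny on the ASA5510's outside ACL could not help, because the packets never entered the tunnel in the first place. The following Python is an added example, not code from the original post: it parses the "extended permit ip" lines the OP posted for the ASA5505 and evaluates which source address a ping must carry to be matched by the crypto ACL. Three values are assumptions not stated on the page: the object NH-LAN resolving to 10.10.0.0/16 (mirrored from the ASA5510 nonat entry), 10.100.0.1 as the ASA5505 inside address (it appears in the ASA5510's outside ACL), and the documentation address 203.0.113.5 as the ASA5505 outside address.

```python
"""ASA-style ACL matcher, added as an illustration; not from the original post.

Parses 'access-list NAME extended permit|deny ip <src> <dst>' lines (the form
posted in the thread) and applies first-match semantics with an implicit deny,
to show which source address a ping from the ASA itself needs in order to be
selected by the site-to-site crypto ACL.
"""
import ipaddress
import re
from typing import List, Tuple

# ASSUMED: the page never shows the 'name' statement for NH-LAN; this value is
# mirrored from the ASA5510 nonat entry (10.10.0.0 255.255.0.0 <-> 10.100.0.0).
NAMES = {"NH-LAN": "10.10.0.0"}

# ASSUMED interface addresses for the ASA5505 (not stated on the page).
ASSUMED_OUTSIDE_IP = "203.0.113.5"   # RFC 5737 documentation address
ASSUMED_INSIDE_IP = "10.100.0.1"     # appears as a host in the ASA5510 outside ACL

# ACL lines copied from the ASA5505 section of the original post.
ACL_5505 = """\
access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip any 10.100.0.0 255.255.0.0
access-list OUTSIDE_1_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0
"""

Entry = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _take_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ASA address spec: 'any', 'host X', or 'NETWORK MASK'."""
    tok = tokens[0]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tok == "host":
        host = NAMES.get(tokens[1], tokens[1])
        return ipaddress.IPv4Network(host + "/32"), tokens[2:]
    net = NAMES.get(tok, tok)
    # ipaddress accepts a dotted netmask after the slash, as the ASA writes it.
    return ipaddress.IPv4Network(f"{net}/{tokens[1]}"), tokens[2:]


def parse_acl(text: str) -> List[Entry]:
    """Parse 'extended permit|deny ip <src> <dst>' lines into (name, action, src, dst)."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) ip (.+)", line.strip())
        if not m:
            continue  # remarks, standard ACLs and non-IP entries are out of scope here
        name, action, rest = m.groups()
        src, remaining = _take_addr(rest.split())
        dst, _ = _take_addr(remaining)
        entries.append((name, action, src, dst))
    return entries


def acl_matches(entries: List[Entry], acl_name: str, src: str, dst: str) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for name, action, src_net, dst_net in entries:
        if name == acl_name and s in src_net and d in dst_net:
            return action == "permit"
    return False


def ping_is_encrypted(entries: List[Entry], source_ip: str, target: str) -> bool:
    """True if a ping sourced from source_ip toward target is selected by the crypto ACL."""
    return acl_matches(entries, "OUTSIDE_1_CRYPTO", source_ip, target)


if __name__ == "__main__":
    acl = parse_acl(ACL_5505)
    # 'ping 10.10.1.1' with no interface given: sourced from the (assumed) outside address.
    print("ping 10.10.1.1        ->", ping_is_encrypted(acl, ASSUMED_OUTSIDE_IP, "10.10.1.1"))
    # 'ping inside 10.10.1.1': sourced from the (assumed) inside address.
    print("ping inside 10.10.1.1 ->", ping_is_encrypted(acl, ASSUMED_INSIDE_IP, "10.10.1.1"))
```

The same matcher can be pointed at INSIDE_NAT0_OUTBOUND to confirm that LAN-to-LAN traffic is exempted from NAT, which is why the client PCs behind the ASA5505 never had a problem; only traffic the firewall originates from its own outside address falls outside both ACLs.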

Hi there,

ip pool is missing on "CORVID-WC-SSL"

group-policy CORVID-WC-SSL attributes

address-pools value ?

Let me know if this helps.

Thanks