03-22-2011 12:52 PM
Hello
I'm setting up a test site-to-site VPN between a Cisco ASA 5520 and a Cisco 800 or any other VPN-capable router (I have a 2600XM and a 2800). I'm using ASDM to configure the ASA and the CLI to configure the router. The environment is as follows
(the router and the ASA are directly connected)
1- ASA side
outside interface ip 82.205.xxx.xxx
inside interface ip 192.168.5.1
inside network 192.168.5.0 255.255.255.0
no natting is used
the default gateway is the router outside interface
2- router side
outside interface ip 82.205.xxx.yyy
inside interface ip 192.168.6.1
inside network 192.168.6.0 255.255.255.0
no natting is used
the default gateway is the ASA outside interface
I have managed to bring the tunnel up and running, but the problem is that I can ping the router inside network (192.168.6.0) from the ASA inside network (192.168.5.0) normally, but it won't work the other way (I mean I can't ping the ASA inside network from the router inside network). I have triple-checked the following:
1- the interesting traffic ACL on both sides (permit 192.168.5.0 255.255.255.0 to 192.168.6.0) on the ASA side and vice versa on the router.
2- the VPN is bidirectional on the ASA side.
3- restored the ASA to factory default and did the configuration again, with the same problem.
4- checked that there are no NAT translations configured on either side.
5- no route but the default route mentioned above.
6- did the configuration from the ASA side using the wizard and checked the box (to bypass the local networks from the interface ACLs); although there are no interface ACLs, it still didn't work.
7- changed the default route to the local outside interface on both sides.
03-22-2011 10:37 PM
hi,
Can you please check that the ASA is not learning the route to 192.168.6.0 via some other routing protocol or from somewhere else.
Please ensure that the ASA knows that it needs to exit via the tunnel to reach 192.168.6.0. Please check the internal routing of the ASA; make sure that the route to 192.168.6.0 is via the ASA.
Hope this helps.
Regards,
Anisha
-Do rate helpful posts.
03-22-2011 10:45 PM
Thank you Anisha
Did that by changing the VPN tunnel parameters while the tunnel is up, and when the tunnel goes down there is NO ping to (192.168.6.0) from the ASA side.
thanks again.
03-22-2011 11:00 PM
Hmmm.. ok.. what is connected on the inside of the ASA directly? I mean an L3 device? What is the default route in there?
Alternately you can run a packet tracer on the ASA and find out where it is dropping.
Next we can apply packet captures and check whether the packet is actually reaching the ASA or not, to be sent across the tunnel.
Hope this helps.
Regards,
Anisha.
- Do rate helpful posts.
03-23-2011 02:07 AM
03-23-2011 02:45 AM
and only a single PC is connected to the inside interfaces from both sides
03-23-2011 05:56 AM
Hi,
Is the tunnel up? Please paste the output of "sh cry isa sa" from both ends.
Also I don't see NAT exemption on the ASA or the router.
Please paste the output of "sh run nat" as well.
Regards,
Anisha
03-24-2011 12:26 AM
03-24-2011 02:06 AM
03-24-2011 02:14 AM
I also did the command "sysopt connection permit-vpn" to make the IPsec traffic bypass the interface access-lists, but same problem again.
03-24-2011 05:38 AM
Hi,
Could you please paste the output of the following:
packet-tracer in inside icmp 192.168.5.10 8 0 192.168.6.110 detailed
After this please do the following:
access-li capi permit ip host 192.168.5.10 host 192.168.6.110
access-li capi permit ip host 192.168.6.110 host 192.168.5.10
capture capin access-li capi interface inside buffer 33554430
Ping from 192.168.5.10 to 192.168.6.110
Do "sh cap capin" and give the output of the same.
Regards,
Anisha
-Do rate helpful posts.
03-27-2011 03:11 AM
03-28-2011 05:47 AM
Hi,
The captures on the ASA show the packet is being replied to by the 192.168.5.10 network.
Could you please check if the local firewall of the machine 192.168.6.110 is on. If it is on, then please switch it off.
Also please attach the output of packet tracer mentioned in the last post.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
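The two posts above describe the capture procedure (a bidirectional capture on the ASA's inside interface, then a ping) and how to read its result: if the echo request reaches the inside interface and a reply comes back, the ASA and the tunnel have delivered it and the drop is elsewhere. The script below is an added example, not code from this thread or from Cisco: it pairs ICMP echo requests with their replies in the text of `sh cap capin`. The three capture lines are constructed to imitate the ASA's one-line-per-packet capture format (an assumption about the layout, not output posted in the thread), and the hosts are the ones used in Anisha's packet-tracer command.

```python
"""Added example (not from the thread): pair ICMP echo requests with their
replies in the text of an ASA 'show capture capin'.  The sample capture is
constructed; its layout imitates the ASA's one-line-per-packet format."""
import re
from collections import Counter

# Constructed sample of what 'sh cap capin' might print on the inside interface.
SAMPLE_CAPTURE = """\
3 packets captured

   1: 14:28:03.521380       192.168.5.10 > 192.168.6.110: icmp: echo request
   2: 14:28:03.522104       192.168.6.110 > 192.168.5.10: icmp: echo reply
   3: 14:28:08.101990       192.168.6.110 > 192.168.5.10: icmp: echo request
3 packets shown
"""

_ECHO_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\S+)\s+(?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"icmp: echo (?P<kind>request|reply)\s*$"
)


def parse_echoes(capture_text):
    """Return (src, dst, kind) triples for every ICMP echo line, in order."""
    pkts = []
    for line in capture_text.splitlines():
        m = _ECHO_RE.match(line)
        if m:
            pkts.append((m["src"], m["dst"], m["kind"]))
    return pkts


def unanswered_requests(capture_text):
    """Requests (src, dst) that never got a reply (dst, src) in the capture.

    A request seen on the ASA's inside interface with no reply means the
    inside host (or something in front of it, such as a host firewall) is
    dropping it; a request that never appears here at all is being dropped
    before the ASA hands it to the inside network."""
    pending = Counter()
    for src, dst, kind in parse_echoes(capture_text):
        if kind == "request":
            pending[(src, dst)] += 1
        elif pending[(dst, src)] > 0:
            pending[(dst, src)] -= 1
    return sorted(flow for flow, n in pending.items() if n > 0)


if __name__ == "__main__":
    for flow in unanswered_requests(SAMPLE_CAPTURE):
        print("no reply seen for echo request %s -> %s" % flow)
```

In the constructed sample the request from 192.168.5.10 is answered but the one from 192.168.6.110 is not, which is the thread's symptom; the same pairing works on a capture taken on the outside interface to tell a tunnel problem from a host problem.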
03-28-2011 05:53 AM
Hi
I think the problem is in the interesting traffic access list on the router side.
Try this:
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip any any
ip nat inside source route-map TEST interface fastethernet 0 overload
!
route-map TEST permit 1
match ip address 100
Try this; I think it should work.
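The thread turns on two ACL questions: whether the interesting-traffic ACLs on the ASA and the router are exact mirrors of each other (the original poster's check 1), and whether the router's NAT route-map exempts tunnel traffic from translation (the post just above). The following is an added example, not code from this thread or from Cisco: a small simulator of Cisco ACL matching that answers both questions for constructed configurations. It assumes only the addressing given in the thread (192.168.5.0/24 behind the ASA, 192.168.6.0/24 behind the router, hosts 192.168.5.10 and 192.168.6.110 from the packet-tracer command); the ACL names and 203.0.113.5 are constructed.

```python
"""Added example (not from the thread): simulate Cisco ACL matching to check
(a) that crypto ACLs on two peers mirror each other and (b) what a NAT
route-map does with tunnel traffic.  All configurations are constructed."""
import ipaddress


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def _parse_addr(tok, style):
    """Consume one address spec ('any', 'host X', or 'X MASK') and return
    ((base, wildcard), remaining_tokens).  ASA ACLs take a subnet mask and
    IOS ACLs take a wildcard mask; mixing the two is a classic mirror-ACL bug."""
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    base, mask = tok[0], tok[1]
    if style == "asa":  # convert the subnet mask to a wildcard
        mask = str(ipaddress.IPv4Address(~_to_int(mask) & 0xFFFFFFFF))
    return (base, mask), tok[2:]


def parse_ace(line, style):
    """Parse an 'ip' ACE in IOS syntax ('access-list 100 permit ip S SW D DW')
    or ASA syntax ('access-list NAME extended permit ip S MASK D MASK')."""
    tok = line.split()
    i = tok.index("ip")
    action = tok[i - 1]
    src, rest = _parse_addr(tok[i + 1:], style)
    dst, _ = _parse_addr(rest, style)
    return action, src, dst


def acl_action(acl_lines, style, src, dst):
    """First matching entry wins; implicit deny at the end, as on the devices."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line, style)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def nat_translates(nat_acl, src, dst):
    """'ip nat inside source route-map TEST ...' with 'match ip address 100':
    a flow is translated only when ACL 100 permits it, so a deny entry for
    the VPN networks is what keeps tunnel traffic un-NATed."""
    return acl_action(nat_acl, "ios", src, dst) == "permit"


def crypto_acls_mirror(local_acl, local_style, remote_acl, remote_style, flows):
    """Return the flows on which the peers disagree: the local crypto ACL's
    verdict on (src, dst) must equal the remote ACL's verdict on (dst, src)."""
    return [
        (src, dst)
        for src, dst in flows
        if acl_action(local_acl, local_style, src, dst)
        != acl_action(remote_acl, remote_style, dst, src)
    ]


# Constructed configurations written for the thread's networks.
ASA_CRYPTO_ACL = [
    "access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0",
]
ROUTER_CRYPTO_ACL = [
    "access-list 110 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255",
]
# Same intent, but typed with a subnet mask where IOS expects a wildcard.
BAD_ROUTER_CRYPTO_ACL = [
    "access-list 110 permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0",
]
# The NAT exemption from the last post versus a router that NATs everything.
NAT_ACL_WITH_EXEMPTION = [
    "access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "access-list 100 permit ip any any",
]
NAT_ACL_NO_EXEMPTION = ["access-list 100 permit ip any any"]
FLOWS = [("192.168.5.10", "192.168.6.110")]

if __name__ == "__main__":
    print("mismatches, correct router ACL:", crypto_acls_mirror(ASA_CRYPTO_ACL, "asa", ROUTER_CRYPTO_ACL, "ios", FLOWS))
    print("mismatches, mask typed as wildcard:", crypto_acls_mirror(ASA_CRYPTO_ACL, "asa", BAD_ROUTER_CRYPTO_ACL, "ios", FLOWS))
    print("tunnel flow NATed with exemption:", nat_translates(NAT_ACL_WITH_EXEMPTION, "192.168.6.110", "192.168.5.10"))
    print("tunnel flow NATed without it:", nat_translates(NAT_ACL_NO_EXEMPTION, "192.168.6.110", "192.168.5.10"))
```

Without the deny entry the router translates the 192.168.6.110 to 192.168.5.10 flow to its outside address before crypto-map matching, so it never matches the interesting-traffic ACL and is sent in the clear instead of through the tunnel; the ASA side of the same check is the NAT exemption Anisha asked about.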