09-04-2011 12:20 AM
Hi dears
I have a problem with Cisco ASA.
I want to setup a site to site tunnel between ASA-1 and ASA-2 on the internet but the tunnel is not working and I have no ping from inside ASA-1 to inside ASA-2.
The solution is like this:
20.20.20.0/24 ------ (ASA-1) ------ X.X.X.100 ------- (internet) ------ Y.Y.Y.101 ------ (ASA-2) -----10.10.10.0/24
In ASA-1: I have ping to the outside and inside interfaces, but there is no ping to the inside interface of ASA-2.
In ASA-2: I have ping to the outside and inside interfaces, but there is no ping to the inside interface of ASA-1.
The devices on the inside interface of ASA-1 cannot ping the devices on the inside interface of ASA-2.
The ASA configuration is shown below:
hostname ASA-1
interface g0/0
nameif Outside
security-level 0
ip address X.X.X.100 255.255.255.224
NO SHUT
exit
interface g0/3
nameif Inside
security-level 100
ip address 20.20.20.1 255.255.255.0
NO SHUT
exit
access-list Inside_nat0_Outside extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 20.20.20.0 255.255.255.0
access-group 100 in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.99 1 ---------> to gateway
Same-security-traffic permit inter-interface
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer Y.Y.Y.101
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
tunnel-group Y.Y.Y.101 type ipsec-l2l
tunnel-group Y.Y.Y.101 ipsec-attributes
pre-shared-key 1234
-----------------------------------------------------------------------------------------------------
hostname ASA-2
interface g0/0
nameif Outside
security-level 0
ip address Y.Y.Y.101 255.255.255.224
NO SHUT
exit
interface g0/3
nameif Inside
security-level 100
ip address 10.10.10.1 255.255.255.0
NO SHUT
exit
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 10.10.10.0 255.255.255.0
access-group 100 in interface Outside
route Outside 0.0.0.0 0.0.0.0 Y.Y.Y.50 1 ---------> to gateway
Same-security-traffic permit inter-interface
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer X.X.X.100
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
tunnel-group X.X.X.100 type ipsec-l2l
tunnel-group X.X.X.100 ipsec-attributes
pre-shared-key 1234
Regards
09-04-2011 01:38 AM
Please add "management-access Inside" on both ASA and you should be able to ping the Inside interface of the ASA from either side.
09-04-2011 11:31 AM
Hi Saeed:
Jennifer's answer is correct. The ASA's behavior is to not respond to pings on behalf of other interfaces than the one it received the ICMP packet on. While that fixes your immediate issue, you still have overlooked a few things.
1. On both ASAs remove the following, as the former is just making the firewall vulnerable to all types of attacks and the latter is not required in this instance.
access-list 100 extended permit ip any any
and
Same-security-traffic permit inter-interface
2. On ASA-2, you need to fix this:
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
The destination IP should be 20.20.20.0 255.255.255.0; else the traffic initiated from ASA-2 will never qualify for encryption.
Good luck.
Brian
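The ACL mistake Brian points out (ASA-2's crypto ACL with 10.10.10.0 as both source and destination) is the kind of thing a small config check can catch before debugging the tunnel. The script below is an added example, not part of the thread; it parses constructed excerpts of the two posted configs and reports crypto ACL entries that are not mirrored on the peer, plus nat0 exemptions that do not cover the same flows as the local crypto ACL.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpts of the two configs posted in the thread; X.X.X.100 and
# Y.Y.Y.101 are the placeholders the poster used, kept as-is.
ASA1 = """
access-list Inside_nat0_Outside extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_Outside
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer Y.Y.Y.101
"""
ASA2 = """
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_Outside
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer X.X.X.100
"""

ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
CRYPTO_ACL = r"^crypto map \S+ \d+ match address (\S+)$"
NAT0_ACL = r"^nat \(\S+\) 0 access-list (\S+)$"

def acl_pairs(cfg, name):
    """(src, dst) network pairs of the named extended ACL, as IPv4Network objects."""
    return {(IPv4Network(f"{m[2]}/{m[3]}"), IPv4Network(f"{m[4]}/{m[5]}"))
            for m in ACE.finditer(cfg) if m[1] == name}

def acl_named_by(cfg, pattern):
    """ACL name captured by the first config line matching pattern, or None."""
    m = re.search(pattern, cfg, re.M)
    return m[1] if m else None

def check_tunnel_acls(cfg_a, cfg_b):
    """Findings: local crypto ACL entries with no mirrored (dst, src) entry on the
    peer, and a nat0 ACL that does not exempt exactly the flows the crypto ACL selects."""
    findings = []
    for local, remote, tag in ((cfg_a, cfg_b, "A"), (cfg_b, cfg_a, "B")):
        crypto = acl_named_by(local, CRYPTO_ACL)
        nat0 = acl_named_by(local, NAT0_ACL)
        mine = acl_pairs(local, crypto)
        mirrored = {(d, s) for s, d in acl_pairs(remote, acl_named_by(remote, CRYPTO_ACL))}
        for src, dst in sorted(mine - mirrored):
            findings.append(f"{tag}: {crypto} {src} -> {dst} has no mirror entry on the peer")
        if nat0 and acl_pairs(local, nat0) != mine:
            findings.append(f"{tag}: {nat0} does not match {crypto}; tunnel traffic could be NATed")
    return findings

if __name__ == "__main__":
    for line in check_tunnel_acls(ASA1, ASA2):
        print(line)
```

Run against the posted configs it flags ASA-2's crypto ACL twice (no mirror on ASA-1, and it no longer matches ASA-2's nat0 ACL) and ASA-1's entry once, since the peer has nothing mirroring it; with the destination corrected to 20.20.20.0/24 it reports nothing.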
09-04-2011 10:35 PM
Hello Jennifer
Hello Brian
Thank you for your help. I did the things you said, but nothing changed; I have no ping and no active tunnel.
access-list 100 extended permit ip any any
and
Same-security-traffic permit inter-interface
on both ASAs
access-list Outside_1_Cryptomap
on ASA-2
management-access inside
on both ASAs
Regards
09-04-2011 10:39 PM
Please kindly try to ping again, and advise us on which IP Address you are trying to ping to and from?
If you are trying to ping from the ASA itself, you would need to issue the following command:
ping Inside 10.10.10.1
or ping Inside 20.20.20.1
Please kindly share the output of the following if ping still doesn't work:
sh cry isa sa
sh cry ipsec sa
09-04-2011 11:10 PM
Hello Jennifer
I have one server with IP 20.20.20.20 on ASA-1 and one PC with IP 10.10.10.10 on ASA-2.
There is no ping from inside ASA-1 to inside ASA-2, but outside ASA-1 can ping outside ASA-2, and
ASA-1 can ping 20.20.20.1-20 and ASA-2 can ping 10.10.10.1-10.
I think the problem is my tunnel.
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
IPsec Global Statistics
Active tunnels: 0
Previous tunnels: 0
show crypto ipsec sa
There are no ipsec sas
show crypto isakmp sa
There are no isakmp sas
Regards
09-04-2011 11:28 PM
Doesn't look like it's triggering the VPN tunnel at all.
Can you please share the complete config from both ASA as well as run the following debug:
debug cry isa
debug cry ipsec
09-04-2011 11:51 PM
Hi Jennifer
debug crypto isakmp
debug crypto ipsec
I tried these commands on both ASA and there was no report or output, nothing happened.
09-05-2011 12:09 AM
Once you turn on the debug, you would need to test ping between the 2 sites to try to bring the VPN tunnel up, and you would also need to enable logging on the ASA.
How are you accessing the ASA? telnet or console or ssh?
Pls share the ASA config from both end.
09-05-2011 12:26 AM
I have console access to both ASAs.
hostname ASA-1
interface g0/0
nameif Outside
security-level 0
ip address X.X.X.100 255.255.255.224
NO SHUT
exit
interface g0/3
nameif Inside
security-level 100
ip address 20.20.20.1 255.255.255.0
NO SHUT
exit
access-list Inside_nat0_Outside extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 20.20.20.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 X.X.X.99 1 ---------> to gateway
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer Y.Y.Y.101
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
tunnel-group Y.Y.Y.101 type ipsec-l2l
tunnel-group Y.Y.Y.101 ipsec-attributes
pre-shared-key 1234
management-access inside
-----------------------------------------------------------------------------------------------------
hostname ASA-2
interface g0/0
nameif Outside
security-level 0
ip address Y.Y.Y.101 255.255.255.224
NO SHUT
exit
interface g0/3
nameif Inside
security-level 100
ip address 10.10.10.1 255.255.255.0
NO SHUT
exit
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 10.10.10.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 Y.Y.Y.50 1 ---------> to gateway
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer X.X.X.100
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
tunnel-group X.X.X.100 type ipsec-l2l
tunnel-group X.X.X.100 ipsec-attributes
pre-shared-key 1234
management-access inside
09-05-2011 12:42 AM
config looks ok.
Please enable logging:
logging on
logging console debug
And try to ping across the tunnel again and collect the debug output.
09-05-2011 01:16 AM
I set the commands logging enable & logging console debug
and got this log,
but the tunnel is still inactive.
log:
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.0.16.19/5678 to Outside:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.0.10.156/5678 to Outside:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.0.16.155/5678 to Outside:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
09-05-2011 01:19 AM
Hmm, none of the logs are actually from either 10.10.10.x or 20.20.20.x subnet.
Can you please try to ping from a host behind the ASA to another host behind the other ASA?
You might want to run packet capture on the ASA to see where the traffic is failing.
09-05-2011 01:44 AM
Dear Jennifer
When the tunnel between the ASAs is not up you cannot ping from ASA-1 inside to ASA-2 inside.
I think we first need a command to activate the tunnel, or to debug the tunnel until it is active, and then check the inside ping state.
09-05-2011 05:10 AM
Hi Saeed:
Remove the crypto map on both ends and see if you can ping the host on the 20 network from the 10 network and vice versa. If it does, then on both ends add the following command:
crypto map Outside_map 1 set reverse-route
Most likely you have a routing issue. Also, verify the default gateway on the host end and confirm their reachability to the default gateway (via ping).