3394 Views, 0 Helpful, 14 Replies

Site to Site Tunnel Ping problem

saeedaraghi
Level 1

Hi dears

I have a problem with Cisco ASA.

I want to set up a site-to-site tunnel between ASA-1 and ASA-2 over the internet, but the tunnel is not working and I have no ping from inside ASA-1 to inside ASA-2.

The solution is like this:

20.20.20.0/24 ------ (ASA-1) ------ X.X.X.100 ------- (internet) ------ Y.Y.Y.101 ------ (ASA-2) -----10.10.10.0/24

In ASA-1: I have ping to the outside and inside interfaces, but there is no ping to the inside interface of ASA-2.

In ASA-2: I have ping to the outside and inside interfaces, but there is no ping to the inside interface of ASA-1.

The devices on the inside interface of ASA-1 cannot ping the devices on the inside interface of ASA-2.

The ASA configuration is shown below:

hostname ASA-1
interface g0/0
 nameif Outside
 security-level 0
 ip address X.X.X.100 255.255.255.224
 no shutdown
exit
interface g0/3
 nameif Inside
 security-level 100
 ip address 20.20.20.1 255.255.255.0
 no shutdown
exit
access-list Inside_nat0_Outside extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 20.20.20.0 255.255.255.0
access-group 100 in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.99 1             ---------> to gateway
same-security-traffic permit inter-interface
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer Y.Y.Y.101
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
tunnel-group Y.Y.Y.101 type ipsec-l2l
tunnel-group Y.Y.Y.101 ipsec-attributes
 pre-shared-key 1234

-----------------------------------------------------------------------------------------------------

hostname ASA-2
interface g0/0
 nameif Outside
 security-level 0
 ip address Y.Y.Y.101 255.255.255.224
 no shutdown
exit
interface g0/3
 nameif Inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
exit
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 10.10.10.0 255.255.255.0
access-group 100 in interface Outside
route Outside 0.0.0.0 0.0.0.0 Y.Y.Y.50 1             ---------> to gateway
same-security-traffic permit inter-interface
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer X.X.X.100
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
tunnel-group X.X.X.100 type ipsec-l2l
tunnel-group X.X.X.100 ipsec-attributes
 pre-shared-key 1234

Regards

14 Replies

Jennifer Halim
Cisco Employee

Please add "management-access Inside" on both ASA and you should be able to ping the Inside interface of the ASA from either side.

ugot2nome
Level 1

Hi Saeed:

Jennifer's answer is correct. The ASA's behavior is to not respond to pings on behalf of interfaces other than the one it received the ICMP packet on. While that fixes your immediate issue, you still have overlooked a few things.

1. On both ASAs remove the following, as the former is just making the firewall vulnerable to all types of attacks and the latter is not required in this instance.

access-list 100 extended permit ip any any

and

Same-security-traffic permit inter-interface

2. On ASA-2, you need to fix this:

access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0

The destination IP should be 20.20.20.0 255.255.255.0; else the traffic initiated from ASA-2 will never qualify for encryption.

Good luck.

Brian
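Brian's second point, that the crypto ACL on one ASA must be the mirror image of the crypto ACL on the peer, is easy to check mechanically before a tunnel is ever brought up. The Python script below is an added example, not part of this thread or of any Cisco tool: it parses the relevant lines of the two configs posted above (constructed excerpts embedded inline, with the ASA-2 mistake left in) and reports crypto ACEs that the peer does not mirror, ACEs whose source and destination are the same subnet, and crypto ACEs that the NAT-0 exemption ACL does not also cover. The ACL-name matching on `crypto map ... match address` and `nat (...) 0 access-list` lines is an assumption about the old-style ASA syntax shown in this thread.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpts of the two configs posted in the thread. ASA-2 still has
# the crypto ACL whose destination is its own subnet (the mistake Brian points out).
ASA1_CONFIG = """
access-list Inside_nat0_Outside extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_Outside
crypto map Outside_map 1 match address Outside_1_Cryptomap
"""
ASA2_CONFIG = """
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_Outside
crypto map Outside_map 1 match address Outside_1_Cryptomap
"""
# The same ASA-2 excerpt with the crypto ACL destination corrected to 20.20.20.0/24.
ASA2_FIXED_CONFIG = ASA2_CONFIG.replace(
    "10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0",
    "10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0")

# Assumed syntax: old-style (pre-8.3) ASA access-list / nat / crypto map lines.
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CRYPTO_MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def parse_aces(config):
    """Map ACL name -> list of (src_net, dst_net) for every 'permit ip' ACE."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
    return acls


def referenced_aces(config, pattern):
    """All (src, dst) pairs of the ACLs named on lines that match `pattern`."""
    acls = parse_aces(config)
    pairs = []
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if m:
            pairs.extend(acls.get(m.group(1), []))
    return pairs


def mirror_problems(local_cfg, remote_cfg):
    """Crypto ACEs on the local side that the peer does not mirror (src and dst swapped)."""
    remote = referenced_aces(remote_cfg, CRYPTO_MATCH_RE)
    problems = []
    for src, dst in referenced_aces(local_cfg, CRYPTO_MATCH_RE):
        if src == dst:
            problems.append(f"crypto ACE {src} -> {dst}: source and destination are the same subnet")
        if (dst, src) not in remote:
            problems.append(f"crypto ACE {src} -> {dst}: peer has no mirror ACE {dst} -> {src}")
    return problems


def nat_exempt_gaps(config):
    """Crypto ACEs that the NAT-0 (exemption) ACL does not also list; such traffic would be NATed."""
    exempt = referenced_aces(config, NAT0_RE)
    return [f"{src} -> {dst}" for src, dst in referenced_aces(config, CRYPTO_MATCH_RE)
            if (src, dst) not in exempt]


if __name__ == "__main__":
    for label, local, remote in (("ASA-1 vs ASA-2", ASA1_CONFIG, ASA2_CONFIG),
                                 ("ASA-2 vs ASA-1", ASA2_CONFIG, ASA1_CONFIG),
                                 ("ASA-2 (fixed) vs ASA-1", ASA2_FIXED_CONFIG, ASA1_CONFIG)):
        print(label)
        print("  mirror:", mirror_problems(local, remote) or "OK")
        print("  nat-0: ", nat_exempt_gaps(local) or "OK")
```

Run as-is it flags the posted ASA-2 config twice (same-subnet ACE, and no mirror on ASA-1) plus a NAT-0 gap, and reports nothing once the destination is corrected. The check is deliberately exact-match rather than subnet-containment, which is what an ASA peer expects from a mirrored crypto ACL.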

Hello Jennifer

Hello Brian

Thank you for your help. I did the things that you said, but nothing changed: I have no ping and no active tunnel.

1. I removed:

access-list 100 extended permit ip any any

and

same-security-traffic permit inter-interface

on both ASAs.

2. I fixed this:

access-list Outside_1_Cryptomap

on ASA-2.

3. And I added this command:

management-access inside

on both ASAs.

Regards

Please kindly try to ping again, and advise us which IP address you are trying to ping to and from.

If you are trying to ping from the ASA itself, you would need to issue the following command:

ping Inside 10.10.10.1

or ping Inside 20.20.20.1

Please kindly share the output of the following if ping still doesn't work:

sh cry isa sa

sh cry ipsec sa

Hello Jennifer

I have one server with IP 20.20.20.20 on ASA-1 and one PC with IP 10.10.10.10 on ASA-2.

There is no ping from inside ASA-1 to inside ASA-2, but the outside of ASA-1 can ping the outside of ASA-2, and

ASA-1 can ping 20.20.20.1-20 and ASA-2 can ping 10.10.10.1-10.

I think the problem is with my tunnel.

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0

IPsec Global Statistics
Active tunnels: 0
Previous tunnels: 0

show crypto ipsec sa
There are no ipsec sas

show crypto isakmp sa
There are no isakmp sas

Regards

Doesn't look like it's triggering the VPN tunnel at all.

Can you please share the complete config from both ASA as well as run the following debug:

debug cry isa

debug cry ipsec

Hi Jennifer

debug crypto isakmp

debug crypto ipsec

I tried these commands on both ASAs, and there was no report or output; nothing happened.

Once you turn on the debug, you would need to test ping between the 2 sites to try to bring the VPN tunnel up, and you would also need to enable logging on the ASA.

How are you accessing the ASA? telnet or console or ssh?

Please share the ASA config from both ends.

I have access to both ASAs via console.

hostname ASA-1
interface g0/0
 nameif Outside
 security-level 0
 ip address X.X.X.100 255.255.255.224
 no shutdown
exit
interface g0/3
 nameif Inside
 security-level 100
 ip address 20.20.20.1 255.255.255.0
 no shutdown
exit
access-list Inside_nat0_Outside extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 20.20.20.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 X.X.X.99 1             ---------> to gateway
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer Y.Y.Y.101
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
tunnel-group Y.Y.Y.101 type ipsec-l2l
tunnel-group Y.Y.Y.101 ipsec-attributes
 pre-shared-key 1234
management-access inside

-----------------------------------------------------------------------------------------------------

hostname ASA-2
interface g0/0
 nameif Outside
 security-level 0
 ip address Y.Y.Y.101 255.255.255.224
 no shutdown
exit
interface g0/3
 nameif Inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
exit
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 10.10.10.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 Y.Y.Y.50 1             ---------> to gateway
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer X.X.X.100
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
tunnel-group X.X.X.100 type ipsec-l2l
tunnel-group X.X.X.100 ipsec-attributes
 pre-shared-key 1234
management-access inside

Config looks OK.

Please enable logging:

logging on

logging console debug

And try to ping across the tunnel again and collect the debug output.

I set the commands logging enable and logging console debug and got this log, but the tunnel is still inactive.

log:

%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.0.16.19/5678 to Outside:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.0.10.156/5678 to Outside:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.0.16.155/5678 to Outside:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67

Hmm, none of the logs are actually from either 10.10.10.x or 20.20.20.x subnet.

Can you please try to ping from a host behind the ASA to another host behind the other ASA?

You might want to run packet capture on the ASA to see where the traffic is failing.
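Jennifer's observation, that none of the quoted lines involve 10.10.10.x or 20.20.20.x, is the kind of triage that is worth scripting when the console log is long. The Python below is an added example, not from this thread or from Cisco: it parses the `%ASA-severity-id:` prefix, pulls every IPv4 address out of the message body, keeps only the lines that touch the two protected subnets, counts lines per message id, and flags the `0.0.0.0/68 -> 255.255.255.255/67` lines as DHCP client broadcasts rather than VPN traffic. The sample log is constructed from three of the lines above plus one made-up line with a 20.20.20.20 source so the filter has something to return.

```python
import re
from collections import Counter
from ipaddress import IPv4Network, ip_address

# Constructed sample: three %ASA-7-710005 lines quoted in the thread, plus one
# made-up line (20.20.20.20 source) that is NOT from the thread.
SAMPLE_LOG = """\
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 10.0.16.19/5678 to Outside:255.255.255.255/5678
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Inside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 20.20.20.20/5678 to Inside:255.255.255.255/5678
"""

# The two subnets the crypto ACLs in the thread protect.
PROTECTED = [IPv4Network("20.20.20.0/24"), IPv4Network("10.10.10.0/24")]

HEADER_RE = re.compile(r"^%ASA-(\d)-(\d+): (.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line):
    """Split one ASA syslog line into severity, message id and the IPv4 addresses it mentions."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    severity, msg_id, body = m.groups()
    addrs = []
    for candidate in IPV4_RE.findall(body):
        try:
            addrs.append(ip_address(candidate))
        except ValueError:  # loose regex can match e.g. 999.1.1.1; skip it
            pass
    return {"severity": int(severity), "id": msg_id, "addrs": addrs}


def lines_touching(log, subnets):
    """Return only the log lines that mention an address inside one of `subnets`."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and any(addr in net for addr in rec["addrs"] for net in subnets):
            hits.append(line)
    return hits


def count_by_id(log):
    """Lines per message id, to see what the log is dominated by."""
    return Counter(rec["id"] for rec in map(parse_line, log.splitlines()) if rec)


def is_dhcp_broadcast(line):
    """True for 0.0.0.0/68 -> 255.255.255.255/67: a DHCP client DISCOVER/REQUEST, not VPN traffic."""
    return "from 0.0.0.0/68 to" in line and line.rstrip().endswith("255.255.255.255/67")


if __name__ == "__main__":
    print("message ids:", dict(count_by_id(SAMPLE_LOG)))
    print("DHCP noise lines:", sum(is_dhcp_broadcast(l) for l in SAMPLE_LOG.splitlines()))
    for hit in lines_touching(SAMPLE_LOG, PROTECTED):
        print("protected-subnet line:", hit)
```

On the thread's own lines the `lines_touching` filter returns nothing, which is exactly the point Jennifer makes: the ping traffic never reaches the ASA's logging, so the next place to look is a packet capture on the Inside interface and the hosts' default gateways.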

Dear Jennifer

When the tunnel between the ASAs is not up, you cannot ping from ASA-1 inside to ASA-2 inside.

I think we first need a command to activate the tunnel, or to debug the tunnel until it is active, and then check the ping state of the inside networks.

Hi Saeed:

Remove the crypto map on both ends and see if you can ping the host on the 20 network from the 10 network and vice versa. If it does, then on both ends add the following command:

crypto map Outside_map 1 set reverse-route

Most likely you have a routing issue. Also, verify the default gateway on the host end and confirm their reachability to the default gateway (via ping).