
Site to Site VPN connected but cannot ping remote site.

Hi All,

I am fairly new to Cisco products and am struggling to get a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizard on both) and it shows the VPN is up, but I can't ping the remote site (from either side).

Any help would be great.

Thanks

11 Replies

Richard Burts
Hall of Fame

Ashley

You have not given us much to work with. Perhaps you could post the relevant parts of the config? Then perhaps we might find some problem.

HTH

Rick

Thanks for the reply Richard...

Here is my running config...

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname FW-SAS
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.22.5.0 DrydenFirefly
!
interface Vlan1
nameif client
security-level 100
ip address 10.23.5.1 255.255.255.0
!
interface Vlan2
nameif DMTS
security-level 0
ip address 67.226.238.43 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list client_nat0_outbound extended permit ip 10.23.5.0 255.255.255.0 DrydenFirefly 255.255.255.0
access-list DMTS_1_cryptomap extended permit ip 10.23.5.0 255.255.255.0 DrydenFirefly 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu client 1500
mtu DMTS 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any client
no asdm history enable
arp timeout 14400
global (DMTS) 1 interface
nat (client) 0 access-list client_nat0_outbound
nat (client) 1 0.0.0.0 0.0.0.0
route DMTS 0.0.0.0 0.0.0.0 67.226.238.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.23.5.0 255.255.255.0 client
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map DMTS_map 1 match address DMTS_1_cryptomap
crypto map DMTS_map 1 set pfs group1
crypto map DMTS_map 1 set peer 67.226.238.31
crypto map DMTS_map 1 set transform-set myset
crypto map DMTS_map interface DMTS
crypto isakmp enable DMTS
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config DMTS
!
dhcpd address 10.23.5.50-10.23.5.60 client
dhcpd dns 64.202.144.72 64.202.144.73 interface client
dhcpd enable client
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 67.226.238.31 type ipsec-l2l
tunnel-group 67.226.238.31 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:4ff7b67ae0c6821748568c695a639403
: end

Hello,

Configuration looks fine. Have you checked the config on the other end? Try enabling 'debug icmp trace' on both ends and check where the packet loss is. This may be a simple ACL issue.

Thx

MS

Here is the other side's config... I didn't set up this one; it was someone who was here before me. There is one running VPN on this FW that works, and the one I created, which doesn't.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname FW-DRY
enable password CzyC4ZBlkF2D.I07 encrypted
passwd r8ZNG/r5UscXoAyk encrypted
names
name 10.23.5.0 SAShouse
!
interface Ethernet0/0
description CLIENT VLAN
nameif CLIENT
security-level 50
ip address 10.22.5.1 255.255.255.0 standby 10.22.5.2
!
interface Ethernet0/1
description SERVER VLAN
nameif SERVER
security-level 50
ip address 10.22.10.1 255.255.255.0 standby 10.22.10.2
!
interface Ethernet0/1.100
description MANAGEMENT VLAN
vlan 100
nameif MANAGEMENT
security-level 100
ip address 10.22.100.1 255.255.255.0 standby 10.22.100.2
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description DMTS INTERNET
nameif DMTS
security-level 0
ip address 67.226.238.31 255.255.255.128 standby 67.226.238.32
!
interface Management0/0
description LAN/STATE Failover Interface
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list DMTS_ACCESS_IN extended permit tcp any interface DMTS eq https
access-list DMTS_ACCESS_IN extended permit tcp any interface DMTS eq smtp
access-list KENORA extended permit ip 10.22.5.0 255.255.255.0 10.21.5.0 255.255.255.0
access-list KENORA extended permit ip 10.22.5.0 255.255.255.0 10.21.10.0 255.255.255.0
access-list KENORA extended permit ip 10.22.10.0 255.255.255.0 10.21.5.0 255.255.255.0
access-list KENORA extended permit ip 10.22.10.0 255.255.255.0 10.21.10.0 255.255.255.0
access-list KENORA extended permit ip 10.22.100.0 255.255.255.0 10.21.5.0 255.255.255.0
access-list KENORA extended permit ip 10.22.100.0 255.255.255.0 10.21.10.0 255.255.255.0
access-list KENORA extended permit ip 10.22.100.0 255.255.255.0 10.21.100.0 255.255.255.0
access-list NONAT extended permit ip 10.22.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list NONAT extended permit ip 10.22.5.0 255.255.255.0 SAShouse 255.255.255.0
access-list DMTS_1_cryptomap extended permit ip 10.22.5.0 255.255.255.0 SAShouse 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu CLIENT 1500
mtu SERVER 1500
mtu MANAGEMENT 1500
mtu DMTS 1500
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover link FAILOVER Management0/0
failover interface ip FAILOVER 10.22.1.1 255.255.255.0 standby 10.22.1.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any CLIENT
icmp permit any SERVER
icmp permit any MANAGEMENT
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (DMTS) 1 interface
nat (CLIENT) 0 access-list NONAT
nat (CLIENT) 1 0.0.0.0 0.0.0.0
nat (SERVER) 0 access-list NONAT
nat (SERVER) 1 0.0.0.0 0.0.0.0
nat (MANAGEMENT) 0 access-list NONAT
nat (MANAGEMENT) 1 0.0.0.0 0.0.0.0
static (SERVER,DMTS) tcp interface https 10.22.10.14 https netmask 255.255.255.255
static (SERVER,DMTS) tcp interface smtp 10.22.10.14 smtp netmask 255.255.255.255
static (CLIENT,SERVER) 10.22.5.0 10.22.5.0 netmask 255.255.255.0
static (SERVER,CLIENT) 10.22.10.0 10.22.10.0 netmask 255.255.255.0
static (CLIENT,MANAGEMENT) 10.22.5.0 10.22.5.0 netmask 255.255.255.0
static (MANAGEMENT,CLIENT) 10.22.100.0 10.22.100.0 netmask 255.255.255.0
static (SERVER,MANAGEMENT) 10.22.10.0 10.22.10.0 netmask 255.255.255.0
static (MANAGEMENT,SERVER) 10.22.100.0 10.22.100.0 netmask 255.255.255.0
access-group DMTS_ACCESS_IN in interface DMTS
route DMTS 0.0.0.0 0.0.0.0 67.226.238.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.22.100.0 255.255.255.0 MANAGEMENT
http 10.22.10.0 255.255.255.0 SERVER
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map KENORA 1 match address DMTS_1_cryptomap
crypto map KENORA 1 set pfs group1
crypto map KENORA 1 set peer 67.226.238.43
crypto map KENORA 1 set transform-set myset
crypto map KENORA 20 match address KENORA
crypto map KENORA 20 set peer 69.26.70.13
crypto map KENORA 20 set transform-set myset
crypto map KENORA interface DMTS
crypto isakmp enable DMTS
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.22.5.0 255.255.255.0 CLIENT
telnet 10.22.10.0 255.255.255.0 SERVER
telnet 10.22.100.0 255.255.255.0 MANAGEMENT
telnet timeout 5
ssh timeout 5
console timeout 0
dhcprelay server 10.22.10.11 SERVER
dhcprelay server 10.22.10.12 SERVER
dhcprelay enable CLIENT
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ciscoasa password ccRUt7PLwPeHKLnY encrypted
tunnel-group 69.26.70.13 type ipsec-l2l
tunnel-group 69.26.70.13 ipsec-attributes
pre-shared-key *
tunnel-group 67.226.238.43 type ipsec-l2l
tunnel-group 67.226.238.43 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:61be0b54fd218b455e0815fb2a3d5d9c
: end
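The fields that have to mirror between the two ends of an ASA 8.2 LAN-to-LAN tunnel can be checked mechanically instead of by eye. The script below is an added example, not code from the thread or from any Cisco tool. It parses the VPN-relevant lines of the two configs posted above (excerpted inline, with the `name` aliases resolved) and reports crypto ACLs that are not exact mirrors, crypto ACL traffic that is not covered by a `nat 0` exemption, and transform-set or PFS mismatches. The function names, the choice of excerpt lines and the assumption that each side's `set peer` address appears as an `ip address` line on the other side are mine.

```python
"""Mirror check for an ASA 8.2 IPsec LAN-to-LAN pair (added example, not from the thread).
Parses the VPN-relevant lines of two running-configs and reports anything that does not
mirror. The excerpts below are copied from the FW-SAS and FW-DRY configs posted above."""
import re
from ipaddress import ip_network

FW_SAS = """
name 10.22.5.0 DrydenFirefly
ip address 67.226.238.43 255.255.255.128
access-list client_nat0_outbound extended permit ip 10.23.5.0 255.255.255.0 DrydenFirefly 255.255.255.0
access-list DMTS_1_cryptomap extended permit ip 10.23.5.0 255.255.255.0 DrydenFirefly 255.255.255.0
nat (client) 0 access-list client_nat0_outbound
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map DMTS_map 1 match address DMTS_1_cryptomap
crypto map DMTS_map 1 set pfs group1
crypto map DMTS_map 1 set peer 67.226.238.31
crypto map DMTS_map 1 set transform-set myset
"""
FW_DRY = """
name 10.23.5.0 SAShouse
ip address 67.226.238.31 255.255.255.128 standby 67.226.238.32
access-list NONAT extended permit ip 10.22.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list NONAT extended permit ip 10.22.5.0 255.255.255.0 SAShouse 255.255.255.0
access-list DMTS_1_cryptomap extended permit ip 10.22.5.0 255.255.255.0 SAShouse 255.255.255.0
nat (CLIENT) 0 access-list NONAT
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map KENORA 1 match address DMTS_1_cryptomap
crypto map KENORA 1 set pfs group1
crypto map KENORA 1 set peer 67.226.238.43
crypto map KENORA 1 set transform-set myset
"""

def _net(addr, mask, names):  # resolve an ASA "name" alias, then addr + dotted mask -> network
    return ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

def parse_asa(cfg):
    """Extract the objects that matter for an L2L tunnel from one running-config."""
    s = dict(names={}, acls={}, nat0={}, xforms={}, cmaps={}, ips=set())
    for line in (raw.strip() for raw in cfg.splitlines()):
        if (m := re.fullmatch(r"name (\S+) (\S+)", line)):
            s["names"][m[2]] = m[1]
        elif (m := re.match(r"ip address (\S+) ", line)):
            s["ips"].add(m[1])  # every interface address; the peer must be one of them
        elif (m := re.fullmatch(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line)):
            s["acls"].setdefault(m[1], []).append((_net(m[2], m[3], s["names"]), _net(m[4], m[5], s["names"])))
        elif (m := re.fullmatch(r"nat \((\S+)\) 0 access-list (\S+)", line)):
            s["nat0"][m[1]] = m[2]
        elif (m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line)):
            s["xforms"][m[1]] = tuple(m[2].split())
        elif (m := re.fullmatch(r"crypto map (\S+) (\d+) (match address|set pfs|set peer|set transform-set)(?: (.+))?", line)):
            s["cmaps"].setdefault((m[1], int(m[2])), {})[m[3]] = m[4] or ""
    return s

def _pfs(entry):  # "set pfs" without a group means the ASA default, group2
    return (entry["set pfs"] or "group2") if "set pfs" in entry else None

def _nat_exempt_covers(side, pairs):
    exempt = [p for acl in side["nat0"].values() for p in side["acls"].get(acl, [])]
    return all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt) for s, d in pairs)

def check_pair(a, b, name_a="A", name_b="B"):
    """Return human-readable mismatches between two parsed configs; [] means they mirror."""
    ea = next((e for e in a["cmaps"].values() if e.get("set peer") in b["ips"]), None)
    eb = next((e for e in b["cmaps"].values() if e.get("set peer") in a["ips"]), None)
    if ea is None or eb is None:
        return ["no crypto map entry points at the other firewall's interface address"]
    findings = []
    pairs_a = set(a["acls"].get(ea.get("match address"), []))
    pairs_b = set(b["acls"].get(eb.get("match address"), []))
    if pairs_a != {(d, s) for s, d in pairs_b}:  # crypto ACLs must be exact mirrors
        findings.append("crypto ACLs are not exact mirrors of each other")
    for name, side, pairs in ((name_a, a, pairs_a), (name_b, b, pairs_b)):
        if not _nat_exempt_covers(side, pairs):  # otherwise the traffic is PATed before encryption
            findings.append(f"{name}: crypto ACL traffic is not covered by a nat 0 (NAT exempt) ACL")
    xa = {a["xforms"].get(n) for n in ea.get("set transform-set", "").split()} - {None}
    xb = {b["xforms"].get(n) for n in eb.get("set transform-set", "").split()} - {None}
    if not xa & xb:
        findings.append("no common IPsec transform set")
    if _pfs(ea) != _pfs(eb):
        findings.append(f"PFS mismatch: {_pfs(ea)} vs {_pfs(eb)}")
    return findings

if __name__ == "__main__":
    print(check_pair(parse_asa(FW_SAS), parse_asa(FW_DRY), "FW-SAS", "FW-DRY") or "configs mirror")
```

A clean run on the posted pair means the tunnel definition itself is consistent on both ends, which points away from the crypto configuration and toward the forwarding path on either side.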

Hi,

Both ASAs are at the same location sharing the same internet /public IP subnet?

5505:

ip address 67.226.238.43 255.255.255.128

!

other end:

ip address 67.226.238.31 255.255.255.128 standby 67.226.238.32

Thx

MS

That is correct.

The situation is that one office is across town from the other; both use the same ISP.

Those were the statics given to us.

Can you enable 'debug icmp trace' on both end ASAs and try to ping the private IP? See if you notice anything in the console logs.

Thx

MS

Here is what was on the log....

6|Oct 14 2011|10:35:34|302021|10.22.5.33|0|10.23.5.52|1|Teardown ICMP connection for faddr 10.22.5.33/0 gaddr 10.23.5.52/1 laddr 10.23.5.52/1
6|Oct 14 2011|10:35:33|305012|10.23.5.6|65098|67.226.238.43|42440|Teardown dynamic UDP translation from client:10.23.5.6/65098 to DMTS:67.226.238.43/42440 duration 0:02:30
6|Oct 14 2011|10:35:33|305012|10.23.5.6|52608|67.226.238.43|65321|Teardown dynamic UDP translation from client:10.23.5.6/52608 to DMTS:67.226.238.43/65321 duration 0:02:30
6|Oct 14 2011|10:35:33|305012|10.23.5.6|54201|67.226.238.43|53238|Teardown dynamic UDP translation from client:10.23.5.6/54201 to DMTS:67.226.238.43/53238 duration 0:02:30
6|Oct 14 2011|10:35:33|305012|10.23.5.6|55418|67.226.238.43|47653|Teardown dynamic UDP translation from client:10.23.5.6/55418 to DMTS:67.226.238.43/47653 duration 0:02:30
6|Oct 14 2011|10:35:32|302020|10.23.5.52|1|10.22.5.33|0|Built outbound ICMP connection for faddr 10.22.5.33/0 gaddr 10.23.5.52/1 laddr 10.23.5.52/1
6|Oct 14 2011|10:35:30|305012|10.23.5.6|52117|67.226.238.43|18894|Teardown dynamic UDP translation from client:10.23.5.6/52117 to DMTS:67.226.238.43/18894 duration 0:02:30
6|Oct 14 2011|10:35:29|302021|10.22.5.33|0|10.23.5.52|0|Teardown ICMP connection for faddr 10.22.5.33/0 gaddr 10.23.5.52/0 laddr 10.23.5.52/0
6|Oct 14 2011|10:35:27|302020|10.23.5.52|0|10.22.5.33|0|Built outbound ICMP connection for faddr 10.22.5.33/0 gaddr 10.23.5.52/0 laddr 10.23.5.52/0
6|Oct 14 2011|10:35:25|305012|10.23.5.6|55846|67.226.238.43|1066|Teardown dynamic TCP translation from client:10.23.5.6/55846 to DMTS:67.226.238.43/1066 duration 0:02:30
6|Oct 14 2011|10:35:24|305012|10.23.5.6|54116|67.226.238.43|39533|Teardown dynamic UDP translation from client:10.23.5.6/54116 to DMTS:67.226.238.43/39533 duration 0:02:30
6|Oct 14 2011|10:35:24|302016|64.202.144.72|53|10.23.5.6|52225|Teardown UDP connection 25247 for DMTS:64.202.144.72/53 to client:10.23.5.6/52225 duration 0:02:01 bytes 107
6|Oct 14 2011|10:35:24|305012|10.23.5.6|55805|67.226.238.43|29770|Teardown dynamic UDP translation from client:10.23.5.6/55805 to DMTS:67.226.238.43/29770 duration 0:02:30
6|Oct 14 2011|10:35:22|302014|69.26.70.13|443|10.23.5.6|55907|Teardown TCP connection 25303 for DMTS:69.26.70.13/443 to client:10.23.5.6/55907 duration 0:00:01 bytes 7957 TCP FINs
6|Oct 14 2011|10:35:21|305012|10.23.5.6|65052|67.226.238.43|7771|Teardown dynamic UDP translation from client:10.23.5.6/65052 to DMTS:67.226.238.43/7771 duration 0:02:30
6|Oct 14 2011|10:35:21|305012|10.23.5.6|58874|67.226.238.43|55610|Teardown dynamic UDP translation from client:10.23.5.6/58874 to DMTS:67.226.238.43/55610 duration 0:02:30
6|Oct 14 2011|10:35:21|305012|10.23.5.6|52461|67.226.238.43|44975|Teardown dynamic UDP translation from client:10.23.5.6/52461 to DMTS:67.226.238.43/44975 duration 0:02:30
6|Oct 14 2011|10:35:21|305012|10.23.5.6|62584|67.226.238.43|8624|Teardown dynamic UDP translation from client:10.23.5.6/62584 to DMTS:67.226.238.43/8624 duration 0:02:30
6|Oct 14 2011|10:35:21|302015|64.202.144.72|53|10.23.5.6|62395|Built outbound UDP connection 25304 for DMTS:64.202.144.72/53 (64.202.144.72/53) to client:10.23.5.6/62395 (67.226.238.43/10385)
6|Oct 14 2011|10:35:21|305011|10.23.5.6|62395|67.226.238.43|10385|Built dynamic UDP translation from client:10.23.5.6/62395 to DMTS:67.226.238.43/10385
6|Oct 14 2011|10:35:20|302013|69.26.70.13|443|10.23.5.6|55907|Built outbound TCP connection 25303 for DMTS:69.26.70.13/443 (69.26.70.13/443) to client:10.23.5.6/55907 (67.226.238.43/45119)
6|Oct 14 2011|10:35:20|305011|10.23.5.6|55907|67.226.238.43|45119|Built dynamic TCP translation from client:10.23.5.6/55907 to DMTS:67.226.238.43/45119
6|Oct 14 2011|10:35:20|305012|10.23.5.52|4230|67.226.238.43|32507|Teardown dynamic TCP translation from client:10.23.5.52/4230 to DMTS:67.226.238.43/32507 duration 0:01:30
6|Oct 14 2011|10:35:19|305012|10.23.5.6|51254|67.226.238.43|62528|Teardown dynamic UDP translation from client:10.23.5.6/51254 to DMTS:67.226.238.43/62528 duration 0:02:30
6|Oct 14 2011|10:35:18|305012|10.23.5.6|49790|67.226.238.43|19321|Teardown dynamic UDP translation from client:10.23.5.6/49790 to DMTS:67.226.238.43/19321 duration 0:02:30
6|Oct 14 2011|10:35:18|305012|10.23.5.6|59733|67.226.238.43|55907|Teardown dynamic UDP translation from client:10.23.5.6/59733 to DMTS:67.226.238.43/55907 duration 0:02:30
6|Oct 14 2011|10:35:18|305012|10.23.5.6|51634|67.226.238.43|59113|Teardown dynamic UDP translation from client:10.23.5.6/51634 to DMTS:67.226.238.43/59113 duration 0:02:30
6|Oct 14 2011|10:35:18|305012|10.23.5.6|60797|67.226.238.43|19710|Teardown dynamic UDP translation from client:10.23.5.6/60797 to DMTS:67.226.238.43/19710 duration 0:02:30
6|Oct 14 2011|10:35:17|305012|10.23.5.6|52911|67.226.238.43|56470|Teardown dynamic UDP translation from client:10.23.5.6/52911 to DMTS:67.226.238.43/56470 duration 0:02:30
6|Oct 14 2011|10:35:17|305012|10.23.5.6|64294|67.226.238.43|23855|Teardown dynamic UDP translation from client:10.23.5.6/64294 to DMTS:67.226.238.43/23855 duration 0:02:30
6|Oct 14 2011|10:35:17|305012|10.23.5.6|61163|67.226.238.43|48149|Teardown dynamic UDP translation from client:10.23.5.6/61163 to DMTS:67.226.238.43/48149 duration 0:02:30
6|Oct 14 2011|10:35:17|305012|10.23.5.6|55086|67.226.238.43|10175|Teardown dynamic UDP translation from client:10.23.5.6/55086 to DMTS:67.226.238.43/10175 duration 0:02:30
6|Oct 14 2011|10:35:17|305012|10.23.5.6|54442|67.226.238.43|21706|Teardown dynamic UDP translation from client:10.23.5.6/54442 to DMTS:67.226.238.43/21706 duration 0:02:30
6|Oct 14 2011|10:35:17|305012|10.23.5.6|54219|67.226.238.43|61336|Teardown dynamic UDP translation from client:10.23.5.6/54219 to DMTS:67.226.238.43/61336 duration 0:02:30
6|Oct 14 2011|10:35:17|305012|10.23.5.6|58432|67.226.238.43|18389|Teardown dynamic UDP translation from client:10.23.5.6/58432 to DMTS:67.226.238.43/18389 duration 0:02:30
6|Oct 14 2011|10:35:16|305012|10.23.5.6|60792|67.226.238.43|2288|Teardown dynamic UDP translation from client:10.23.5.6/60792 to DMTS:67.226.238.43/2288 duration 0:02:30
6|Oct 14 2011|10:35:15|305012|10.23.5.52|4227|67.226.238.43|10726|Teardown dynamic TCP translation from client:10.23.5.52/4227 to DMTS:67.226.238.43/10726 duration 0:01:30
6|Oct 14 2011|10:35:15|305012|10.23.5.6|52213|67.226.238.43|15935|Teardown dynamic UDP translation from client:10.23.5.6/52213 to DMTS:67.226.238.43/15935 duration 0:02:30
6|Oct 14 2011|10:35:15|305012|10.23.5.6|49505|67.226.238.43|49374|Teardown dynamic UDP translation from client:10.23.5.6/49505 to DMTS:67.226.238.43/49374 duration 0:02:30
6|Oct 14 2011|10:35:15|305012|10.23.5.6|61819|67.226.238.43|38863|Teardown dynamic UDP translation from client:10.23.5.6/61819 to DMTS:67.226.238.43/38863 duration 0:02:30
6|Oct 14 2011|10:35:14|305012|10.23.5.6|50763|67.226.238.43|6015|Teardown dynamic UDP translation from client:10.23.5.6/50763 to DMTS:67.226.238.43/6015 duration 0:02:30
6|Oct 14 2011|10:35:14|305012|10.23.5.6|59386|67.226.238.43|2629|Teardown dynamic UDP translation from client:10.23.5.6/59386 to DMTS:67.226.238.43/2629 duration 0:02:30
6|Oct 14 2011|10:35:14|305012|10.23.5.6|64340|67.226.238.43|63932|Teardown dynamic UDP translation from client:10.23.5.6/64340 to DMTS:67.226.238.43/63932 duration 0:02:30
6|Oct 14 2011|10:35:14|305012|10.23.5.6|49658|67.226.238.43|26334|Teardown dynamic UDP translation from client:10.23.5.6/49658 to DMTS:67.226.238.43/26334 duration 0:02:30
6|Oct 14 2011|10:35:14|305012|10.23.5.6|53642|67.226.238.43|27338|Teardown dynamic UDP translation from client:10.23.5.6/53642 to DMTS:67.226.238.43/27338 duration 0:02:30
6|Oct 14 2011|10:35:14|305012|10.23.5.6|59502|67.226.238.43|54899|Teardown dynamic UDP translation from client:10.23.5.6/59502 to DMTS:67.226.238.43/54899 duration 0:02:30
6|Oct 14 2011|10:35:14|305012|10.23.5.6|51337|67.226.238.43|60564|Teardown dynamic UDP translation from client:10.23.5.6/51337 to DMTS:67.226.238.43/60564 duration 0:02:30
6|Oct 14 2011|10:35:14|305012|10.23.5.6|57315|67.226.238.43|31084|Teardown dynamic UDP translation from client:10.23.5.6/57315 to DMTS:67.226.238.43/31084 duration 0:02:30
6|Oct 14 2011|10:35:14|305012|10.23.5.6|60431|67.226.238.43|48447|Teardown dynamic UDP translation from client:10.23.5.6/60431 to DMTS:67.226.238.43/48447 duration 0:02:30
6|Oct 14 2011|10:35:14|305012|10.23.5.6|62670|67.226.238.43|21429|Teardown dynamic UDP translation from client:10.23.5.6/62670 to DMTS:67.226.238.43/21429 duration 0:02:30
6|Oct 14 2011|10:35:13|305012|10.23.5.6|55905|67.226.238.43|45674|Teardown dynamic TCP translation from client:10.23.5.6/55905 to DMTS:67.226.238.43/45674 duration 0:00:30
6|Oct 14 2011|10:35:13|305012|10.23.5.6|55903|67.226.238.43|17422|Teardown dynamic TCP translation from client:10.23.5.6/55903 to DMTS:67.226.238.43/17422 duration 0:00:30
6|Oct 14 2011|10:35:13|305012|10.23.5.6|54555|67.226.238.43|28658|Teardown dynamic UDP translation from client:10.23.5.6/54555 to DMTS:67.226.238.43/28658 duration 0:02:30
6|Oct 14 2011|10:35:13|305012|10.23.5.6|55901|67.226.238.43|64362|Teardown dynamic TCP translation from client:10.23.5.6/55901 to DMTS:67.226.238.43/64362 duration 0:00:30
6|Oct 14 2011|10:35:12|302014|184.25.52.176|443|10.23.5.52|4227|Teardown TCP connection 25249 for DMTS:184.25.52.176/443 to client:10.23.5.52/4227 duration 0:01:26 bytes 30713 TCP Reset-I
6|Oct 14 2011|10:35:12|302014|184.25.52.176|443|10.23.5.52|4230|Teardown TCP connection 25264 for DMTS:184.25.52.176/443 to client:10.23.5.52/4230 duration 0:01:21 bytes 10467 TCP Reset-I
6|Oct 14 2011|10:35:09|305012|10.23.5.6|55897|67.226.238.43|30854|Teardown dynamic TCP translation from client:10.23.5.6/55897 to DMTS:67.226.238.43/30854 duration 0:00:30
6|Oct 14 2011|10:35:09|305012|10.23.5.6|55895|67.226.238.43|22312|Teardown dynamic TCP translation from client:10.23.5.6/55895 to DMTS:67.226.238.43/22312 duration 0:00:30
6|Oct 14 2011|10:35:05|302016|64.202.144.72|53|10.23.5.6|65098|Teardown UDP connection 25242 for DMTS:64.202.144.72/53 to client:10.23.5.6/65098 duration 0:02:02 bytes 181
6|Oct 14 2011|10:35:04|302016|64.202.144.72|53|10.23.5.6|52608|Teardown UDP connection 25239 for DMTS:64.202.144.72/53 to client:10.23.5.6/52608 duration 0:02:01 bytes 181
6|Oct 14 2011|10:35:04|302016|64.202.144.72|53|10.23.5.6|54201|Teardown UDP connection 25238 for DMTS:64.202.144.72/53 to client:10.23.5.6/54201 duration 0:02:01 bytes 86
6|Oct 14 2011|10:35:04|302016|64.202.144.72|53|10.23.5.6|55418|Teardown UDP connection 25237 for DMTS:64.202.144.72/53 to client:10.23.5.6/55418 duration 0:02:01 bytes 98
6|Oct 14 2011|10:35:02|302016|64.202.144.72|53|10.23.5.6|52117|Teardown UDP connection 25235 for DMTS:64.202.144.72/53 to client:10.23.5.6/52117 duration 0:02:02 bytes 105
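The ASDM log pasted above can be reduced to the two ICMP conversations that matter. The script below is an added example, not from the thread or from Cisco; it parses the pipe-delimited ASDM log format, pairs each 302020 "Built" with its 302021 "Teardown" by local address, foreign address and ICMP id, and reports how long each connection toward the remote subnet lived. Both connections in the posted log lived exactly 2 s, which is the `timeout icmp 0:00:02` in the FW-SAS config. One caveat: FW-SAS has no `inspect icmp` (its posted config has no service-policy at all), so the ASA does not close the connection when an echo reply arrives, and an aged-out connection does not by itself prove the reply never came back; a `capture` on the client interface is the definitive check. The six log lines are copied from the post above (two PAT lines kept as noise); the 2 s threshold and the function names are mine.

```python
"""Pair ASA Built/Teardown ICMP connection syslogs (added example, not from the thread).

Reads ASDM-style pipe-delimited syslog lines, pairs each %ASA-6-302020 with its
%ASA-6-302021 by (laddr, faddr, ICMP id), and flags flows toward the remote VPN
subnet whose connection simply aged out after `timeout icmp`.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Lines copied from the FW-SAS log posted above (two unrelated PAT lines kept as noise).
LOG = """\
6|Oct 14 2011|10:35:34|302021|10.22.5.33|0|10.23.5.52|1|Teardown ICMP connection for faddr 10.22.5.33/0 gaddr 10.23.5.52/1 laddr 10.23.5.52/1
6|Oct 14 2011|10:35:33|305012|10.23.5.6|65098|67.226.238.43|42440|Teardown dynamic UDP translation from client:10.23.5.6/65098 to DMTS:67.226.238.43/42440 duration 0:02:30
6|Oct 14 2011|10:35:32|302020|10.23.5.52|1|10.22.5.33|0|Built outbound ICMP connection for faddr 10.22.5.33/0 gaddr 10.23.5.52/1 laddr 10.23.5.52/1
6|Oct 14 2011|10:35:29|302021|10.22.5.33|0|10.23.5.52|0|Teardown ICMP connection for faddr 10.22.5.33/0 gaddr 10.23.5.52/0 laddr 10.23.5.52/0
6|Oct 14 2011|10:35:27|302020|10.23.5.52|0|10.22.5.33|0|Built outbound ICMP connection for faddr 10.22.5.33/0 gaddr 10.23.5.52/0 laddr 10.23.5.52/0
6|Oct 14 2011|10:35:21|302015|64.202.144.72|53|10.23.5.6|62395|Built outbound UDP connection 25304 for DMTS:64.202.144.72/53 (64.202.144.72/53) to client:10.23.5.6/62395 (67.226.238.43/10385)
"""

ADDR_RE = re.compile(r"faddr (\S+)/(\d+) gaddr (\S+)/(\d+) laddr (\S+)/(\d+)")


def parse_line(line):
    """Split one ASDM log line into its fields; returns None for lines in another shape."""
    parts = line.split("|", 8)
    if len(parts) != 9:
        return None
    sev, date, time, msgid, src, sport, dst, dport, text = parts
    return {"ts": datetime.strptime(f"{date} {time}", "%b %d %Y %H:%M:%S"),
            "id": msgid, "text": text}


def icmp_flows(log, remote_net, icmp_timeout=2):
    """Pair 302020/302021 for foreign addresses inside remote_net and measure each conn's life."""
    remote = ip_network(remote_net)
    built, flows = {}, []
    events = [e for e in map(parse_line, log.splitlines()) if e and e["id"] in ("302020", "302021")]
    for ev in sorted(events, key=lambda e: e["ts"]):  # ASDM lists newest first; replay in order
        m = ADDR_RE.search(ev["text"])
        if not m:
            continue
        faddr, laddr, icmp_id = m[1], m[5], int(m[6])  # for ICMP the "port" field is the echo id
        if ip_address(faddr) not in remote:
            continue
        key = (laddr, faddr, icmp_id)
        if ev["id"] == "302020":
            built[key] = ev["ts"]
        elif key in built:
            life = int((ev["ts"] - built.pop(key)).total_seconds())
            # a life equal to `timeout icmp` means the conn idled out rather than being
            # closed by an inspected echo reply (only meaningful when inspect icmp is on)
            flows.append({"src": laddr, "dst": faddr, "icmp_id": icmp_id,
                          "seconds": life, "aged_out": life >= icmp_timeout})
    return flows


if __name__ == "__main__":
    for f in icmp_flows(LOG, "10.22.5.0/24"):
        print(f)
```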

Hi,

Is this the output on ASA console when you enable 'debug icmp trace'?

Thx

MS

Hi

If the tunnel is up then we can run packet-tracer on both sides to check where it is getting blocked. Run this command on FW-SAS:

" packet-tracer input client icmp 10.23.5.10 8 8 10.22.5.10 detailed ".

Paste the output if possible. After running this command, check whether the relevant crypto ACL is getting a hit or not.

Thanks,

Rohan

Here is the output...

Result of the command: "packet-tracer input client icmp 10.23.5.10 8 8 10.22.5.10 detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9579680, priority=1, domain=permit, deny=false
hits=1371942, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         DMTS

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc957be90, priority=0, domain=permit-ip-option, deny=true
hits=34527, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc957b530, priority=66, domain=inspect-icmp-error, deny=false
hits=328, user_data=0xc957b428, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip client 10.23.5.0 255.255.255.0 DMTS DrydenFirefly 255.255.255.0
    NAT exempt
    translate_hits = 2486, untranslate_hits = 9
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9e1ecc0, priority=6, domain=nat-exempt, deny=false
hits=2485, user_data=0xc97480c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=10.23.5.0, mask=255.255.255.0, port=0
dst ip=DrydenFirefly, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (client) 1 0.0.0.0 0.0.0.0
  match ip client any DMTS any
    dynamic translation to pool 1 (67.226.238.43 [Interface PAT])
    translate_hits = 31027, untranslate_hits = 1349
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc6b9e228, priority=1, domain=nat, deny=false
hits=33855, user_data=0xc6b9e168, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (client) 1 0.0.0.0 0.0.0.0
  match ip client any client any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc95e2618, priority=1, domain=host, deny=false
hits=34821, user_data=0xc95e2200, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc95c6098, priority=0, domain=host-limit, deny=false
hits=13801, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc9af3588, priority=70, domain=encrypt, deny=false
hits=123, user_data=0x33af64, cs_id=0xc66a5848, reverse, flags=0x0, protocol=0
src ip=10.23.5.0, mask=255.255.255.0, port=0
dst ip=DrydenFirefly, mask=255.255.255.0, port=0, dscp=0x0

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 35564, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: client
input-status: up
input-line-status: up
output-interface: DMTS
output-status: up
output-line-status: up
Action: allow
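For Rohan's request above (confirm the crypto ACL is hit and see where the packet is blocked), packet-tracer output can be parsed rather than read by eye. The script below is an added example and not part of the thread; it splits the output into phases, reports the first phase whose Result is not ALLOW together with the Drop-reason line, and returns the src/dst of the rule matched in the VPN encrypt phase. TRACE_ALLOW is a trimmed copy of the output posted above; TRACE_DROP is constructed for this example to show the drop shape and is not output from either firewall. On the posted trace every phase allows and the encrypt rule matches 10.23.5.0/24 to DrydenFirefly (10.22.5.0/24), so the 5505 is handing the packet to the tunnel; the same command on FW-DRY with the addresses reversed (input interface CLIENT, source 10.22.5.10, destination 10.23.5.10) is the next thing to check.

```python
"""Parse ASA packet-tracer output (added example, not from the thread).

Answers the two questions asked above: did any phase DROP the packet, and did the
VPN/encrypt phase (the crypto ACL hit) match the source and destination expected.
"""
import re

# Trimmed copy of the FW-SAS packet-tracer output posted above.
TRACE_ALLOW = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc9af3588, priority=70, domain=encrypt, deny=false
hits=123, user_data=0x33af64, cs_id=0xc66a5848, reverse, flags=0x0, protocol=0
src ip=10.23.5.0, mask=255.255.255.0, port=0
dst ip=DrydenFirefly, mask=255.255.255.0, port=0, dscp=0x0

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW

Result:
input-interface: client
output-interface: DMTS
Action: allow
"""

# Constructed for this example (not output from either firewall): a trace that fails at an ACL phase.
TRACE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group DMTS_ACCESS_IN in interface DMTS

Result:
input-interface: DMTS
output-interface: CLIENT
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Split the trace into phase records plus the final Result/Action block."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        # "Key: value" lines; rule dumps (src ip=..., hits=...) carry no colon and are skipped
        kv = {k.strip(): v.strip() for k, v in
              (line.split(":", 1) for line in block.splitlines() if ":" in line)}
        if "Phase" in kv:
            rule = dict(re.findall(r"\b(src|dst) ip=([^,\s]+)", block))  # matched rule, if shown
            phases.append({"phase": int(kv["Phase"]), "type": kv.get("Type", ""),
                           "subtype": kv.get("Subtype", ""), "result": kv.get("Result", ""),
                           "rule": rule})
        elif "Action" in kv:
            summary = kv
    return {"phases": phases, "action": summary.get("Action"),
            "drop_reason": summary.get("Drop-reason")}


def first_drop(trace):
    """The phase that dropped the packet, or None if every phase allowed it."""
    return next((p for p in trace["phases"] if p["result"] != "ALLOW"), None)


def crypto_acl_hit(trace):
    """(src, dst) of the VPN encrypt rule the packet matched, or None if it never reached the tunnel."""
    for p in trace["phases"]:
        if p["type"] == "VPN" and p["subtype"] == "encrypt" and p["result"] == "ALLOW":
            return p["rule"].get("src"), p["rule"].get("dst")
    return None


if __name__ == "__main__":
    for t in (TRACE_ALLOW, TRACE_DROP):
        r = parse_trace(t)
        print(r["action"], first_drop(r), crypto_acl_hit(r), r["drop_reason"])
```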