Site-to-site VPN tunnel - Cannot ping the second inside2 interface of the peer firewall



I have two ASA 5505 firewalls each with a base license: FWa and FWb. Currently there is a working VPN tunnel between them. I added a second interface (inside2) to firewall FWb but I cannot ping it from firewall FWa, whereas I can ping the inside interface from FWa.

I can ping the FWb inside interface 192.168.20.1 from the FWa inside interface 172.16.1.1, but I cannot ping the FWb inside2 interface 10.52.100.10 from FWa. I also cannot ping the host gateway 10.52.100.1 from FWa.

I show both firewalls' essential configuration as well as the debug icmp output on both firewalls as I ping the inside and inside2 interfaces of FWb from FWa.
=========================================================

Here is a skeleton of the configuration on FWa:

name 172.16.1.0 inside-network
name 192.168.20.0 HprCnc-At-Thesys
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name S.S.S.S outside-interface

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 description Connection to VLAN 777 for bypass to Comcast External Modem and Static IP address.
 nameif Outside
 security-level 0
 ip address outside-interface 255.255.255.240

object-group network DM_INLINE_NETWORK_5
 network-object HprCnc-At-Thesys 255.255.255.0
 network-object ring52-network 255.255.255.0
 network-object ring53-network 255.255.255.0

object-group network DM_INLINE_NETWORK_3
 network-object ring52-network 255.255.255.0
 network-object HprCnc-At-Thesys 255.255.255.0
 network-object ring53-network 255.255.255.0

access-list Outside_5_cryptomap extended permit ip host outside-interface object-group DM_INLINE_NETWORK_3
access-list inside_nat_outbound extended permit ip inside-network 255.255.255.0 object-group DM_INLINE_NETWORK_5
access-list Outside_nat0_outbound extended permit ip host 173.162.149.72 aus_asx_uat 255.255.255.0

nat (inside) 0 access-list nonat
nat (inside) 101 access-list inside_nat_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Outside) 0 access-list Outside_nat0_outbound

crypto map VPN 5 match address Outside_5_cryptomap
crypto map VPN 5 set pfs group1
crypto map VPN 5 set peer D.D.D.D
crypto map VPN 5 set transform-set VPN
tunnel-group D.D.D.D type ipsec-l2l
tunnel-group D.D.D.D ipsec-attributes
 pre-shared-key *****



=========================================================

FWb:

name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name 10.51.100.0 ring51-network
name 10.54.100.0 ring54-network

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address D.D.D.D 255.255.255.240
!
interface Vlan52
 no forward interface Vlan1
 nameif inside2
 security-level 100
 ip address 10.52.100.10 255.255.255.0

object-group network DM_INLINE_NETWORK_3
 network-object ring52-network 255.255.255.0
 network-object ring53-network 255.255.255.0


object-group network DM_INLINE_NETWORK_2
 network-object ring52-network 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object ring53-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 host S.S.S.S
access-list inside2_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 host S.S.S.S

access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 host S.S.S.S

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list inside2_nat0_outbound
nat (inside2) 1 0.0.0.0 0.0.0.0

route inside2 ring51-network 255.255.255.0 10.52.100.1 1
route inside2 ring53-network 255.255.255.0 10.52.100.1 1
route inside2 ring54-network 255.255.255.0 10.52.100.1 1

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer S.S.S.S
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

tunnel-group S.S.S.S type ipsec-l2l
tunnel-group S.S.S.S ipsec-attributes
 pre-shared-key *****

=========================================================================
I turned on debug icmp trace on both firewalls and could see the traffic arriving at the inside2 interface but never coming back to FWa.

Successful ping from FWa to the inside interface on FWb

FWa# ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
ICMP echo request from outside-interface to 192.168.20.1 ID=32068 seq=23510 len=72
!ICMP echo reply from 192.168.20.1 to outside-interface ID=32068 seq=23510 len=72
....

FWb#
ICMP echo request from S.S.S.S to 192.168.20.1 ID=32068 seq=23510 len=72
ICMP echo reply from 192.168.20.1 to S.S.S.S ID=32068 seq=23510 len=72
==============================================================================
Successful ping from FWa to a host connected to the inside interface on FWb

FWa# ping 192.168.20.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.15, timeout is 2 seconds:
ICMP echo request from outside-interface to 192.168.20.15 ID=50862 seq=18608 len=72
!ICMP echo reply from 192.168.20.15 to outside-interface ID=50862 seq=18608 len=72
...

FWb#
ICMP echo request from outside:S.S.S.S to inside:192.168.20.15 ID=50862 seq=18608 len=72
ICMP echo reply from inside:192.168.20.15 to outside:S.S.S.S ID=50862 seq=18608 len=72

===========================
Unsuccessful ping from FWa to the inside2 interface on FWb

FWa# ping 10.52.100.10
Sending 5, 100-byte ICMP Echos to 10.52.100.10, timeout is 2 seconds:
ICMP echo request from outside-interface to 10.52.100.10 ID=19752 seq=63173 len=72
?ICMP echo request from outside-interface to 10.52.100.10 ID=19752 seq=63173 len=72
...

FWb#
ICMP echo request from S.S.S.S to 10.52.100.10 ID=19752 seq=63173 len=72
ICMP echo request from S.S.S.S to 10.52.100.10 ID=19752 seq=63173 len=72
....

==================================================================================

Unsuccessful ping from FWa to a host connected to the inside2 interface on FWb

FWa# ping 10.52.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.52.100.1, timeout is 2 seconds:
ICMP echo request from outside-interface to 10.52.100.1 ID=11842 seq=15799 len=72

FWb#
ICMP echo request from outside:S.S.S.S to inside2:10.52.100.1 ID=11842 seq=15799 len=72
ICMP echo request from outside:S.S.S.S to inside2:10.52.100.1 ID=11842 seq=15799 len=72

=======================

Thank you

Accepted Solution

rvarelac
Level 7

Hi odelaporte2

Most likely it is because the command "management-access" is not applied on the second inside, only on the primary inside; (show run management) will confirm that.

This command can only be applied to one interface at a time; for example, if right now it is applied to the inside, it can't be applied to inside2 simultaneously.

Hope it helps

-Randy-
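As an added example for this thread (not part of the original post or of Randy's reply), the following FWb CLI sequence performs the check he describes, applies the one-interface fix, and then verifies the tunnel and the inside2 path. Interface names and addresses are taken from the configurations above; the capture name "ring52" is an assumption, and no command output is shown because none was captured from these firewalls.

```cisco
! --- On FWb: confirm which interface currently carries management-access ---
show running-config management-access
!
! Only one interface can carry management-access. Moving it from inside to
! inside2 makes 10.52.100.10 answer echo requests that arrive decrypted on
! the outside interface, but 192.168.20.1 will then stop answering them.
! Hosts behind either interface are unaffected: management-access matters
! only for traffic addressed to one of the ASA's own interface IPs.
no management-access inside
management-access inside2
!
! Verify the tunnel actually negotiates the inside2 subnets: an SA with
! proxy IDs ring52-network <-> S.S.S.S must exist and its encaps/decaps
! counters must increase while the ping runs.
show crypto ipsec sa peer S.S.S.S
!
! Walk a decrypted echo request through FWb's policy without sending one.
! "8 0" is ICMP type 8 (echo request), code 0. The trace should end in
! "Action: allow" with output-interface inside2; a NAT phase that rewrites
! the source means the nat (inside2) 0 exemption did not match this flow.
packet-tracer input outside icmp S.S.S.S 8 0 10.52.100.1 detailed
!
! 10.52.100.1 is a host, not an ASA address, so management-access does not
! apply to it. The debug above already shows the request leaving on inside2,
! so the missing reply has to be traced on the host side: the gateway needs a
! route for S.S.S.S (the only FWa address in the crypto ACL) pointing at
! 10.52.100.10, and must permit ICMP. A capture on inside2 shows whether the
! reply ever comes back to the ASA.
capture ring52 interface inside2 match icmp any any
show capture ring52
no capture ring52
```

The trade-off to keep in mind before moving management-access: after the change, `ping 192.168.20.1` from FWa will fail for the same reason `ping 10.52.100.10` fails today. If both interface addresses must be reachable over the tunnel, test against a host behind each interface instead of the interface IP, since host traffic does not depend on management-access at all.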
