
site to site VPN - tunnel up but not getting icmp replies

ict3tcsoftware
Level 1

Hi All,

I'm hoping that the more knowledgeable of you can tell me where I'm going wrong.

My local end is a Cisco ASA 5516 and the remote end is a Fortigate 601E.

My local subnet is 10.2.0.0/18, which clashes with the remote subnet, so we NAT the traffic going over the tunnel to 10.6.22.0/24.

The IPs that we connect to on the remote end are in the 43.X.X.X/24 subnet.

Pings from my subnet time out, but the remote end says they can see the ping coming in and a reply is being sent.

My config is (relevant parts):
object-group network Remote-Servers
network-object host 43.X.X.3
network-object host 43.X.X.4

object network LOCAL-TO-REMOTE-XLATE
subnet 10.6.22.0 255.255.255.0

access-list outside_1_cryptomap extended permit icmp object LOCAL-TO-REMOTE-XLATE object-group Remote-Servers log debugging
access-list outside_1_cryptomap extended permit ip object LOCAL-TO-REMOTE-XLATE object-group Remote-Servers log debugging

nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_18 LOCAL-TO-REMOTE-XLATE destination static Remote-Servers Remote-Servers

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 43200

group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-tunnel-protocol ikev1

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****

2 Accepted Solutions


As I understand it, your address range 10.2.0.0/18 is translated into 10.6.22.0/24 (because the remote side is using 10.2.0.0/18), so your local subnet is a /18 and you translate it into a /24 subnet.

Your config looks fine apart from the /18 and /24 subnets.

You said the remote side can see the pings coming in but you do not see the reply.

Could you show the output of the command "show crypto ipsec sa peer x.x.x.x", where x.x.x.x is your remote public IP address?

Also, could you confirm that the remote side has also configured 10.6.22.0/24 as the remote network?

Also add these commands:

policy-map global_policy
class inspection_default
inspect icmp

object-group network Remote-Servers
 network-object host 43.X.X.3
 network-object host 43.X.X.4
!
object network LOCAL-TO-REMOTE-XLATE
subnet 10.6.22.0 255.255.255.0
!
access-list outside_1_cryptomap extended permit icmp object LOCAL-TO-REMOTE-XLATE object-group Remote-Servers log debugging
access-list outside_1_cryptomap extended permit ip object LOCAL-TO-REMOTE-XLATE object-group Remote-Servers log debugging
!
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_18 LOCAL-TO-REMOTE-XLATE destination static Remote-Servers Remote-Servers
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 43200
!
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-tunnel-protocol ikev1
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!

please do not forget to rate.
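An added audit script, not from this thread or from Cisco, that checks an ASA config excerpt for the two points raised in the reply above: a "source static" NAT rule whose real and mapped objects have different prefix lengths (the /18 versus /24 here), and a global_policy that lacks "inspect icmp". The excerpt is constructed from the thread's config; defining NETWORK_OBJ_10.2.0.0_18 as a /18 is an assumption, since the thread never shows that object.

```python
import ipaddress

# Constructed ASA excerpt modelled on the thread's config. NETWORK_OBJ_10.2.0.0_18 is never
# shown in the thread; defining it as a /18 is an assumption based on its name.
ASA_CONFIG = """\
object network NETWORK_OBJ_10.2.0.0_18
 subnet 10.2.0.0 255.255.192.0
object network LOCAL-TO-REMOTE-XLATE
 subnet 10.6.22.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_18 LOCAL-TO-REMOTE-XLATE destination static Remote-Servers Remote-Servers
policy-map global_policy
 class inspection_default
  inspect dns
"""
FIXED_CONFIG = ASA_CONFIG + "  inspect icmp\n"  # the excerpt after the fix the thread settled on

def parse_objects(config):
    """Map each 'object network' name to its subnet; objects without a subnet line are skipped."""
    objects, current = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["object", "network"]:
            current = words[2]
        elif words[:1] == ["subnet"] and current:
            objects[current] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
    return objects

def mismatched_static_nat(config):
    """Return (real, mapped) object pairs from 'source static' NAT rules whose prefix lengths differ."""
    objects, findings = parse_objects(config), []
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["nat"] and words[2:4] == ["source", "static"]:
            real, mapped = words[4], words[5]
            if real in objects and mapped in objects and objects[real].prefixlen != objects[mapped].prefixlen:
                findings.append((real, mapped))
    return findings

def icmp_inspected(config):
    """True when 'inspect icmp' sits under class inspection_default of policy-map global_policy."""
    in_policy = in_class = False
    for line in map(str.strip, config.splitlines()):
        if line.startswith("policy-map "):
            in_policy, in_class = line == "policy-map global_policy", False
        elif in_policy and line.startswith("class "):
            in_class = line == "class inspection_default"
        elif in_policy and in_class and line == "inspect icmp":
            return True
    return False
```

Run against FIXED_CONFIG the ICMP finding clears while the /18 versus /24 mismatch remains, which matches how the thread ends: the missing inspection was what broke the pings, and the size mismatch is a separate thing to tidy up.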

Just added the following:

policy-map global_policy
class inspection_default
inspect icmp

All working now.

8 Replies

Thank you for your suggestion.

Although I've been told that my local subnet clashes with the remote end, I'm not looking to connect to a remote IP that is the same as one on my subnet.

I'm on 10.2.0.0/18 and need to get to 43.x.x.x. The ICMP traffic is going down the tunnel and is hitting the server, and a reply is being sent. It is just that I don't see the reply.

Hope this helps.

So in your case you see on your firewall that there is no encap but there is decap, right?

please do not forget to rate.

Sorry, don't follow you.

I'm new to Cisco firewalls.

For me, and you will check it later, this is not solved: if the remote peer wants to ping the ASA, does it succeed? No. You need NAT for the overlap on both sides.

It has been fixed.

I was missing:

policy-map global_policy
class inspection_default
inspect icmp