07-09-2010 02:38 PM
I have an 1841 router that travels (remote presentations) and connects to a home ASA 5500 using EZVPN.
This problem started after moving the VPN from a 3000 concentrator to the ASA 5500.
Home network is 10.1.0.0
Remote network is 192.168.224.0
The problem is, traffic CAN pass between networks (able to connect to servers on the home network),
but cannot ping between networks.
I already have "crypto isakmp nat-traversal 60" in the config.
I thought it may be a NAT issue, but that shouldn't be the issue, as other traffic can pass.
Possible ACL issue?
Here's the (scrubbed) config of the ASA:
: Saved
:
ASA Version 8.2(1)
!
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address *
ospf cost 10
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.1.254.1 255.255.255.248 standby 10.1.254.3
ospf cost 10
access-list outside extended permit icmp any any
access-list Inside_nat0_outbound extended permit ip any 10.1.252.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.224.0 255.255.255.0
ip local pool Remote_LAN 10.1.252.2-10.1.252.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.0.0 255.255.0.0
crypto isakmp nat-traversal 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy WR_Remote internal
group-policy WR_Remote attributes
wins-server value 10.1.44.6 10.1.44.7
dns-server value 10.1.44.6 10.1.44.7
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel_ACL
default-domain value law.firm
split-dns value husch.com blackwellsanders.com law.firm huschblackwell.com blkwl.com welshkatz.com lan.welshkatz.com
nem enable
username WR_Remote password rWGBPD2An9YuOnhC encrypted privilege 0
username WR_Remote attributes
vpn-group-policy WR_Remote
tunnel-group WR_Remote type remote-access
tunnel-group WR_Remote general-attributes
address-pool Remote_LAN
default-group-policy WR_Remote
tunnel-group WR_Remote ipsec-attributes
pre-shared-key *
Here's the config for the 1841 router:
Building configuration...
Current configuration : 7610 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname WR-RTR-2
!
boot-start-marker
boot-end-marker
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip tcp synwait-time 10
!
!
no ip bootp server
!
crypto ipsec client ezvpn WR_Remote
connect auto
group WR_Remote key wr_remote@2
mode network-extension
peer *
xauth userid mode interactive
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.224.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto ipsec client ezvpn WR_Remote inside
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address dhcp
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto ipsec client ezvpn WR_Remote
!
ip classless
!
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) WR_Remote
access-list 101 permit udp host * any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) WR_Remote
access-list 101 permit udp host * any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) WR_Remote
access-list 101 permit udp host * any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) WR_Remote
access-list 101 permit esp host * any
access-list 101 remark Auto generated by SDM for EzVPN (esp) WR_Remote
access-list 101 permit ahp host * any
access-list 101 deny ip 192.168.224.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
access-list 102 remark VTY access-class list
access-list 102 remark SDM_ACL Category=17
access-list 102 permit ip 192.168.224.0 0.0.0.255 any
access-list 102 permit ip 10.1.0.0 0.0.255.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 10.11.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip host 10.11.10.0 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 10.10.0.0 0.0.255.255 any
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip host 10.10.12.0 any
access-list 107 remark SDM_ACL Category=4
access-list 107 permit ip host 10.10.0.0 any
access-list 179 deny ip 192.168.224.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 179 deny ip 192.168.224.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 179 permit ip 192.168.224.0 0.0.0.255 any
!
route-map EZVPN permit 10
match ip address 179
!
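Before changing anything, a practitioner would want to see exactly where the echo-request or the echo-reply is dropped. The commands below are an added diagnostic walkthrough, not part of the original post or either device's config; 10.1.44.6 is the DNS server from the posted ASA config, 192.168.224.10 is an assumed host on the remote LAN, and the capture names are arbitrary.

```cisco
! --- ASA side ---
! Simulate a ping from the home LAN to the remote LAN and read which phase
! (interface ACL, NAT exemption, VPN encrypt, ...) reports the drop.
packet-tracer input Inside icmp 10.1.44.6 8 0 192.168.224.10 detailed
! Same for a ping sourced on the remote LAN, which arrives decrypted on Outside.
packet-tracer input Outside icmp 192.168.224.10 8 0 10.1.44.6 detailed
! Check that ICMP is actually being encrypted/decrypted on the tunnel
! (#pkts encaps / #pkts decaps should both move while pinging).
show crypto ipsec sa
! Capture ICMP on both interfaces; a request on one side with no reply on the
! other side localises the drop to the ASA rather than to the far end.
capture cap_in interface Inside match icmp any any
capture cap_out interface Outside match icmp any any
show capture cap_in
show capture cap_out
! Without "inspect icmp" no ICMP entries appear here at all.
show conn | include ICMP
! --- 1841 side ---
show crypto ipsec client ezvpn
show crypto ipsec sa
show ip nat translations
show access-lists 101
show ip inspect sessions
```

Note that `icmp permit any Inside` in the posted ASA config only controls ICMP addressed to the ASA's own interface; it says nothing about ICMP passing through the box, which is what the pings here are.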
07-17-2012 04:08 PM
Try to enable 'inspect icmp' and check your logs.
Uwe
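Here is what Uwe's suggestion looks like in configuration, as an added example rather than anything from the original thread. It assumes the stock `policy-map global_policy` / `class inspection_default` objects that ASA 8.2 creates out of the box (the scrubbed post omits that section) and that buffered logging is already enabled.

```cisco
! --- ASA: enable stateful ICMP inspection in the default global policy ---
policy-map global_policy
 class inspection_default
  ! track echo-request/echo-reply as a connection, so the reply is allowed
  ! back only for a request the ASA has seen
  inspect icmp
  ! also match ICMP errors (unreachable, time-exceeded) to the flow that
  ! triggered them, so traceroute and PMTU work through the box
  inspect icmp error
!
! --- verify ---
! inspection counters should increment while pinging across the tunnel
show service-policy inspect icmp
! one ICMP connection entry per outstanding echo-request
show conn | include ICMP
! look for 106xxx/302020 style deny/build messages involving the remote LAN
show logging | include 192.168.224
```

With inspection on, the ASA creates a connection entry per echo-request and only the matching echo-reply is let back in, which is both what makes ping work reliably and a tighter rule than a blanket `permit icmp any any` on the outside ACL.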