09-12-2011 12:54 PM
Hi
I have a problem with ping from the VPN client.
In this scenario, the VPN client should be able to ping PC-4 through ASA-1 (Site-A), but it cannot.
The router is able to ping Z.Z.Z.0/24.
The tunnel and the VPN client are working.
-------------------------------------------------------------------------------------------
1. PC-1 can connect to ASA-1 and ping networks 20.20.0.0/16 and 10.10.10.0/24, but cannot ping PC-4.
2. PC-2 can ping PC-1 and PC-3, but cannot ping PC-4.
3. If PC-3's gateway is 10.10.10.1, it can ping Z.Z.Z.2.
4. If PC-3's gateway is 10.10.10.20, it cannot ping Z.Z.Z.2.
5. ASA-1 can ping ASA-2 and 10.10.10.1/24, but cannot ping Z.Z.Z.2.
6. ASA-2 can ping ASA-1 and Z.Z.Z.2.
--------------------------------------------------------------------------------------------
This is my config on ASA-1 and ASA-2 (addresses sanitised as x.x.x.x, y.y.y.y and z.z.z.z):
hostname ASA-1
interface G0/0
nameif Outside
security-level 0
ip address x.x.x.1 255.255.255.224
NO SHUT
interface G0/3
nameif Inside
security-level 100
ip address 20.20.0.1 255.255.0.0
NO SHUT
route Outside 0.0.0.0 0.0.0.0 x.x.x.2 1
object-group network DM_INLINE_NETWORK_1
network-object 10.10.10.0 255.255.255.0
network-object 20.20.0.0 255.255.0.0
network-object z.z.z.0 255.255.255.0
ip local pool ATA 20.20.0.20-20.20.20.255 mask 255.255.0.0
access-list 100 extended permit icmp any any
access-group 100 in interface Outside
global (Outside) 1 interface
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp enable Outside
tunnel-group y.y.y.1 type ipsec-l2l
tunnel-group y.y.y.1 ipsec-attributes
pre-shared-key 1234
group-policy ATA internal
group-policy ATA attributes
vpn-tunnel-protocol IPSec
username TEST password TEST privilege 0
username TEST attributes
vpn-group-policy ATA
tunnel-group ATA type remote-access
tunnel-group ATA general-attributes
address-pool ATA
default-group-policy ATA
tunnel-group ATA ipsec-attributes
pre-shared-key 1234
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer y.y.y.200
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip object-group DM_INLINE_NETWORK_1 20.20.0.0 255.255.224.0
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
class inspection_default
inspect icmp
same-security-traffic permit intra-interface
management-access Inside
-------------------------------------------------------------------------------------------
hostname ASA-2
interface E0/0
nameif Outside
security-level 0
ip address y.y.y.1 255.255.255.192
NO SHUT
interface E0/3
nameif Inside
security-level 100
ip address 10.10.10.20 255.255.255.0
NO SHUT
route Outside 0.0.0.0 0.0.0.0 y.y.y.2 1
route Inside z.z.z.0 255.255.255.0 10.10.10.1 1
access-list 100 extended permit icmp any any
access-group 100 in interface Outside
global (Outside) 1 interface
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp enable Outside
tunnel-group x.x.x.1 type ipsec-l2l
tunnel-group x.x.x.1 ipsec-attributes
pre-shared-key 1234
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Outside_1_Cryptomap extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer x.x.x.1
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Inside_nat0_Outside extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
class inspection_default
inspect icmp
same-security-traffic permit intra-interface
management-access Inside
-------------------------------------------------------------------------------------------
Regards
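The usual first check for a VPN-client-to-remote-site flow like the one above is whether the crypto ACLs on both ASAs are exact mirror images and whether the same flow is NAT-exempt on both sides. The script below is an added example, not part of the original post: it parses the ACEs posted in the thread (with the sanitised z.z.z.0/24 replaced by the documentation range 203.0.113.0/24 as an assumption) and reports, for a given client/PC-4 address pair, which of the four ACLs match and whether the crypto ACLs mirror each other.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the ACLs posted above, with z.z.z.0/24 replaced by
# 203.0.113.0/24 (an assumption so the lines parse; not the poster's real range).
ASA1_CRYPTO = """
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 203.0.113.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
"""
ASA1_NAT0 = """
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 203.0.113.0 255.255.255.0
"""
ASA2_CRYPTO = """
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
access-list Outside_1_Cryptomap extended permit ip 203.0.113.0 255.255.255.0 20.20.0.0 255.255.0.0
"""
ASA2_NAT0 = ASA2_CRYPTO.replace("Outside_1_Cryptomap", "Inside_nat0_Outside")

Net = ipaddress.IPv4Network

def parse_aces(text: str) -> List[Tuple[Net, Net]]:
    """Parse 'extended permit ip SRC MASK DST MASK' ACEs into (src, dst) pairs.
    object-group, host and any forms are skipped by this small checker."""
    aces = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 9 or f[2:5] != ["extended", "permit", "ip"]:
            continue
        aces.append((Net(f"{f[5]}/{f[6]}"), Net(f"{f[7]}/{f[8]}")))
    return aces

def matches(aces: List[Tuple[Net, Net]], src: str, dst: str) -> bool:
    """True if some ACE covers the src->dst flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in aces)

def mirrored(aces_a, aces_b) -> bool:
    """Crypto ACLs on the two peers must be exact mirror images."""
    return {(a, b) for a, b in aces_a} == {(b, a) for a, b in aces_b}

def check_flow(client: str, pc4: str) -> Dict[str, bool]:
    """Evaluate the client->PC-4 flow against each side's crypto and nat0 ACL."""
    return {
        "asa1_crypto": matches(parse_aces(ASA1_CRYPTO), client, pc4),
        "asa1_nat0": matches(parse_aces(ASA1_NAT0), client, pc4),
        "asa2_crypto": matches(parse_aces(ASA2_CRYPTO), pc4, client),
        "asa2_nat0": matches(parse_aces(ASA2_NAT0), pc4, client),
        "crypto_mirrored": mirrored(parse_aces(ASA1_CRYPTO), parse_aces(ASA2_CRYPTO)),
    }

if __name__ == "__main__":
    for name, ok in check_flow("20.20.0.20", "203.0.113.2").items():
        print(f"{name}: {'ok' if ok else 'MISSING'}")
```

When every check passes, as it does for the posted ACLs, the ACL definitions are not the cause and attention moves to routing and the NAT/interface on the ingress side.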
09-15-2011 11:11 AM
Hi,
My suggestion for your puzzle is to either load your ASDM real-time log and observe the logs while one host tries to ping the other, taking notes on the log; this should provide you with information and some clues on what the issue could be. You may also try a packet capture on ASA-2. Either way, I would start with the easiest one, which is the real-time log in ASDM.
Could you provide the following:
1 - Post the output of c:\ipconfig /all from PC-4 (z.z.z.2/24)
2 - Post the output of show ip route from the router where the PC-4 subnet is routed from
Regards