10-07-2010 01:52 PM
I have an L2L VPN tunnel from a 5520 to a 5510 with Cisco 2941s on each end of the ASAs. I cannot ping from my local 2941 to the remote 2941. The tunnel doesn't block ICMP, and I have multiple other sites configured with the same equipment working. I have set up a debug icmp trace, and I can see on both ASAs that when the ping is initiated it makes it to the ASA it is connected to but never gets across. Please help; this is the last step in finishing my project.
10-07-2010 02:02 PM
Is your traffic included in the NAT-0 ACL?
10-07-2010 02:11 PM
It doesn't have one. The setup is that the 5520 carries individual VPNs to multiple 5510s. There is a default access-list 100 extended permit ip any any. Then I build access lists based on the crypto maps to each individual 5510. I have the same exact configuration on other tunnels on the 5520 going to different 5510s with 2941s on the opposite side, and it works fine. From what I can tell the configuration for this one is exactly the same, yet no ping response. When I ping from my local 2941 to the local 5520 this is the icmp debug print:
YPG-ASA5520-1(config)# ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=0 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=1 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=2 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=3 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=4 len=72
So it sees the request coming in, and it shows it sending the request to the outside interface, but no response. I get the same thing from the opposite end. So the 2941 to local ASA seems to be getting the request; it just doesn't seem to be getting across the tunnel, or able to find its way back.
10-07-2010 02:16 PM
Is it possible for you to post the configuration for both sides and the interesting traffic definitions?
Manish
10-07-2010 02:25 PM
The one I am having an issue with is outside_3_cryptomap going to peer 140.32.132.73. On the local side I have a 2941 with a 10.10.10.0/24 address, and on the remote end I have a 2941 with a 10.10.50.0/24 address. I should be able to ping from the local side to the remote side's 10.10.50.2 address, but I cannot.
~~~ LOCAL END ~~~
YPG-ASA5520-1# show run
: Saved
:
ASA Version 8.2(1)
!
hostname YPG-ASA5520-1
names
name 10.1.25.18 test
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 6.7.0.13 255.255.254.0
!
interface GigabitEthernet0/1
nameif internal
security-level 0
ip address 10.0.2.166 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list 100 extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.1.27.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.27.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.1.26.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.26.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1522
mtu internal 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 6.7.0.1 1
route inside 10.1.25.0 255.255.255.0 10.10.10.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.2.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 140.32.167.58
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 140.32.171.2
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 140.32.132.73
crypto map outside_map 3 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 140.32.167.58 type ipsec-l2l
tunnel-group 140.32.167.58 ipsec-attributes
pre-shared-key *
tunnel-group 140.32.171.2 type ipsec-l2l
tunnel-group 140.32.171.2 ipsec-attributes
pre-shared-key *
tunnel-group 131.120.38.2 type ipsec-l2l
tunnel-group 131.120.38.2 ipsec-attributes
pre-shared-key *
tunnel-group 140.32.132.73 type ipsec-l2l
tunnel-group 140.32.132.73 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e1d9cd4c9ae0fbe643d031975c48cbd0
: end
YPG-ASA5520-1#
~~~ REMOTE END ~~~
NPS-ASA5510# show run
: Saved
:
ASA Version 8.2(1)
!
hostname NPS-ASA5510
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 140.32.132.73 255.255.255.224
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif internal
security-level 0
ip address 192.168.103.2 255.255.255.0
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 10.10.50.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list 100 extended permit ip any any
access-list outside_1_cryptomap extended permit ip 140.32.132.0 255.255.255.0 6.7.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging console debugging
logging asdm informational
mtu outside 1500
mtu internal 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 140.32.132.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.103.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer 6.7.0.13
crypto map outside_map 10 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 6.7.0.13 type ipsec-l2l
tunnel-group 6.7.0.13 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a073c919957e60ffea64717b4e8e4097
: end
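An added offline check, not something from this thread or from Cisco: the two crypto ACLs above are the phase 2 proxy IDs, and on an ASA they must be exact mirrors of each other for the pair that should carry the traffic, or no IPsec SA is built for it. The script below parses the posted hub (outside_3_cryptomap) and spoke (outside_1_cryptomap) lines, reports which pairs are mirrored and which exist on only one side, and flags any ACE whose networks contain both tunnel endpoints (6.7.0.13 and 140.32.132.73, taken from the posted interface and crypto map config), since such an ACE tells the ASA to encrypt the IKE/ESP packets between the peers. It assumes only the "permit ip NET MASK NET MASK" form used in the posted configs; "host", "any" and object-group ACEs are not handled.

```python
import ipaddress
import re

# Crypto ACLs copied from the two "show run" outputs above: the hub's
# outside_3_cryptomap (peer 140.32.132.73) and the spoke's outside_1_cryptomap.
LOCAL_CRYPTO_ACL = """
access-list outside_3_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
"""
REMOTE_CRYPTO_ACL = """
access-list outside_1_cryptomap extended permit ip 140.32.132.0 255.255.255.0 6.7.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
"""
LOCAL_PEER = "6.7.0.13"        # hub outside interface (the 5510's crypto map peer)
REMOTE_PEER = "140.32.132.73"  # spoke outside interface (the 5520's crypto map peer)

# Assumption: only the "permit ip NET MASK NET MASK" form seen in the posted
# configs is parsed; "host", "any" and object-group ACEs are ignored.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def parse_crypto_acl(text):
    """Return (src_net, dst_net) pairs for each permit-ip ACE in the text."""
    aces = []
    for raw in text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            aces.append((src, dst))
    return aces


def fmt(ace):
    return f"{ace[0]} -> {ace[1]}"


def mirror_report(local_aces, remote_aces):
    """Every local (src, dst) needs a remote (dst, src) and vice versa.
    Results are expressed in the local (hub) orientation."""
    local_set = set(local_aces)
    remote_as_local = {(d, s) for s, d in remote_aces}
    return {
        "matched": sorted(map(fmt, local_set & remote_as_local)),
        "missing_on_remote": sorted(map(fmt, local_set - remote_as_local)),
        "missing_on_local": sorted(map(fmt, remote_as_local - local_set)),
    }


def aces_covering_peers(aces, peer_a, peer_b):
    """ACEs whose networks contain both tunnel endpoints: these classify the
    peers' own IKE/ESP packets as interesting traffic."""
    a, b = ipaddress.ip_address(peer_a), ipaddress.ip_address(peer_b)
    return [fmt((s, d)) for s, d in aces if (a in s and b in d) or (b in s and a in d)]


def check_tunnel():
    local = parse_crypto_acl(LOCAL_CRYPTO_ACL)
    remote = parse_crypto_acl(REMOTE_CRYPTO_ACL)
    report = mirror_report(local, remote)
    report["local_aces_covering_peers"] = aces_covering_peers(local, LOCAL_PEER, REMOTE_PEER)
    report["remote_aces_covering_peers"] = aces_covering_peers(remote, LOCAL_PEER, REMOTE_PEER)
    return report


if __name__ == "__main__":
    for key, value in check_tunnel().items():
        print(f"{key}: {value or '-'}")
```

On the posted configs the 10.10.10.0/24 to 10.10.50.0/24 pair is mirrored on both ends, so this check by itself does not explain the failed ping; what it does flag is the spoke-only 140.32.132.0/24 to 6.7.0.0/24 line (covering both peers, which is the line the 02:35 PM reply points at) and a spoke-only 10.10.40.0/24 line with no mirror on the hub. To see whether echoes are actually being encrypted and whether anything comes back, compare the #pkts encaps and #pkts decaps counters in `show crypto ipsec sa peer 140.32.132.73` on the 5520 while pinging, and on the 5510 the CLI form of the ICMP packet tracer is `packet-tracer input inside icmp 10.10.50.2 8 0 10.10.10.4 detailed`.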
10-07-2010 02:20 PM
I would use packet tracer to troubleshoot this. It's much more accurate at finding the problem. You can simulate the traffic and watch what phase it fails on as it passes through the firewall. This will identify whether it is a NAT problem or an ACL typo or whatever.
I found a good little intro demo in case you're not familiar with it:
http://www.cisco.com/E-Learning/bulk/public/celc/QLM_ASA_72_01_Final/course_skin.html
10-07-2010 02:35 PM
I'm thinking the problem is at the new remote site, as the other remotes are all working.
This line stands out as being not correct.
access-list outside_1_cryptomap extended permit ip 140.32.132.0 255.255.255.0 6.7.0.0 255.255.255.0
It is probably causing your FW to encrypt the ISAKMP traffic it needs to send in clear text. Try removing that line.
10-07-2010 02:40 PM
OK, I erased that line and also the one like it on the remote end. Still no success. The 2941 on the remote side has a default route of 10.10.50.1, which is the inside interface of the ASA. It seems like the ASA isn't routing the request to the 2941?
10-07-2010 02:46 PM
I only saw that line on the remote site. Are you saying it was configured on the hub router too?
Try using the packet tracer. That will tell us right off the bat where our problem lies.
10-07-2010 02:58 PM
OK, I initiated the packet tracer. I have never done this before, but here is how I set it up. For interface type I selected inside, and then for source IP I put the IP of the 2941 from my local side. For the destination I put the IP of the 2941 on the remote side. I selected ICMP and hit start. When it was finished it said for the result "the packet is allowed", but when I initiate this ping from the actual 2941, it does not work.
For the remote ASA the ASDM is not set up, so I do not know how to do the packet tracer from that side.
10-07-2010 03:03 PM
hmmm, strange...
The command from the CLI is: packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port detailed
Give that a shot for the other office.
ASAs and PIXes are a bit buggy with VPN. Try reloading the remote firewall. I know this sounds stupid, but I have pulled my hair out before for hours and had a reload do the trick.
10-07-2010 03:06 PM
OK, I will give it a shot. Is it true that you cannot SSH or telnet from an ASA to another router?
10-07-2010 03:09 PM
That is true. They also will not respond to pings on their outside interfaces by default and block traceroutes.
10-07-2010 03:14 PM
No success with the reload. This really has me baffled. I'm going to have the techs on the remote side send me a printout of the 2941 configuration. I am pretty sure their default route is set to the ASA, but I should double check.
10-07-2010 03:50 PM
Default routes on the 2941s are set. I do not understand why I cannot ping across my VPN. Anyone have any ideas or solutions to test?