Connected but can't ping internal LAN

May 4th, 2007

A VPN client is successfully connected but can't ping any internal network. I have a show crypto output here ... my config was never changed and was working before.



sh crypto ipsec sa | beg 12.193.124.74

current_peer: 12.193.124.74:42679

dynamic allocated peer ip: 172.16.1.105


PERMIT, flags={transport_parent,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 241, #pkts decrypt: 241, #pkts verify 241

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0


local crypto endpt.: 65.248.74.50, remote crypto endpt.: 12.193.124.74

path mtu 1500, ipsec overhead 64, media mtu 1500

current outbound spi: 53d90a0e


inbound esp sas:

spi: 0xaaa61839(2863011897)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel UDP-Encaps, }

slot: 0, conn id: 15, crypto map: outside_map

sa timing: remaining key lifetime (k/sec): (4607974/27671)

IV size: 8 bytes

replay detection support: Y



inbound ah sas:



inbound pcp sas:



++++++++++++++++++++++++++++++++++++

spi 0, message ID = 1916052501

ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 44511908

ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 3164594634

ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 1976932664

ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 180126391

ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANSu all




ggilbert Sat, 05/05/2007 - 08:11

Hi Gerard,


From the output that you sent, it seems that the packets are reaching the device and getting decrypted, but not returning.


#pkts encaps: 0, #pkts encrypt: 0,

#pkts decaps: 241, #pkts decrypt: 241,


What is the head end device? Can you check your NAT entries or see if there is any kind of route that is missing on your internal network?


If you could post the config of the head end device, I can take a look at it and let you know.


Cheers

Gilbert
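The counter check described in the reply above, as an added example that is not part of the original thread: a Python parser for `show crypto ipsec sa` text that flags peers whose SAs carry traffic in one direction only. The first peer in the sample uses the counters quoted in the thread; the two 192.0.2.x peers and all function names are constructed for illustration.

```python
import re

# Constructed sample: the first peer uses the counters quoted in the thread;
# the two 192.0.2.x peers are invented for contrast.
SAMPLE = """\
current_peer: 12.193.124.74:42679
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 241, #pkts decrypt: 241, #pkts verify 241
#send errors 0, #recv errors 0
current_peer: 192.0.2.10:500
#pkts encaps: 88, #pkts encrypt: 88, #pkts digest 88
#pkts decaps: 90, #pkts decrypt: 90, #pkts verify 90
current_peer: 192.0.2.20:500
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest 15
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""

PEER = re.compile(r"current_peer:\s*(\S+)")
COUNTER = re.compile(r"#(pkts \w+|send errors|recv errors):?\s+(\d+)")

def parse_sas(text):
    """Return {peer: {counter: total}} summed over every SA listed for a peer."""
    sas, current = {}, None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            current = sas.setdefault(m.group(1), {})
        elif current is not None:
            for name, value in COUNTER.findall(line):
                current[name] = current.get(name, 0) + int(value)
    return sas

def classify(counters):
    enc, dec = counters.get("pkts encaps", 0), counters.get("pkts decaps", 0)
    if dec and not enc:
        # Peer traffic is decrypted but no reply is ever encrypted: the case
        # in the thread. Check NAT exemption and inside return routes.
        return "inbound-only"
    if enc and not dec:
        return "outbound-only"  # we send, nothing comes back from the peer
    return "bidirectional" if enc else "idle"

def report(text):
    return {peer: classify(c) for peer, c in parse_sas(text).items()}

if __name__ == "__main__":
    for peer, state in report(SAMPLE).items():
        print(f"{peer:24} {state}")
```
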


evelynpm52 Thu, 08/09/2012 - 11:40

I have the same problem. Could you help me solve it? I have a PIX 515E 6.3 (dynamic IP) and an ASA 5515 (static IP).




Pix 515E:




access-list 101 permit ip 198.155.164.0 255.255.255.0 198.155.162.0 255.255.255.0


ip address outside dhcp setroute


ip address inside 198.155.164.254 255.255.255.0


global (outside) 1 interface


nat (inside) 0 access-list 101


nat (inside) 1 198.155.0.0 255.255.0.0 0 0


crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac


crypto map outside_map 10 ipsec-isakmp


crypto map outside_map 10 match address 101


crypto map outside_map 10 set pfs


crypto map outside_map 10 set peer


crypto map outside_map 10 set transform-set ESP-3DES-MD5


crypto map outside_map interface outside


isakmp enable outside


isakmp key ******** address netmask 255.255.255.255


isakmp identity address


isakmp nat-traversal 20


isakmp policy 10 authentication pre-share


isakmp policy 10 encryption 3des


isakmp policy 10 hash md5


isakmp policy 10 group 2


isakmp policy 10 lifetime 86400








ASA 5510:




interface Ethernet0/0


description Interfase enlace


nameif outside


security-level 0


ip address 255.255.255.240


!


interface Ethernet0/1


description Red KE


nameif inside


security-level 100


ip address 198.155.162.253 255.255.255.0


!


access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 VPNKOBINT 255.255.255.0


access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 VPNKOBINT2 255.255.255.192


access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 198.155.163.0 255.255.255.0


access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 198.155.164.0 255.255.255.0


global (outside) 1 netmask 25


global (outside) 1




nat (inside) 0 access-list inside_nat0_outbound


nat (inside) 1 0.0.0.0 0.0.0.0




crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac


crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac


crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac


crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac


crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac


crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac


crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac


crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac


crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac


crypto ipsec security-association lifetime seconds 86400


crypto ipsec security-association lifetime kilobytes 4608000


crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set pfs group1


crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set ESP-3DES-MD5 ESP-DES-MD5


crypto map outside_map 10 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP


crypto map outside_map interface outside


crypto isakmp enable outside


crypto isakmp policy 10


authentication pre-share


encryption 3des


hash md5


group 2


lifetime 86400




tunnel-group DefaultL2LGroup ipsec-attributes


pre-shared-key *




____________




On the ASA 5510 8.2 I have configured 3 remote-access tunnels and they are functioning OK.
