
Connected but can't ping internal LAN

Gerard Gacusan
Level 1

A VPN client is successfully connected but can't ping any internal network. I have a show crypto output here ... my config was never changed and was working before.

sh crypto ipsec sa | beg 12.193.124.74

current_peer: 12.193.124.74:42679

dynamic allocated peer ip: 172.16.1.105

PERMIT, flags={transport_parent,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 241, #pkts decrypt: 241, #pkts verify 241

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 65.248.74.50, remote crypto endpt.: 12.193.124.74

path mtu 1500, ipsec overhead 64, media mtu 1500

current outbound spi: 53d90a0e

inbound esp sas:

spi: 0xaaa61839(2863011897)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel UDP-Encaps, }

slot: 0, conn id: 15, crypto map: outside_map

sa timing: remaining key lifetime (k/sec): (4607974/27671)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

++++++++++++++++++++++++++++++++++++

spi 0, message ID = 1916052501

ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 44511908

ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 3164594634

ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 1976932664

ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:12.193.124.74, dest:65.248.74.50 spt:42679 dpt:4500

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 180126391

ISAMKP (0): received DPD_R_U_THERE from peer 12.193.124.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANSu all


ggilbert
Cisco Employee

Hi Gerard,

From the output that you sent, it seems that the packets are reaching the device and getting decrypted, but nothing is returning.

#pkts encaps: 0, #pkts encrypt: 0,

#pkts decaps: 241, #pkts decrypt: 241,

What is the head end device? Can you check your NAT entries or see if there is any kind of route that is missing on your internal network?

If you could post the config of the head end device, I can take a look at it and let you know.

Cheers

Gilbert

I have the same problem. Could you help me solve it? I have a PIX 515E 6.3 (dynamic IP) and an ASA 5515 (static IP).

Pix 515E:

access-list 101 permit ip 198.155.164.0 255.255.255.0 198.155.162.0 255.255.255.0

ip address outside dhcp setroute

ip address inside 198.155.164.254 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 198.155.0.0 255.255.0.0 0 0

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 10 ipsec-isakmp

crypto map outside_map 10 match address 101

crypto map outside_map 10 set pfs

crypto map outside_map 10 set peer

crypto map outside_map 10 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address netmask 255.255.255.255

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

ASA 5510:

interface Ethernet0/0

description Interfase enlace

nameif outside

security-level 0

ip address 255.255.255.240

!

interface Ethernet0/1

description Red KE

nameif inside

security-level 100

ip address 198.155.162.253 255.255.255.0

!

access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 VPNKOBINT 255.255.255.0

access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 VPNKOBINT2 255.255.255.192

access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 198.155.163.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 198.155.162.0 255.255.255.0 198.155.164.0 255.255.255.0

global (outside) 1 netmask 25

global (outside) 1

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set ESP-3DES-MD5 ESP-DES-MD5

crypto map outside_map 10 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

____________

On the ASA 5510 8.2 I have configured 3 remote-access tunnels and they are functioning OK.
