ICMP problems sourcing from ASA to VPN tunneled addresses

May 16th, 2007

We have several ASA5505's at remote offices with ipsec 3des L2L VPN tunnels to our hub ASA5540's. Pings work fine from devices behind both endpoints of the VPN tunnels, but pings sourced from the ASA5505's to devices behind the hub ASA5540 fail. In running a debug icmp trace on the ASA5505, I see the source ip being the outside, public ip address.

Other services like aaa tacacs do not work as well because the aaa server, defined with a private ip and located behind the ASA5540, cannot be reached (show aaa-server shows tacacs server as failed, even though config on the ASA5505 points to the aaa server on the outside interface).

Any thoughts on this?

Thanks,

-Scott

acomiskey Wed, 05/16/2007 - 11:21

Sure, the outside interface addresses of the 5505's are not defined as interesting traffic on the tunnel. Add the interface ip addresses to the crypto acl's and you should be ok.

Your issue is very similar to this document which explains syslogging over a vpn tunnel, where the remote pix is using its public ip as source address. It is solved by adding the public ip as described above.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

please rate if it helps

acomiskey Wed, 05/16/2007 - 11:29

5505's

access-list extended permit ip host

5540

access-list extended permit ip host

swharvey Wed, 05/16/2007 - 11:31

Thanks, both are good information. This unfortunately brings up possible complications. How do I add the outside interface ip address to the crypto acl if the DSL/Cable connections for these soho systems have external interface addresses that are assigned dynamically through dhcp from the ISP?

I would think there is a way to change the source addresses that the ASA's use for things like tacacs, syslog, etc.

acomiskey Wed, 05/16/2007 - 11:53

You would think you would be able to...but more often than not, that means you can't.

Someone chime in here...

swharvey Wed, 06/06/2007 - 09:51

I found the answer to most of my problems. In documentation I read, it stated that you need to define the outside interface as the source, then define that interface/ip as interesting traffic, and permit that ip through the tunnel. The answer is to change the source to the inside interface. This works for ntp, tacacs+, syslog, and icmp. You can solve the tftp problem as well by defining the tftp server, source interface, and filename, but I've put in a request to have the need for the filename removed so you can upload/download various files using the copy tftp disk0: or copy running-config tftp, etc.

See below for actual command syntax to these issues:

icmp to inside asa5505 interface from device behind remote vpn: management-access inside

ntp server via vpn tunnel: ntp server x.x.x.x source inside

tacacs+ server via vpn tunnel: aaa-server TACACS+ (inside) host x.x.x.x

**tftp server via vpn tunnel: tftp data x.x.x.x

Hope this helps others. :)

-Scott
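A configuration fragment, added here as an example and not taken from any poster's config, that puts the thread's final answer together on the spoke ASA5505: the crypto ACL covers only the private LANs, and every ASA-originated service is bound to the inside interface, whose static address already falls inside that ACL, so the DHCP-assigned outside address never needs to appear in the crypto ACL. All addresses, names, the hub peer, the TACACS+ key and the file path are constructed placeholders.

```text
! --- Spoke ASA5505 (constructed addressing) ---
! Inside LAN 192.168.10.0/24 (inside interface 192.168.10.1), hub LANs 10.0.0.0/16,
! hub outside peer 203.0.113.1. The hub side carries the mirror image of VPN-TO-HUB.

! Crypto ACL: the inside interface address is part of 192.168.10.0/24, so anything
! the ASA sources from "inside" is already interesting traffic.
access-list VPN-TO-HUB extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-HUB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside

! Weak form (fails): no source interface, so the ASA uses the outside (DHCP) address.
! That address is not in VPN-TO-HUB, the packet misses the tunnel, and the far end
! never sees it. Shown commented out for comparison only.
! ntp server 10.0.1.5
! aaa-server TACACS (outside) host 10.0.1.6 PLACEHOLDER_TACACS_KEY

! Corrected form: bind each ASA-originated service to the inside interface.
! Allows ICMP/management to the inside interface address from the far side of the tunnel.
management-access inside
ntp server 10.0.1.5 source inside
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.0.1.6 PLACEHOLDER_TACACS_KEY
logging host inside 10.0.1.7
tftp-server inside 10.0.1.8 /configs/asa5505-running.cfg

! Checks after applying:
! show aaa-server TACACS     -> host state should no longer read FAILED
! show crypto ipsec sa       -> encaps/decaps counters for 192.168.10.0/24 <-> 10.0.0.0/16 increment
```

On the hub ASA5540 the crypto ACL is simply the reverse (source 10.0.0.0/16, destination 192.168.10.0/24); because the spokes' outside addresses are dynamic, the hub would normally terminate them on a dynamic crypto map rather than a static peer entry, but the source-interface commands above are what make the spoke's own traffic match either way.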
