ICMP problems sourcing from ASA to VPN tunneled addresses

swharvey
Level 3

We have several ASA5505's at remote offices with ipsec 3des L2L VPN tunnels to our hub ASA5540's. Pings work fine from devices behind both endpoints of the VPN tunnels, but pings sourced from the ASA5505's to devices behind the hub ASA5540 fail. In running a debug icmp trace on the ASA5505, I see the source ip being the outside, public ip address.

Other services like aaa tacacs do not work as well because the aaa server, defined with a private ip and located behind the ASA5540, cannot be reached (show aaa-server shows tacacs server as failed, even though config on the ASA5505 points to the aaa server on the outside interface).

Any thoughts on this?

Thanks,

-Scott

5 Replies

acomiskey
Level 10

Sure, the outside interface addresses of the 5505's are not defined as interesting traffic on the tunnel. Add the interface ip addresses to the crypto ACLs and you should be ok.

Your issue is very similar to this document which explains syslogging over a vpn tunnel, where the remote pix is using its public ip as source address. It is solved by adding the public ip as described above.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

please rate if it helps

5505's

access-list extended permit ip host

5540

access-list extended permit ip host

Thanks, both are good information. This unfortunately brings up possible complications. How do I add the outside interface ip address to the crypto acl if the DSL/Cable connections for these soho systems have external interface addresses that are assigned dynamically through dhcp from the ISP?

I would think there is a way to change the source addresses that the ASA's use for things like tacacs, syslog, etc.

You would think you would be able to...but more often than not, that means you can't.

Someone chime in here...

I found the answer to most of my problems. In documentation I read, it stated that you need to define the outside interface as the source, then define that interface/ip as interesting traffic, and permit that ip through the tunnel. The answer is to change the source to the inside interface. This works for ntp, tacacs+, syslog, and icmp. You can solve the tftp problem as well by defining the tftp server, source interface, and filename, but I've put in a request to have the need for the filename removed so you can upload/download various files using the copy tftp disk0: or copy running-config tftp, etc.

See below for actual command syntax to these issues:

icmp to inside asa5505 interface from device behind remote vpn: management-access inside

ntp server via vpn tunnel: ntp server x.x.x.x source inside

tacacs+ server via vpn tunnel: aaa-server TACACS+ (inside) host x.x.x.x

**tftp server via vpn tunnel: tftp-server inside x.x.x.x <filename>

Hope this helps others. :)

-Scott
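To show the fix from the previous reply in one place, here is an added ASA spoke configuration that is not from the thread or from Cisco documentation. Every address is a constructed placeholder (192.168.10.0/24 spoke LAN, 10.1.0.0/16 hub LAN, 10.1.0.10 for the TACACS+/syslog/NTP/TFTP server, 203.0.113.5 as the hub peer), and the object names (L2L-HUB, OUTSIDE-MAP, ESP-3DES-SHA) are assumed. The point it illustrates is why sourcing from "inside" works even when the outside address comes from DHCP: the inside interface address is static and already sits inside the crypto ACL's source subnet, so management traffic sourced from it is interesting traffic without any change to the ACL. NAT exemption for the LAN-to-LAN traffic is assumed to be in place already, since the thread says pings between the LANs work.

```cisco
! Added example, not the poster's configuration. All addresses are constructed.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Interesting traffic is the static inside subnet, not the dynamic outside IP.
! The inside interface address (192.168.10.1) is covered by this line, so
! anything the ASA sources from "inside" is encrypted and sent to the hub.
access-list L2L-HUB extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-HUB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.5
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Let the inside interface address be reached (pinged, managed) through the
! tunnel from hosts behind the hub.
management-access inside
!
! Source each service from "inside" so its packets match L2L-HUB.
ntp server 10.1.0.10 source inside
logging host inside 10.1.0.10
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.0.10
 key <shared-secret-placeholder>
! tftp-server still needs a filename, as the thread notes.
tftp-server inside 10.1.0.10 asa-backup.cfg
```

To test from the spoke itself, ping the hub-side server with the interface named explicitly (`ping inside 10.1.0.10`); without the interface the ASA picks the outside address as source, which is exactly the symptom the debug icmp trace showed. The hub's crypto ACL is the mirror image (10.1.0.0/16 to 192.168.10.0/24), and because the spoke's peer address is dynamic the hub side must accept the spoke through a dynamic crypto map rather than a static peer entry.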
