05-29-2007 08:28 AM
Last week I had an issue with connectivity to adjacent networks that was resolved, or so I thought.
Once I identified my adjacent network (192.168.1.x) as interesting traffic I was able to somewhat see the other network. I can connect to the other network (10.0.1.x) via Remote Desktop (TCP 3389) and Proxy Remote (UDP 1505) and can also map a drive to a file server at the remote site; what I can't do is ping any of the servers at the remote site (10.0.1.x).
I CAN ping between the 2 L2L VPN sites (10.0.1.x and 172.16.0.x); I just can't ping from the 192.168.1.x site (adjacent to 172.16.0.x) to the remote (10.0.1.x) site.
any thoughts?
05-29-2007 08:34 AM
Is there an access-list applied to the inside of the Corp. ASA?
05-29-2007 08:46 AM
Here's some ACL info from the configs.
CORP ASA
access-list 140 extended permit ip 172.16.0.0 255.255.248.0 10.0.1.0 255.255.255.0
access-list 140 extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.248.0 10.0.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
Remote ASA
access-list 130 extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.248.0
access-list 130 extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.248.0
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
***Reminder***The 192.168.1.0 network is adjacent to the 172.16.0.0 network (routing b/w them is accomplished with 3650 switch) and the 10.0.1.0 network is the remote site.
thanks.
05-29-2007 09:29 AM
You have these things configured for the encryption access-list. Is there any other access-list applied to the inside interface of these ASAs?
Create an access-list from the host you are pinging from to the host you are pinging to, on the head end ASA and the remote end ASA.
Then apply that access-list to capture on the inside interface.
Collect the capture to see if the icmp return packets are coming back.
Let us know.
Note: If you need to know how to do the capture, let me know the IP addresses you are trying to ping from and ping to.
Cheers
Gilbert
05-29-2007 09:31 AM
"Note: If you need to know how to do the capture, let me know the IP addresses you are trying to ping from and ping to."
Ping from 10.0.1.14 to 192.168.1.14
**No other access-list applied to the inside interface of the ASAs. Can you apply more than 1 access-list to the inside interface?
thanks.
05-29-2007 09:38 AM
You can't apply more than one access-group to the inside interface.
access-list capture permit ip host 10.0.1.14 host 192.168.1.14
access-list capture permit ip host 192.168.1.14 host 10.0.1.14
capture cap access-list capture interface inside
After applying this, send me the output of "sh cap"
Thanks
Gilbert
05-29-2007 09:46 AM
C:\Documents and Settings\Administrator.SBS_DOMAIN>ping 10.0.1.14
Pinging 10.0.1.14 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.1.14:
HeadEnd at CORp
SBSMIA-ASA5510# sh cap
capture cap type raw-data access-list capture buffer 1500 interface inside [Capturing - 336 bytes]
Remote ASA
NY-COLO-ASA5510# sh cap
capture cap type raw-data access-list capture buffer 1500 interface inside [Capturing - 336 bytes]
thanks.
05-29-2007 10:43 AM
ok - the reason I asked for sh cap output was to see if the capture command took effect or not.
Issue, the following commands
cle cap cap
Then ping the host 10.0.1.14.
Issue the commands:
sh cap cap
on both the ASA's and send me the output.
Cheers
Gilbert
05-29-2007 11:11 AM
CORP HeadEnd ASA
SBSMIA-ASA5510# sh cap cap
4 packets captured
1: 15:06:03.245653 192.168.1.14 > 10.0.1.14: icmp: echo request
2: 15:06:08.716576 192.168.1.14 > 10.0.1.14: icmp: echo request
3: 15:06:14.216984 192.168.1.14 > 10.0.1.14: icmp: echo request
4: 15:06:19.718422 192.168.1.14 > 10.0.1.14: icmp: echo request
4 packets shown
Remote ASA
NY-COLO-ASA5510# sh cap cap
4 packets captured
1: 15:06:05.384272 10.0.1.14 > 192.168.1.14: icmp: echo reply
2: 15:06:10.855378 10.0.1.14 > 192.168.1.14: icmp: echo reply
3: 15:06:16.355450 10.0.1.14 > 192.168.1.14: icmp: echo reply
4: 15:06:21.856935 10.0.1.14 > 192.168.1.14: icmp: echo reply
4 packets shown
these were the results of me pinging 10.0.1.14 FROM 192.168.1.14
thanks again.
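The two captures above show the asymmetry that matters here: echo requests leave the head-end ASA's inside interface and echo replies leave the remote ASA's inside interface, but no reply ever appears on the head-end side. The following script is an added example, not something posted in this thread; it parses "show capture" output in the format shown above (the sample text is copied from the two posts), counts echo requests and replies per direction on each ASA, and reports where the exchange stops. The function names are the example's own, and it assumes both captures were taken on the inside interface as Gilbert instructed.

```python
"""Compare ASA 'show capture' output from two firewalls to locate where an
ICMP echo/reply flow across a site-to-site VPN breaks.

Added example, not from the thread. The capture text below is copied from the
thread's own "sh cap cap" output; function names are the example's own.
"""
import re
from collections import Counter

# One line of ASA "show capture" output for an ICMP echo packet, e.g.
#   1: 15:06:03.245653 192.168.1.14 > 10.0.1.14: icmp: echo request
CAPTURE_LINE = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\b"
)

# Sample input: the head-end capture from the thread (inside interface).
HEAD_END_CAPTURE = """\
SBSMIA-ASA5510# sh cap cap
4 packets captured
1: 15:06:03.245653 192.168.1.14 > 10.0.1.14: icmp: echo request
2: 15:06:08.716576 192.168.1.14 > 10.0.1.14: icmp: echo request
3: 15:06:14.216984 192.168.1.14 > 10.0.1.14: icmp: echo request
4: 15:06:19.718422 192.168.1.14 > 10.0.1.14: icmp: echo request
4 packets shown
"""

# Sample input: the remote-site capture from the thread (inside interface).
REMOTE_CAPTURE = """\
NY-COLO-ASA5510# sh cap cap
4 packets captured
1: 15:06:05.384272 10.0.1.14 > 192.168.1.14: icmp: echo reply
2: 15:06:10.855378 10.0.1.14 > 192.168.1.14: icmp: echo reply
3: 15:06:16.355450 10.0.1.14 > 192.168.1.14: icmp: echo reply
4: 15:06:21.856935 10.0.1.14 > 192.168.1.14: icmp: echo reply
4 packets shown
"""


def parse_capture(text):
    """Extract (src, dst, kind) for every ICMP echo line; other lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if m:
            packets.append((m["src"], m["dst"], m["kind"]))
    return packets


def count_flows(packets):
    """Count packets per (src, dst, kind) so each direction is checked separately."""
    return Counter(packets)


def diagnose(head_end_text, remote_text, client, server):
    """Return a list of findings describing where the echo/reply exchange stops.

    client: the pinging host behind the head-end ASA
    server: the pinged host behind the remote ASA
    Both captures are assumed to come from each ASA's inside interface.
    """
    head = count_flows(parse_capture(head_end_text))
    remote = count_flows(parse_capture(remote_text))
    req_head = head[(client, server, "request")]
    rep_remote = remote[(server, client, "reply")]
    rep_head = head[(server, client, "reply")]
    findings = []
    if req_head == 0:
        findings.append("no echo requests from %s seen on the head-end inside interface; "
                        "the request is not reaching the head-end ASA" % client)
    elif rep_remote == 0:
        findings.append("requests leave the head end but %s generates no replies; "
                        "check the request path through the tunnel and the host itself" % server)
    elif rep_head == 0:
        findings.append("%d replies from %s seen on the remote inside interface, none on the "
                        "head-end inside interface: the return path is broken between the "
                        "remote ASA and the head end (check how the remote ASA routes the "
                        "reply, and whether it is selected for the tunnel)" % (rep_remote, server))
    else:
        findings.append("replies reach the head-end inside interface; if the client still "
                        "times out, look at the inside L3 switch or the client host")
    return findings


if __name__ == "__main__":
    for finding in diagnose(HEAD_END_CAPTURE, REMOTE_CAPTURE, "192.168.1.14", "10.0.1.14"):
        print(finding)
```

Run against the thread's captures it reports the third case: replies leave the remote ASA's inside interface but never appear at the head end, which points at the return path on the remote ASA rather than at the pinging host or the encryption ACLs.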
05-29-2007 11:35 AM
Robert,
So, this clearly points us back to the issue of ICMP packets not reaching the head end ASA from the remote side or the head end ASA not sending the ICMP packets to the inside interface.
Either one of the two is happening.
What do you see in the output of
"sh asp drop" & "sh log"
Cle the log and issue the command " clea asp drop"
Then try this again.
Issue the commands, "sh log" and " sh asp drop"
See if there are problem with translation or so.
Cheers
Gilbert
05-29-2007 12:03 PM
I have the following:
Remote ASA
NY-COLO-ASA5510# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 20, 102 messages logged
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 104 messages logged
NY-COLO-ASA5510# sh asp drop
Frame drop:
Flow is denied by configured rule 22
TCP DUP and has been ACKed 38
FP L2 rule drop 1
Flow drop:
Head end ASA
SBSMIA-ASA5510# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 20, 11191 messages logged
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 11364 messages logged
SBSMIA-ASA5510# sh asp drop
Frame drop:
Flow is denied by configured rule 52
TCP RST/FIN out of order 1
TCP Out-of-Order packet buffer full 37
TCP Out-of-Order packet buffer timeout 3
TCP DUP and has been ACKed 73
FP L2 rule drop 25
Flow drop:
thanks
robert
05-30-2007 07:18 AM
Problem resolved.
Had a route added on the remote ASA back to the adjacent network. Removed the route and problem solved.
thanks.
05-30-2007 08:30 AM
Excellent!!
Gilbert