ICMP Issue with adjacent networks to VPN.

robert.acosta
Level 1

Last week I had an issue with connectivity to adjacent networks that was resolved, or so I thought.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dde8ae1

Once I identified my adjacent network (192.168.1.x) as interesting traffic I was able to somewhat see the other network. I can connect to the other network (10.0.1.x) via Remote Desktop (TCP 3389) and Proxy Remote(UDP 1505) and can also map a drive to a file server at the remote site, what I can't do is ping any of the servers at the remote site (10.0.1.x).

I CAN ping between the 2 L2L VPN sites (10.0.1.x and 172.16.0.x) just can't ping from the 192.168.1.x site (adjacent to 172.16.0.x) to the remote (10.0.1.x) site.

any thoughts?

12 Replies

acomiskey
Level 10

Is there an access-list applied to the inside of the Corp. ASA?

Here's some ACL info from the configs.

CORP ASA

access-list 140 extended permit ip 172.16.0.0 255.255.248.0 10.0.1.0 255.255.255.0

access-list 140 extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list nonat extended permit ip 172.16.0.0 255.255.248.0 10.0.1.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

Remote ASA

access-list 130 extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.248.0

access-list 130 extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.248.0

access-list nonat extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

***Reminder*** The 192.168.1.0 network is adjacent to the 172.16.0.0 network (routing between them is accomplished with a 3650 switch) and the 10.0.1.0 network is the remote site.

thanks.
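A quick way to sanity-check the two configs above before going to captures is to confirm that the crypto ACLs are exact mirror images of each other and that every crypto pair is also NAT-exempted. The script below is an added example (not code from the thread or from Cisco) that parses the posted ACL lines; it only understands the "permit ip net mask net mask" form used here, and the ACL names 140, 130 and nonat are taken from the posts.

```python
import re
from ipaddress import IPv4Network

# Constructed copies of the ACL lines posted in the thread (head-end "CORP" ASA and remote ASA).
CORP_ACLS = """
access-list 140 extended permit ip 172.16.0.0 255.255.248.0 10.0.1.0 255.255.255.0
access-list 140 extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.248.0 10.0.1.0 255.255.255.0
"""

REMOTE_ACLS = """
access-list 130 extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.248.0
access-list 130 extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.248.0
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Only the "permit ip <net> <mask> <net> <mask>" form used in the thread is parsed;
# host/any/object forms are ignored by this example.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_aces(text):
    """Map ACL name -> set of (src_net, dst_net) IPv4Network pairs."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        pair = (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}"))
        acls.setdefault(name, set()).add(pair)
    return acls


def mirror_gaps(local_pairs, remote_pairs):
    """Crypto ACEs on one side that have no exact mirror image (dst, src) on the other side."""
    missing_on_remote = {(s, d) for (s, d) in local_pairs if (d, s) not in remote_pairs}
    missing_on_local = {(s, d) for (s, d) in remote_pairs if (d, s) not in local_pairs}
    return missing_on_remote, missing_on_local


def nat_exempt_gaps(acls, crypto_name, nonat_name="nonat"):
    """Crypto ACEs whose src/dst pair is not covered by a NAT-exemption ACE (same or wider nets)."""
    nonat = acls.get(nonat_name, set())
    return {
        (s, d) for (s, d) in acls.get(crypto_name, set())
        if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)
    }


if __name__ == "__main__":
    corp, remote = parse_aces(CORP_ACLS), parse_aces(REMOTE_ACLS)
    print("mirror gaps:", mirror_gaps(corp["140"], remote["130"]))
    print("CORP nat-exempt gaps:", nat_exempt_gaps(corp, "140"))
    print("remote nat-exempt gaps:", nat_exempt_gaps(remote, "130"))
```

For the configs in this thread both checks come back empty, which is why the next step in the discussion is a packet capture rather than an ACL fix.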

You have these things configured for the encryption access-list. Is there any other access-list applied to the inside interface of these ASA's?

create an access-list from the host you are trying to ping - to the host you are pinging to, on the head end ASA and the remote end ASA.

Then apply that access-list to capture on the inside interface.

Collect the capture to see if the icmp return packets are coming back.

Let us know.

Note: If you need to know how to do the capture, let me know the IP addresses you are trying to ping from and ping to.

Cheers

Gilbert

"Note: If you need to know how to do the capture, let me know the IP addresses you are trying to ping from and ping to."

Ping from 10.0.1.14 to 192.168.1.14

**no other access-list applied to the inside interface of the ASA's. Can you apply more than 1 access-list to the inside interface?

thanks.

You can't apply more than one access-group to the inside interface.

access-list capture permit ip host 10.0.1.14 host 192.168.1.14

access-list capture permit ip host 192.168.1.14 host 10.0.1.14

capture cap access-list capture interface buffer 1500

After applying this, send me the output of "sh cap"

Thanks

Gilbert

C:\Documents and Settings\Administrator.SBS_DOMAIN>ping 10.0.1.14

Pinging 10.0.1.14 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 10.0.1.14:

HeadEnd at CORP

SBSMIA-ASA5510# sh cap

capture cap type raw-data access-list capture buffer 1500 interface inside [Capturing - 336 bytes]

Remote ASA

NY-COLO-ASA5510# sh cap

capture cap type raw-data access-list capture buffer 1500 interface inside [Capturing - 336 bytes]

thanks.

ok - the reason I asked for sh cap output was to see if the capture command took effect or not.

Issue the following command:

cle cap cap

Then ping the host 10.0.1.14.

Issue the commands:

sh cap cap

on both the ASA's and send me the output.

Cheers

Gilbert

CORP HeadEnd ASA

SBSMIA-ASA5510# sh cap cap

4 packets captured

1: 15:06:03.245653 192.168.1.14 > 10.0.1.14: icmp: echo request

2: 15:06:08.716576 192.168.1.14 > 10.0.1.14: icmp: echo request

3: 15:06:14.216984 192.168.1.14 > 10.0.1.14: icmp: echo request

4: 15:06:19.718422 192.168.1.14 > 10.0.1.14: icmp: echo request

4 packets shown

Remote ASA

NY-COLO-ASA5510# sh cap cap

4 packets captured

1: 15:06:05.384272 10.0.1.14 > 192.168.1.14: icmp: echo reply

2: 15:06:10.855378 10.0.1.14 > 192.168.1.14: icmp: echo reply

3: 15:06:16.355450 10.0.1.14 > 192.168.1.14: icmp: echo reply

4: 15:06:21.856935 10.0.1.14 > 192.168.1.14: icmp: echo reply

4 packets shown

these were the results of me pinging 10.0.1.14 FROM 192.168.1.14

thanks again.
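The two captures above are the whole diagnosis: the head-end inside interface sees only echo requests going out and the remote inside interface sees only echo replies coming in, so the replies are being lost somewhere between the two ASAs. The script below is an added example (not code from the thread) that parses this "sh cap cap" text format, counts requests and replies per capture point, pairs each request with a reply inside a time window, and states which direction is missing. The 2-second window is an assumption chosen for the 5-second ping interval seen in the timestamps.

```python
import re
from collections import Counter

# Constructed copies of the two "sh cap cap" outputs posted above.
HEADEND_CAP = """
4 packets captured
1: 15:06:03.245653 192.168.1.14 > 10.0.1.14: icmp: echo request
2: 15:06:08.716576 192.168.1.14 > 10.0.1.14: icmp: echo request
3: 15:06:14.216984 192.168.1.14 > 10.0.1.14: icmp: echo request
4: 15:06:19.718422 192.168.1.14 > 10.0.1.14: icmp: echo request
4 packets shown
"""

REMOTE_CAP = """
4 packets captured
1: 15:06:05.384272 10.0.1.14 > 192.168.1.14: icmp: echo reply
2: 15:06:10.855378 10.0.1.14 > 192.168.1.14: icmp: echo reply
3: 15:06:16.355450 10.0.1.14 > 192.168.1.14: icmp: echo reply
4: 15:06:21.856935 10.0.1.14 > 192.168.1.14: icmp: echo reply
4 packets shown
"""

# One ICMP echo line of ASA "show capture" output: "<n>: <hh:mm:ss.usec> <src> > <dst>: icmp: echo <kind>"
CAP_LINE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)


def parse_capture(text):
    """Return the ICMP echo lines of a capture dump as dicts with ts, src, dst and kind."""
    return [m.groupdict() for m in map(CAP_LINE.match, text.splitlines()) if m]


def _secs(ts):
    """hh:mm:ss.usec -> seconds since midnight (good enough for a single-day capture)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def icmp_counts(pkts, client, server):
    """Count echo requests client->server and echo replies server->client at one capture point."""
    c = Counter()
    for p in pkts:
        if p["kind"] == "request" and (p["src"], p["dst"]) == (client, server):
            c["request"] += 1
        elif p["kind"] == "reply" and (p["src"], p["dst"]) == (server, client):
            c["reply"] += 1
    return c


def unanswered_requests(pkts, client, server, window_s=2.0):
    """Timestamps of requests at this capture point that got no reply within window_s seconds."""
    replies = [_secs(p["ts"]) for p in pkts
               if p["kind"] == "reply" and (p["src"], p["dst"]) == (server, client)]
    return [p["ts"] for p in pkts
            if p["kind"] == "request" and (p["src"], p["dst"]) == (client, server)
            and not any(_secs(p["ts"]) <= r <= _secs(p["ts"]) + window_s for r in replies)]


def diagnose(headend_pkts, remote_pkts, client, server):
    """Compare the two inside-interface captures and report which direction is lost between them."""
    h = icmp_counts(headend_pkts, client, server)
    r = icmp_counts(remote_pkts, client, server)
    findings = []
    if h["request"] and not r["request"]:
        findings.append("requests seen on head-end inside, none on remote inside")
    if r["reply"] and not h["reply"]:
        findings.append("replies seen on remote inside, none on head-end inside: "
                        "the return path is broken between the remote ASA and the head end")
    if h["request"] and h["reply"]:
        findings.append("both directions present at head end: the ASA/VPN path carries the ping")
    return {"headend": dict(h), "remote": dict(r), "findings": findings}


if __name__ == "__main__":
    head, remote = parse_capture(HEADEND_CAP), parse_capture(REMOTE_CAP)
    print(diagnose(head, remote, "192.168.1.14", "10.0.1.14"))
    print("unanswered at head end:", unanswered_requests(head, "192.168.1.14", "10.0.1.14"))
```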

Robert,

So, this clearly points us back to the issue of ICMP packets not reaching the head end ASA from the remote side or the head end ASA not sending the ICMP packets to the inside interface.

Either one of the two is happening.

What do you see in the output of

"sh asp drop" & "sh log"

Cle the log and issue the command "clea asp drop"

Then try this again.

Issue the commands "sh log" and "sh asp drop"

See if there are problems with translation or so.

Cheers

Gilbert

I got the following:

Remote ASA

NY-COLO-ASA5510# sh log

Syslog logging: enabled

Facility: 20

Timestamp logging: disabled

Standby logging: disabled

Deny Conn when Queue Full: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: disabled

Trap logging: level informational, facility 20, 102 messages logged

History logging: disabled

Device ID: disabled

Mail logging: disabled

ASDM logging: level informational, 104 messages logged

NY-COLO-ASA5510# sh asp drop

Frame drop:

Flow is denied by configured rule 22

TCP DUP and has been ACKed 38

FP L2 rule drop 1

Flow drop:

Head end ASA

SBSMIA-ASA5510# sh log

Syslog logging: enabled

Facility: 20

Timestamp logging: disabled

Standby logging: disabled

Deny Conn when Queue Full: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: disabled

Trap logging: level informational, facility 20, 11191 messages logged

History logging: disabled

Device ID: disabled

Mail logging: disabled

ASDM logging: level informational, 11364 messages logged

SBSMIA-ASA5510# sh asp drop

Frame drop:

Flow is denied by configured rule 52

TCP RST/FIN out of order 1

TCP Out-of-Order packet buffer full 37

TCP Out-of-Order packet buffer timeout 3

TCP DUP and has been ACKed 73

FP L2 rule drop 25

Flow drop:

thanks

robert

Problem resolved.

Had a route added on the remote ASA back to the adjacent network. Removed the route and problem solved.

thanks.
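The resolution fits the captures: the ASA makes its routing decision before the crypto map is consulted, so a more specific route for 192.168.1.0/24 steered the echo replies out an interface the crypto map was never applied to, while 172.16.0.0/21 (covered only by the default route) kept working. The script below is an added example, not the poster's configuration: the routing table, the interface names and the next hops are assumptions (the thread only says a route back to the adjacent network existed and was removed); the crypto ACL pairs are the ones posted as ACL 130.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed routing table for the remote ASA. Interface names and next hops are assumptions.
BASE_ROUTES = [
    # (prefix, egress interface, next hop); the crypto map is assumed to sit on "outside"
    ("0.0.0.0/0", "outside", "203.0.113.1"),
    ("10.0.1.0/24", "inside", None),
]
# Assumed shape of the stray route the poster removed: adjacent LAN pointed at the inside side.
STRAY_ROUTE = ("192.168.1.0/24", "inside", "10.0.1.1")

# Crypto ACL 130 from the thread as (src, dst) network pairs.
CRYPTO_PAIRS = [("10.0.1.0/24", "172.16.0.0/21"), ("10.0.1.0/24", "192.168.1.0/24")]


def longest_prefix_match(routes, dst):
    """Plain longest-prefix match over (prefix, iface, next_hop) tuples; None if nothing matches."""
    best = None
    addr = IPv4Address(dst)
    for prefix, iface, nh in routes:
        net = IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return best


def tunnel_path(routes, src, dst, crypto_pairs=CRYPTO_PAIRS, crypto_iface="outside"):
    """Decide whether src->dst gets encrypted: it must egress the crypto-map interface
    AND match a crypto ACE. Returns (encrypted, reason)."""
    route = longest_prefix_match(routes, dst)
    if route is None:
        return False, "no route"
    net, iface, _ = route
    if iface != crypto_iface:
        return False, f"routed via {iface} by {net}; the crypto map on {crypto_iface} never sees it"
    s_addr, d_addr = IPv4Address(src), IPv4Address(dst)
    if not any(s_addr in IPv4Network(s) and d_addr in IPv4Network(d) for s, d in crypto_pairs):
        return False, "egresses the crypto interface but matches no crypto ACE"
    return True, f"routed via {iface} by {net} and matches the crypto ACL"


if __name__ == "__main__":
    for table, label in ((BASE_ROUTES, "without stray route"), (BASE_ROUTES + [STRAY_ROUTE], "with stray route")):
        print(label, "->", tunnel_path(table, "10.0.1.14", "192.168.1.14"))
        print(label, "->", tunnel_path(table, "10.0.1.14", "172.16.0.5"))
```

The same check explains the earlier observation that pings between 10.0.1.x and 172.16.0.x worked throughout: only the 192.168.1.0/24 replies were diverted by the extra route.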

Excellent!!

Gilbert
