01-10-2008 05:09 AM - edited 02-21-2020 01:51 AM
I'm using a Cisco ASA5505 and a Linksys RV042 to establish a VPN tunnel between two subnets. VPN tunnel sets up ok - main screen on ASA shows IKE=1 and IPSec=1. But I'm not able to ping between hosts on subnets connected by VPN tunnel.
When I try to ping from host on remote NW to the private IP address of the ASA5505 I get no reply. I've attached details of the NW setup and also a dump of the ASA config file.
Any help would be greatly appreciated!
01-10-2008 08:22 AM
What is the IP address that you are trying to ping? Does that IP in 10.126.172.x know that it has to send the response back to the ASA to go to 192.168.1.x?
Also, did you do a clear xlate after configuring the IPSEC and NAT 0 commands?
Can you also post the output of "show crypto ipsec sa" when the tunnel is up and you are trying to access something behind the ASA from the Linksys?
Regards,
Arul
01-10-2008 08:46 AM
Hi Arul,
Thanks for the quick reply. I am trying to ping the private IP address of the Cisco box. From the diagram this is 10.126.172.68. I'm now home but will try your other suggestions in the morning.
Thanks again,
Sean.
01-10-2008 09:04 AM
Sean,
If you want to ping the inside interface of the ASA across an IPSEC Tunnel, you need to configure "management-access inside" on the ASA.
Please refer the below URL for details:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1794331
Regards,
Arul
01-10-2008 09:53 AM
Well, ultimately I want to be able to access the private LAN (10.126.172.xx) via the VPN connection from the remote machine (192.168.1.101). But at the moment I am not even able to ping any host on this LAN.
One issue I might be encountering is that a host machine on the private LAN does not know to reply to the ping request via the Cisco ASA box, and instead tries via the private LAN's default gateway. To bypass this possible issue I was trying to ping only as far as the inside interface on the Cisco ASA box from the remote machine.
I'm new to the world of VPN/NAT/Routing so am not too sure what even the 'possible' issues might be...
01-11-2008 04:35 AM
Hi Arul,
I tried the clear xlate command but the behaviour is still the same. When I try to ping a machine behind the ASA from a host on the NW behind the Linksys, I get the following in the log:
6 Jan 11 2008 12:32:26 302015 10.126.172.31 239.255.255.250 Built inbound UDP connection 26578 for inside:10.126.172.31/1024 (10.126.172.31/1024) to NP Identity Ifc:239.255.255.250/1900 (239.255.255.250/1900)
6 Jan 11 2008 12:32:26 302016 10.126.172.31 239.255.255.250 Teardown UDP connection 26578 for inside:10.126.172.31/1024 to NP Identity Ifc:239.255.255.250/1900 duration 0:00:00 bytes 313
Also, here's the output result of the command: "show crypto ipsec sa"
---------------------------------------
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 83.141.76.42
access-list outside_1_cryptomap permit ip 10.126.172.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.126.172.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 83.141.76.41
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 83.141.76.42, remote crypto endpt.: 83.141.76.41
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F1100B08
inbound esp sas:
spi: 0x4229320A (1109996042)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 30, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 3350
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF1100B08 (4044360456)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 30, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 3350
IV size: 8 bytes
replay detection support: Y
01-14-2008 09:53 AM
Can you post the current configuration from the ASA? What is the default gateway on the ASA, and do the hosts on 10.126.172.0 255.255.255.0 know that they need to route the traffic to the ASA to reach the 192.168.1.0 255.255.255.0 network?
Regards,
Arul
01-15-2008 08:46 AM
Hi Arul,
Attached is the running-config from the ASA:
Not too sure what you mean by 'what is the default gateway on the ASA'. Its outside IP is 83.141.76.42 and its inside IP is 10.126.172.68. When configuring the interfaces I didn't ever need to specify a default gateway...
WRT routing, I'm not certain that the 10.126.172.0 255.255.255.0 boxes know they need to route traffic to the ASA to reach the 192.168.1.0 255.255.255.0 network. How do I verify this?
Cheers,
Sean.
01-15-2008 09:08 AM
A couple of things that I notice in your configuration.
There is no default gateway configured on the ASA. For example,
route outside 0.0.0.0 0.0.0.0 83.141.76.XXX.
Also, pick a router, Layer 3 switch or a host on the 10.126.172.0/24 and look at their routing table to see whether, in order to reach 192.168.1.0/24, they are sending the traffic to the ASA. If the hosts on the 10.126.172.0/24 have their default gateway pointing to the ASA, then there should be no need to configure additional routing on those hosts.
Regards,
Arul
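The "show crypto ipsec sa" counters Sean posted (decaps 4, encaps 0) are the tell-tale of the routing problem Arul describes: the remote side's packets arrive and decrypt, but nothing on the 10.126.172.0/24 side sends replies back through the ASA. The following script is an added example, not code from the thread or from Cisco, that parses those counter lines and classifies the SA as idle, one-way or bidirectional; the sample input is a trimmed copy of the output above.

```python
import re

# Constructed sample: the relevant lines of the "show crypto ipsec sa"
# output posted in the thread (encaps 0, decaps 4).
THREAD_SA_OUTPUT = """\
Crypto map tag: outside_map, seq num: 1, local addr: 83.141.76.42
local ident (addr/mask/prot/port): (10.126.172.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 83.141.76.41
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors: 0, #recv errors: 0
"""

# "#pkts encaps: 0" style counters and the two error counters
COUNTER_RE = re.compile(r"#(pkts [a-z ]+?|send errors|recv errors): (\d+)")
# "local ident (addr/mask/prot/port): (10.126.172.0/255.255.255.0/0/0)"
IDENT_RE = re.compile(r"(local|remote) ident \([^)]*\): \(([\d.]+)/([\d.]+)")


def parse_sa(text):
    """Extract the packet counters and the traffic selectors from one SA block."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    idents = {side: f"{net}/{mask}" for side, net, mask in IDENT_RE.findall(text)}
    return counters, idents


def diagnose(text):
    """Classify the SA from its counters; returns (status, hint).

    decaps > 0 with encaps == 0 is the symptom in this thread: the peer's
    packets are decrypted, but no replies are ever encrypted back to it.
    """
    counters, idents = parse_sa(text)
    enc, dec = counters.get("pkts encaps", 0), counters.get("pkts decaps", 0)
    errs = counters.get("send errors", 0) + counters.get("recv errors", 0)
    local, remote = idents.get("local", "?"), idents.get("remote", "?")
    if errs:
        return "errors", f"{errs} send/recv errors on the SA; check transform set and MTU"
    if enc == 0 and dec == 0:
        return "idle", f"no traffic matched the crypto ACL ({local} <-> {remote}); check the interesting-traffic ACL and NAT exemption"
    if dec > 0 and enc == 0:
        return "inbound-only", (f"packets from {remote} are decrypted but no replies are encrypted; check that hosts in "
                                f"{local} route {remote} via the ASA and that the ASA has a default route to the peer")
    if enc > 0 and dec == 0:
        return "outbound-only", f"traffic leaves toward {remote} but nothing returns; check the peer's routing and its mirrored crypto ACL"
    return "bidirectional", "traffic flows both ways"
```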
01-16-2008 08:12 AM
Hi Arul,
That's fantastic!! I added the default gateway to the ASA and also pointed the 10.126.172.0/24 hosts' default gateway to the ASA and I'm now able to gain full access to the internal LAN from the 'remote' machine.
Your help is much appreciated on this :-)
Cheers
Sean.