07-17-2008 11:10 PM
Friends,
I'm interested in whether it was correct to permit ICMP in the crypto ACL???
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_1_cryptomap extended permit icmp 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_access_in extended permit ip any any
access-list Magtigsm_access_in extended permit icmp any any
I cannot ping the remote host, but I can connect to it with Remote Desktop Connection. I configured it with ASDM.
Advise me.
Regards....
07-17-2008 11:35 PM
Hi,
Your configuration is correct.
I suspect the host you try to ping has a personal firewall preventing the ping.
Please rate if this helped.
Regards,
Daniel
07-17-2008 11:49 PM
Daniel, thanks for the advice :))))
Now I remember that I did not permit ICMP in the crypto ACL of the second device, and maybe that is why I cannot ping the remote host.
Daniel, I am configuring the VPN with ASDM.
07-17-2008 11:56 PM
Hi
You have to assign access-list Magtigsm_access_in to the outside interface,
e.g.:
access-group Magtigsm_access_in in interface outside
However, it is not recommended to use ip any any.
Thanks,
Janaka
07-18-2008 12:06 AM
Hi Janaka,
putting the ACL on the outside interface will not solve the problem since the traffic comes over VPN.
Regards,
Daniel
07-18-2008 01:07 AM
Daniel,
The Outside interface I'm using for the internet connection (public IP address), the Magtigsm interface for the VPN (because the ISP gave me an IP which is not public). In my head office (ASA 5510) I created a site-to-site VPN on the Magtigsm interface. The remote side (ASA 5505) also created a site-to-site VPN. Users from the ASA 5505 cannot ping head office users, but they can connect with Remote Desktop Connection. But users of the head office cannot even ping, nor connect using Remote Desktop. And my task is this: to connect from the internet (outside) to the remote PC via VPN ...
ACL
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any interface Outside eq 5445
access-list Dokid_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.20.1.8 255.255.255.248
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_1_cryptomap extended permit icmp 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_access_in extended permit ip any any
access-list Magtigsm_access_in extended permit icmp any any
NAT
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.0.0 255.255.255.0
static (Inside,Outside) tcp interface 5445 192.168.2.10 5445 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Magtigsm_access_in in interface Magtigsm
07-18-2008 06:03 AM
Turn on ICMP inspection.
07-18-2008 06:19 AM
Show the configurations on both sides
and
sh run all sysopt
07-18-2008 08:07 AM
My task is to connect from the internet to the remote network (192.168.2.0) via VPN. The remote network (192.168.2.0) is only connected with VPN to the center office, whose configuration is below.
Center-ASA
interface Ethernet0/0
nameif Outside
security-level 0
ip address 62.x.x.x 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif Magtigsm
security-level 0
ip address 81.x.x.X 255.255.255.248
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any interface Outside eq 5445
access-list Dokid_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.20.1.8 255.255.255.248
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit icmp 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_1_cryptomap extended permit icmp 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_access_in extended permit ip any any
access-list Magtigsm_access_in extended permit icmp any any
icmp permit any Outside
icmp permit any Inside
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.0.0 255.255.255.0
static (Inside,Outside) tcp interface 5445 192.168.2.10 5445 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Magtigsm_access_in in interface Magtigsm
route Outside 0.0.0.0 0.0.0.0 62.x.x.x 1
route Magtigsm 81.z.z.z 255.255.255.248 81.x.x.x 3
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map Magtigsm_map 1 match address Magtigsm_1_cryptomap
crypto map Magtigsm_map 1 set pfs
crypto map Magtigsm_map 1 set peer 81.x.x.x
crypto map Magtigsm_map 1 set transform-set ESP-3DES-SHA
crypto map Magtigsm_map interface Magtigsm
crypto isakmp enable Outside
crypto isakmp enable Magtigsm
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
tunnel-group Dokid ipsec-attributes
pre-shared-key *
tunnel-group 81.x.x.x type ipsec-l2l
tunnel-group 81.x.x.x ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxx
07-18-2008 09:28 AM
route Magtigsm 192.168.2.0 255.255.255.0 81.x.x.x 3
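The fix above is a missing route: the head-office ASA had no route for 192.168.2.0/24 out the Magtigsm interface that the crypto map is bound to, so traffic for the remote LAN followed the default route out Outside and never reached the crypto map, regardless of what the crypto ACL, the nat0 exemption or the interface ACLs said. That class of mistake can be checked mechanically against both configs. The script below is an added example, not code from the thread or from Cisco: it parses the handful of ASA 7.x/8.0 commands that decide whether a packet reaches the crypto map (the access-list entries, nat (if) 0 access-list, route, crypto map ... match address and crypto map ... interface), then checks each crypto ACL entry for three things: the destination is routed out the crypto map's interface, a nat0 entry exempts the same pair, and the peer's crypto ACL holds the mirror entry. The configs are constructed from the two posted in the thread, with the masked public addresses (81.x.x.x, 62.x.x.x) replaced by TEST-NET values; interface, ACL and crypto map names are the thread's own. The permit icmp lines in the crypto ACLs are kept as posted; they are harmless but redundant, since the permit ip entry already covers ICMP.

```python
"""Consistency checks for a pair of ASA site-to-site (L2L) IPsec configs.

Added example, not from the thread.  Addresses 203.0.113.x / 198.51.100.x
are constructed stand-ins for the masked 62.x.x.x / 81.x.x.x values.
"""
import ipaddress
import re

ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")
MAP_MATCH_RE = re.compile(r"crypto map (\S+) \d+ match address (\S+)$")
MAP_IF_RE = re.compile(r"crypto map (\S+) interface (\S+)$")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)$")

# Constructed from the center (ASA 5510) config posted in the thread.
CENTER = """
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Magtigsm_1_cryptomap extended permit icmp 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route Magtigsm 198.51.100.8 255.255.255.248 198.51.100.1 3
crypto map Magtigsm_map 1 match address Magtigsm_1_cryptomap
crypto map Magtigsm_map 1 set peer 198.51.100.10
crypto map Magtigsm_map interface Magtigsm
"""
# The one-line fix from the thread (next hop is a constructed value).
FIX_ROUTE = "route Magtigsm 192.168.2.0 255.255.255.0 198.51.100.1 3\n"

# Constructed from the remote (ASA 5505) config posted in the thread.
REMOTE = """
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit icmp 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 198.51.100.9 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map interface outside
"""


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_asa(text):
    """Pull out only the commands that matter for getting traffic into the tunnel."""
    cfg = {"acl": {}, "routes": [], "map_acl": {}, "map_if": {}, "nat0": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):            # network-form entries only; 'any' lines are skipped
            name, proto, s, sm, d, dm = m.groups()
            cfg["acl"].setdefault(name, []).append((proto, _net(s, sm), _net(d, dm)))
        elif m := ROUTE_RE.match(line):
            ifname, dst, mask, nh, _metric = m.groups()
            cfg["routes"].append((ifname, _net(dst, mask), nh))
        elif m := MAP_MATCH_RE.match(line):
            cfg["map_acl"][m.group(1)] = m.group(2)   # crypto map -> crypto ACL
        elif m := MAP_IF_RE.match(line):
            cfg["map_if"][m.group(1)] = m.group(2)    # crypto map -> bound interface
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)      # inside interface -> nat0 ACL
    return cfg


def egress_interface(cfg, dst):
    """Longest-prefix match over the static routes; None when nothing matches."""
    best = None
    for ifname, rnet, _nh in cfg["routes"]:
        if dst.subnet_of(rnet) and (best is None or rnet.prefixlen > best[1].prefixlen):
            best = (ifname, rnet)
    return best[0] if best else None


def check_l2l(local, remote):
    """Findings for the local side's crypto map(s) against the remote side."""
    findings, seen = [], set()
    nat0 = [e for a in local["nat0"].values() for e in local["acl"].get(a, [])]
    peer = [e for a in remote["map_acl"].values() for e in remote["acl"].get(a, [])]
    for mapname, acl_name in local["map_acl"].items():
        crypto_if = local["map_if"].get(mapname)
        for proto, src, dst in local["acl"].get(acl_name, []):
            egress = egress_interface(local, dst)
            if egress != crypto_if and dst not in seen:   # the thread's actual bug
                seen.add(dst)
                findings.append(f"route: {dst} leaves via {egress}, but crypto map {mapname} is bound "
                                f"to {crypto_if}; add route {crypto_if} {dst.network_address} {dst.netmask} <next-hop>")
            if proto == "ip" and not any(p == "ip" and s == src and d == dst for p, s, d in nat0):
                findings.append(f"nat0: no NAT exemption for {src} -> {dst}; PAT will rewrite the source")
            if not any(p == proto and s == dst and d == src for p, s, d in peer):
                findings.append(f"mirror: peer crypto ACL lacks {proto} {dst} -> {src}")
    return findings


def demo():
    center, remote = parse_asa(CENTER), parse_asa(REMOTE)
    before = check_l2l(center, remote)
    after = check_l2l(parse_asa(CENTER + FIX_ROUTE), remote)
    return before, after, check_l2l(remote, center)


if __name__ == "__main__":
    for title, result in zip(("center before fix", "center after fix", "remote"), demo()):
        print(f"{title}: {result or 'OK'}")
```

The route check is the one that catches this thread's problem: the crypto map is evaluated only on the interface it is bound to, so a correct crypto ACL and nat0 entry do nothing if the routing table sends the packet out another interface.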
07-18-2008 11:21 PM
a.alekseev,
Great thanks. You helped me very much. Now we can ping each other and can connect with Remote Desktop Connection. Once more, great thanks :)))
07-19-2008 12:15 AM
Good,
[Pls RATE if HELPS]
08-21-2008 11:33 AM
This post is helpful, just a follow-up question.
I have a similar L2L IPsec VPN setup. But for security reasons I want to disable all ICMP on my access-list (below). What are the effects of this?
I just don't want to try this on the live network until I know what to expect.
Thanks.
150 permit icmp any any echo-reply (9 matches)
160 permit icmp any any unreachable (327 matches)
170 permit icmp any any time-exceeded (48 matches)
180 permit udp host 1.1.1.1 eq isakmp host 2.2.2.2 eq isakmp (15852 matches)
190 permit esp host 1.1.1.1 host 2.2.2.2 (2709365 matches)
200 permit gre host 1.1.1.1 host 2.2.2.2 (3621068 matches)
210 permit icmp any any (12673 matches)
215 deny ip any any log (4683 matches)
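The follow-up question above got no answer in the thread. What removing the ICMP lines does can be worked out from the list itself, because IOS evaluates an extended ACL top down and stops at the first match. The script below is an added example, not from the thread: it models the ICMP lines (150, 160, 170, 210) and the final deny (the isakmp, esp and gre lines never match ICMP and are left out), then runs four constructed packets that a site-to-site tunnel depends on through three versions of the list. Removing only seq 210 stops inbound echo requests, so the peer can no longer ping in, while echo replies, unreachables and time-exceeded still pass, so outbound ping, traceroute and path MTU discovery keep working. Removing 150 to 170 as well also drops type 3 code 4 (fragmentation needed), which PMTUD relies on; with the reduced MTU of GRE over IPsec, that is the change most likely to surface as large transfers stalling while pings and small packets look fine.

```python
"""First-match simulation of the ICMP lines in the IOS ACL from the follow-up question.

Added example, not from the thread.  Only the ICMP-relevant entries and the
final deny are modelled; the test packets are constructed.
"""

# IOS ICMP keywords -> ICMP type.  'unreachable' matches every type 3 code,
# including code 4 (fragmentation needed), which is what PMTUD relies on.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# (seq, action, protocol, icmp keyword or None for any type), as posted
ACL_AS_POSTED = [
    (150, "permit", "icmp", "echo-reply"),
    (160, "permit", "icmp", "unreachable"),
    (170, "permit", "icmp", "time-exceeded"),
    (210, "permit", "icmp", None),
    (215, "deny", "ip", None),
]

# Constructed packets: (label, icmp type, icmp code)
PACKETS = [
    ("ping from peer (echo request 8/0)", 8, 0),
    ("reply to our own ping (echo-reply 0/0)", 0, 0),
    ("PMTUD fragmentation-needed (unreachable 3/4)", 3, 4),
    ("traceroute hop reply (time-exceeded 11/0)", 11, 0),
]


def first_match(acl, icmp_type):
    """Return (seq, action) of the first entry matching an ICMP packet of this type."""
    for seq, action, proto, keyword in acl:
        if proto == "ip" or (proto == "icmp" and (keyword is None or ICMP_TYPES[keyword] == icmp_type)):
            return seq, action
    return None, "deny"          # implicit deny at the end of every IOS ACL


def without(acl, seqs):
    """Copy of the ACL with the given sequence numbers removed ('no <seq>' in ip access-list)."""
    return [entry for entry in acl if entry[0] not in seqs]


def evaluate(acl):
    return {label: first_match(acl, icmp_type) for label, icmp_type, _code in PACKETS}


SCENARIOS = {
    "as posted": ACL_AS_POSTED,
    "drop seq 210 only": without(ACL_AS_POSTED, {210}),
    "drop all ICMP": without(ACL_AS_POSTED, {150, 160, 170, 210}),
}


def report():
    return {name: evaluate(acl) for name, acl in SCENARIOS.items()}


if __name__ == "__main__":
    for name, results in report().items():
        print(f"== {name}")
        for label, (seq, action) in results.items():
            print(f"  {label:46s} -> {action} (seq {seq})")
```

Read the "drop all ICMP" column before touching the live list: it is the one where a host behind the tunnel sending DF-set packets larger than the tunnel MTU gets no fragmentation-needed message back and simply retransmits until the connection times out.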
07-18-2008 08:20 AM
This is my remote network ASA's configuration. We cannot ping each other. From the remote network I can connect with Remote Desktop Connection, but not ping. But from my center office I cannot ping the remote network and also cannot connect with Remote Desktop Connection.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 81.y.y.y 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit icmp 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 81.y.y.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 81.y.y.y
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
username ciscoo password xxx encrypted privilege 15
tunnel-group 81.y.y.y type ipsec-l2l
tunnel-group 81.y.y.y ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxx