Tunnel is up --> no traffic is passing

Answered Question
Jun 17th, 2009

I have built an ipsec L2L tunnel between the outside interfaces of a pix 515 (7.2.1) and an asa 5520 (8.0.2). I want the inside network of each firewall to be able to communicate with each other through the tunnel, but I can't get any traffic to pass through.


I have configured the nat (inside) 0 access-list nonat on each firewall with the traffic I want to pass through the tunnel and that acl also matches on my crypto map. The only way I can get the tunnel up is to ping my outside interface of each firewall (which I have added as "interesting" traffic) to get the tunnel up.


Any ideas of why my internal lans are not communicating would be appreciated.

auraza Wed, 06/17/2009 - 09:14

Can you post the configuration of both devices?

mcroberts Wed, 06/17/2009 - 09:57

Here is fw1

hostname ASA-01
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif int
security-level 100
ip address 10.14.60.4 255.255.255.0 standby 10.14.60.5
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.14.175.1 255.255.255.0 standby 10.14.175.2
!
same-security-traffic permit inter-interface
access-list 160 extended permit ip 10.14.175.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list 160 extended permit ip host 10.14.60.4 host 192.168.60.4
access-list ib extended permit ip any any
access-list inside extended permit ip 10.14.175.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside extended permit ip 10.14.175.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list inside extended permit ip 10.14.175.0 255.255.255.0 10.14.60.0 255.255.255.0
access-list nonat extended permit ip 10.14.175.0 255.255.255.0 192.168.175.0 255.255.255.0
global (int) 1 10.14.60.200-10.14.60.250 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.14.175.0 255.255.255.0
static (inside,int) 10.14.60.8 10.14.175.8 netmask 255.255.255.255
static (inside,int) 10.14.60.9 10.14.175.9 netmask 255.255.255.255
static (inside,int) 10.14.60.10 10.14.175.10 netmask 255.255.255.255
static (inside,int) 10.14.60.11 10.14.175.11 netmask 255.255.255.255
static (inside,int) 10.14.60.12 10.14.175.12 netmask 255.255.255.255
static (inside,int) 10.14.60.13 10.14.175.13 netmask 255.255.255.255
static (inside,int) 10.14.60.14 10.14.175.14 netmask 255.255.255.255
static (inside,int) 10.14.60.60 10.14.175.60 netmask 255.255.255.255
static (inside,int) 10.14.60.61 10.14.175.61 netmask 255.255.255.255
static (inside,int) 10.14.60.70 10.14.175.70 netmask 255.255.255.255
access-group ib in interface int
access-group inside in interface inside
route int 0.0.0.0 0.0.0.0 10.14.60.1 1
service resetoutside
crypto ipsec transform-set trans esp-aes-192 esp-md5-hmac
crypto map inside 10 match address 160
crypto map inside 10 set peer 192.168.60.4
crypto map inside 10 set transform-set trans
crypto map inside 10 set security-association lifetime seconds 10800
crypto map inside interface int
crypto isakmp enable int
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
tunnel-group 192.168.60.4 type ipsec-l2l
tunnel-group 192.168.60.4 ipsec-attributes
pre-shared-key *
prompt hostname context a


mcroberts Wed, 06/17/2009 - 09:59

Here is fw2


PIX Version 7.2(1)
!
hostname insideFW-01
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 192.168.60.4 255.255.255.0 standby 192.168.60.5
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 99
ip address 192.168.175.1 255.255.255.0 standby 192.168.175.2
!
same-security-traffic permit inter-interface
access-list inside-IB-new extended permit ip 192.168.175.0 255.255.255.0 10.14.175.0 255.255.255.0
access-list inside-IB-new extended deny ip any any log
access-list outside-IB-new extended permit tcp host 164.185.38.225 object-group inside-outside-SVR eq 4253
access-list outside-IB-new extended permit icmp any 192.168.60.0 255.255.255.0 echo-reply
access-list outside-IB-new extended deny ip any any log
access-list 160 extended permit ip 192.168.175.0 255.255.255.0 10.14.175.0 255.255.255.0
access-list 160 extended permit ip host 192.168.60.4 host 10.14.60.4
access-list nonat extended permit ip 192.168.175.0 255.255.255.0 10.14.175.0 255.255.255.0
mtu outside 1500
mtu inside 1500
mtu sam 1500
global (outside) 2 192.168.60.200-192.168.60.225 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.175.0 255.255.255.0
static (inside,outside) 192.168.60.8 192.168.175.8 netmask 255.255.255.255
static (inside,outside) 192.168.60.9 192.168.175.9 netmask 255.255.255.255
static (inside,outside) 192.168.60.10 192.168.175.10 netmask 255.255.255.255
static (inside,outside) 192.168.60.11 192.168.175.11 netmask 255.255.255.255
static (inside,outside) 192.168.60.12 192.168.175.12 netmask 255.255.255.255
static (inside,outside) 192.168.60.13 192.168.175.13 netmask 255.255.255.255
static (inside,outside) 192.168.60.14 192.168.175.14 netmask 255.255.255.255
static (inside,outside) 192.168.60.41 192.168.175.41 netmask 255.255.255.255
static (inside,outside) 192.168.60.42 192.168.175.42 netmask 255.255.255.255
static (inside,outside) 192.168.60.43 192.168.175.43 netmask 255.255.255.255
static (inside,outside) 192.168.60.251 192.168.175.251 netmask 255.255.255.255
static (inside,outside) 192.168.60.250 192.168.175.250 netmask 255.255.255.255
static (inside,outside) 192.168.60.110 192.168.175.110 netmask 255.255.255.255
static (inside,outside) 192.168.60.111 192.168.175.111 netmask 255.255.255.255
static (inside,outside) 192.168.60.114 192.168.175.114 netmask 255.255.255.255
access-group outside-IB-new in interface outside
access-group inside-IB-new in interface inside
established tcp 80 0
established tcp 443 0
route outside 0.0.0.0 0.0.0.0 192.168.60.1 1
crypto ipsec transform-set trans esp-aes-192 esp-md5-hmac
crypto map inside 10 match address 160
crypto map inside 10 set peer 10.14.60.4
crypto map inside 10 set transform-set trans
crypto map inside 10 set security-association lifetime seconds 10800
crypto map inside interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
tunnel-group 10.14.60.4 type ipsec-l2l
tunnel-group 10.14.60.4 ipsec-attributes
pre-shared-key *


Correct Answer
auraza Wed, 06/17/2009 - 10:06

Remove the second line from access-list 160, and then add the following line to both PIX and ASA:

management-access inside


If you are trying to initiate traffic from the ASA, then you need the management-access command, however, it should come up if you try from a device on the inside network.

mcroberts Wed, 06/17/2009 - 10:44

I have never seen that command before. So - if I understand the command correctly, everything was correct. However, I could not test from the asa until that command was inserted?


Thank you.

auraza Wed, 06/17/2009 - 10:53

That is correct.


This command allows you to access the ASA's interface specified in the command over the VPN tunnel.


Also, when you're initiating a ping from the ASA going to the other side you should specify the interface you want it to source from, so suppose you want to ping a device on a remote network (e.g. 10.1.1.1), you want to do it as such:

ping inside 10.1.1.1


That way the traffic is initiated from the inside interface.
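The mismatch auraza points to (a crypto-map ACE with no nat 0 exemption behind it) is easy to miss by eye in a long config. The following is an added consistency check, not anything posted in this thread or shipped by Cisco: it parses the access-list, nat 0 and crypto map match lines from excerpts of the two configs above, and flags every crypto-map ACE that has no matching nat-exempt entry on the same box or no mirrored entry in the peer's crypto-map ACL. On this thread's configs it flags exactly the outside-to-outside host entry.

```python
import re

# Constructed excerpts of the fw1 (ASA) and fw2 (PIX) configs posted above.
FW1 = """
access-list 160 extended permit ip 10.14.175.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list 160 extended permit ip host 10.14.60.4 host 192.168.60.4
access-list nonat extended permit ip 10.14.175.0 255.255.255.0 192.168.175.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map inside 10 match address 160
"""
FW2 = """
access-list 160 extended permit ip 192.168.175.0 255.255.255.0 10.14.175.0 255.255.255.0
access-list 160 extended permit ip host 192.168.60.4 host 10.14.60.4
access-list nonat extended permit ip 192.168.175.0 255.255.255.0 10.14.175.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map inside 10 match address 160
"""

# Only "permit ip" ACEs with host or network/mask endpoints are considered.
ACE = re.compile(r"^access-list (\S+) extended permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$")

def _endpoint(tok):
    # "host A" -> (A, /32 mask); "A M" -> (A, M)
    parts = tok.split()
    return (parts[1], "255.255.255.255") if parts[0] == "host" else (parts[0], parts[1])

def parse_acls(config):
    """Map ACL name -> list of (src, dst) endpoint pairs, in configured order."""
    acls = {}
    for line in config.strip().splitlines():
        m = ACE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((_endpoint(m.group(2)), _endpoint(m.group(3))))
    return acls

def named(config, pattern):
    """Return the ACL name captured by pattern (first match in the config), or None."""
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None

def audit(local, remote):
    """List ('not-in-nonat' | 'not-mirrored', ace) findings for the local crypto-map ACL."""
    l_acls, r_acls = parse_acls(local), parse_acls(remote)
    crypto = l_acls.get(named(local, r"^crypto map \S+ \d+ match address (\S+)$"), [])
    nonat = set(l_acls.get(named(local, r"^nat \(inside\) 0 access-list (\S+)$"), []))
    # The peer's crypto ACL should be the exact mirror: swap src and dst.
    peer = {(d, s) for s, d in r_acls.get(named(remote, r"^crypto map \S+ \d+ match address (\S+)$"), [])}
    findings = []
    for ace in crypto:
        if ace not in nonat:
            findings.append(("not-in-nonat", ace))
        if ace not in peer:
            findings.append(("not-mirrored", ace))
    return findings
```

Run `audit(FW1, FW2)` and `audit(FW2, FW1)` to check both directions; each side reports only its `host`-to-`host` ACE.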
