L2L VPN ASA5505 and Cisco 3825 - cannot ping internal network

Mar 8th, 2010

Hi


After setting up an L2L VPN between an ASA 5505 and Cisco 3825, I'm not able to ping the inside network.

My network for the ASA is 172.28.45.0/24 and for the 3825 it is 172.28.53.0/24. I've been told that there may be an overlap in the ACLs.

But when I change the 3825 network to 171.28.53.0/24, the VPN does not come up at all. Attached are my configs; please help with both issues, as I would like to have the VPN for 172.28.53.0 and the other network up as well.


Thanks

Shameem

slmansfield Mon, 03/08/2010 - 06:54

Your inside network definitions were fine, don't change them if they correctly represent your network configuration.


From the output you provided it looks like you are pinging the inside interface of the 3825 from the outside interface of the ASA.  The outside interface of the ASA is not in the encryption domain.


Try pinging from another device on the 171.28.45.0/24 subnet to the 3825 interface or to another device on the 171.28.53.0/24 subnet. That will generate "interesting traffic", traffic defined by the encryption domain.

smohur123 Mon, 03/08/2010 - 22:49

Hi


Thank you for the support. The VPN is up now, but I still do not get a reply when I ping and I cannot SSH.


IPv4 Crypto ISAKMP SA
dst                         src             state          conn-id slot status
xx.xx.194.99  xx.94.167.110  QM_IDLE           4022    0 ACTIVE

MAR#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr xx.94.167.110

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (171.28.53.0/255.255.255.128/0/0)
   remote ident  (addr/mask/prot/port): (10.0.4.0/255.255.255.0/0/0)
   current_peer 41.72.203.142 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xx.94.167.110, remote crypto endpt.: 41.72.203.142
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp  sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (171.28.53.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.0/0/0)
   current_peer xx.xx.194.99 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 285, #pkts encrypt: 285, #pkts digest: 285
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: xx.94.167.110,  remote crypto endpt.: xx.xx.194.99
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x60028D9A(1610780058)

     inbound esp sas:
      spi: 0xCBD57743(3419764547)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 17, flow_id: AIM-VPN/SSL-3:17, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4380728/2031)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp  sas:

     outbound esp sas:
      spi: 0x60028D9A(1610780058)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 18, flow_id: AIM-VPN/SSL-3:18, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4380696/2031)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Yudong Wu Mon, 03/08/2010 - 23:26

In "show crypto ipsec sa", the "decrypt" count is "0", which means the remote end did not send the packets back.

You need to check the following at the remote end.

- NAT

- routing

- if you are trying to ping/SSH the inside interface of the ASA, you need to add "management-access"
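The two replies above make the same diagnosis from the same source: the proxy identities and packet counters in "show crypto ipsec sa". As an added example (not from this thread and not a Cisco tool), the Python script below parses that output and mechanizes both checks: whether a given source/destination pair falls inside the encryption domain (slmansfield's point that traffic from the ASA's outside interface is not "interesting"), and the encaps > 0 / decaps == 0 asymmetry that Yudong Wu reads as the remote end not sending packets back. The embedded sample is the 3825 output posted above, trimmed to the lines the parser needs; 198.51.100.1 is a constructed stand-in for an address outside the crypto ACL.

```python
"""Added example: parse Cisco IOS 'show crypto ipsec sa' output and apply the
checks made in this thread (encryption domain membership, one-way counters)."""
import ipaddress
import re

# Constructed sample: the 3825 output posted above, trimmed. Public peer
# addresses are masked with "xx" exactly as they are on the page.
SAMPLE = """\
interface: GigabitEthernet0/0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (171.28.53.0/255.255.255.128/0/0)
   remote ident  (addr/mask/prot/port): (10.0.4.0/255.255.255.0/0/0)
   current_peer 41.72.203.142 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
     outbound esp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (171.28.53.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.0/0/0)
   current_peer xx.xx.194.99 port 500
    #pkts encaps: 285, #pkts encrypt: 285, #pkts digest: 285
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
     current outbound spi: 0x60028D9A(1610780058)
     inbound esp sas:
      spi: 0xCBD57743(3419764547)
        transform: esp-des esp-sha-hmac ,
     inbound ah sas:
     outbound esp sas:
      spi: 0x60028D9A(1610780058)
        transform: esp-des esp-sha-hmac ,
     outbound ah sas:
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident\s*\(addr/mask/prot/port\):\s*\(([\d.]+)/([\d.]+)/")
PEER_RE = re.compile(r"current_peer\s+(\S+)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
SPI_RE = re.compile(r"spi:\s*(0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Return one dict per proxy-identity pair (each 'protected vrf:' block)."""
    sas, cur, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("protected vrf:"):
            cur = {"local": None, "remote": None, "peer": None, "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0, "inbound_esp": [], "outbound_esp": []}
            sas.append(cur)
            section = None  # 'current outbound spi' lines come before any SA section
            continue
        if cur is None:  # header lines before the first identity block
            continue
        if m := IDENT_RE.search(s):
            # local/remote ident is the crypto ACL, i.e. the encryption domain
            cur[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        elif m := PEER_RE.search(s):
            cur["peer"] = m.group(1)
        elif m := ERR_RE.search(s):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif s.endswith("sas:"):
            section = "_".join(s[:-4].split())  # "inbound_esp", "outbound_ah", ...
        elif (m := SPI_RE.search(s)) and section in cur:
            cur[section].append(m.group(1))  # only esp sections are recorded
        for name, val in COUNT_RE.findall(s):
            cur[name] = int(val)
    return sas


def in_encryption_domain(sa, src, dst):
    """True when src -> dst matches this SA's proxy identities, i.e. the crypto
    map treats it as interesting traffic. A reply addressed to the peer's outside
    interface instead of its inside subnet is not, which is the first point above."""
    return ipaddress.ip_address(src) in sa["local"] and ipaddress.ip_address(dst) in sa["remote"]


def diagnose(sa):
    """Read the counters the way the replies above do."""
    if not sa["inbound_esp"] or not sa["outbound_esp"]:
        return "no IPsec SA: no interesting traffic has hit the crypto ACL yet, or phase 2 never completed"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return ("one-way: we encrypt but never decrypt, so the remote end is not sending "
                "packets back; check NAT, routing and management-access on the remote end")
    if sa["encaps"] == 0 and sa["decaps"] > 0:
        return "one-way: traffic arrives from the peer but nothing is encrypted in return"
    return "bidirectional: both encaps and decaps are incrementing"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        print(f"{sa['local']} <-> {sa['remote']} via {sa['peer']}: {diagnose(sa)}")
    sa = parse_ipsec_sa(SAMPLE)[1]
    # 198.51.100.1 is a constructed stand-in for the ASA's outside address
    print("reply to ASA outside interesting?", in_encryption_domain(sa, "171.28.53.1", "198.51.100.1"))
    print("reply to ASA inside host interesting?", in_encryption_domain(sa, "171.28.53.1", "172.28.45.10"))
```

Run against the full output rather than the trimmed sample and the parser behaves the same: header lines before the first "protected vrf:" are skipped, SPIs are only recorded under the esp sections, and each identity pair gets its own verdict, so a tunnel with several crypto ACL entries is checked entry by entry.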

smohur123 Thu, 03/11/2010 - 06:30

Thank you very much for the support. It's working fine now.

Now I would like to restrict access from one side of the VPN. Only one IP address and some traffic should be allowed from the 3825 to the ASA.
