L2L VPN ASA5505 and Cisco 3825 - cannot ping internal network

smohur123 · ‎03-08-2010

Hi

After setting up an L2L VPN between an ASA 5505 and Cisco 3825, I'm not able to ping the inside network.

My network for the ASA is 172.28.45.0/24 and for the 3825 is 172.28.53.0/24. I've been told that there may be overlapping in the ACL and all.

But when I change the 3825 network to 171.28.53.0/24 the VPN is not up at all. Attached are my configs, please help on both issues as I ould like to have the 172.28.53.0 and other network VPN also to be up.

Thanks

Shameem

slmansfield · ‎03-08-2010

Your inside network definitions were fine, don't change them if they correctly represent your network configuration.

From the output you provided it looks like you are pinging the inside interface of the 3825 from the outside interface of the ASA. The outside interface of the ASA is not in the encryption domain.

Try pinging from another device on the 171.28.45.0/24 subnet to the 3825 interface or to another device on the 171 28.53.0/24 subnet. That will generate "interesting traffic", traffic defined by the encryption domain.

smohur123 · ‎03-08-2010

Hi

Thank you for the support. The VPN is up now but still does not get reply when ping and cannot ssh.

IPv4 Crypto

ISAKMP SA

dst src state conn-id slot status

xx.xx.194.99 xx.94.167.110 QM_IDLE 4022 0 ACTIVE

MAR#sh crypto ipsec sa

interface: GigabitEthernet0/0

Crypto map tag: SDM_CMAP_1, local addr xx.94.167.110

protected vrf: (none)

local ident (addr/mask/prot/port): (171.28.53.0/255.255.255.128/0/0)

remote ident (addr/mask/prot/port): (10.0.4.0/255.255.255.0/0/0)

current_peer 41.72.203.142 port

500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: xx.94.167.110, remote crypto endpt.: 41.72.203.142

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

local ident (addr/mask/prot/port): (171.28.53.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.0/0/0)

current_peer xx.xx.194.99 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 285, #pkts encrypt: 285, #pkts digest: 285

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: xx.94.167.110, remote crypto endpt.: xx.xx.194.99

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

current outbound spi: 0x60028D9A(1610780058

)

inbound esp sas:

spi: 0xCBD57743(3419764547

)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 17, flow_id: AIM-VPN/SSL-3:17, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4380728/2031)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x60028D9A(1610780058)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 18, flow_id: AIM-VPN/SSL-3:18, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4380696/2031)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Yudong Wu · ‎03-08-2010

In "show crypto ipsec sa", "decrypt" count is "0", which means the remote end did not send the packet back.

You need check the following at the remote end.

- NAT

- routing

- if you are trying to ping/ssh the inside interface of ASA, you need andd "management-access "

smohur123 · ‎03-11-2010

Thank you very much for the support. It's working fie now.

Now I would like to restrict access from one side of the VPN. Only one ip address and some traffic should be allowed from the 3825 to the ASA.