VPN site to site working but cannot ping from inside interface

rcordeiro
Level 1

Hi all,

I have a config with a site-to-site VPN working (ASA on one side and IOS on the other). I can connect from one side to the other and vice versa; the problem is that I am unable to ping the other side using the inside interface of the router, and this interface is the H.323 gateway and needs to connect to the other side.

Here's the config I have on the router:

version 15.0
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  no update-callerid
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key VPN#LSB@Her*Grp/ address xxx.xxx.xxx.xxx no-xauth
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map Her local-address Dialer0
crypto map Her 1 ipsec-isakmp
 description VPN Grp Her
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 199
!
interface Loopback0
 description $FW_INSIDE$
 ip address 10.1.10.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Integrated-Service-Engine0/0
 description cue is initialized with default IMAP group
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan100
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 103 in
 ip helper-address 192.168.10.10
 ip virtual-reassembly
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.1.1.1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password xxxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx
 ppp ipcp route default
 ppp ipcp address accept
 crypto map Her
!
ip forward-protocol nd
!
ip nat inside source list 1 interface Dialer0 overload
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip 10.1.10.0 0.0.0.3 any
access-list 102 deny   ip 10.1.1.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp any 10.1.10.0 0.0.0.3 range 16384 32767
access-list 103 permit udp 10.1.10.0 0.0.0.3 range 16384 32767 any
access-list 103 deny   ip 192.168.10.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 199 permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
dialer-list 1 protocol ip permit

Like I said, the VPN is working: I have access from one side to the other, but not from the IP address of the router interface.
Any help is appreciated.
Regards
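The access-lists in the posted config are what decide whether a flow is translated by NAT (list 1), admitted inbound on Vlan100 (list 103) or selected for the tunnel (crypto ACL 199). The script below is an added example, not part of the original post and not Cisco code: it re-implements IOS first-match ACL evaluation with wildcard masks in Python so the posted lists can be checked offline against the flows the thread talks about. The entries in POSTED_ACLS are copied from the config above; host 192.168.200.10 is a constructed stand-in for the "192.168.200.x" device mentioned later in the thread.

```python
"""Evaluate the access-lists pasted in the thread against a given flow.

Added example for this thread, not code from the original post or from Cisco:
a plain-Python re-implementation of IOS wildcard-mask, first-match ACL
evaluation. POSTED_ACLS is copied from the router config above.
"""
import ipaddress
import re

POSTED_ACLS = """\
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp any 10.1.10.0 0.0.0.3 range 16384 32767
access-list 103 permit udp 10.1.10.0 0.0.0.3 range 16384 32767 any
access-list 103 deny   ip 192.168.10.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 199 permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
"""

ANY = (0, 0xFFFFFFFF)                  # (network, wildcard): every wildcard bit set
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume one address term: any | host A | A WILDCARD | A (standard ACL)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    wildcard = _ip(tokens.pop(0)) if tokens and IPV4.fullmatch(tokens[0]) else 0
    return (_ip(t), wildcard)

def _parse_port(tokens):
    """Consume an optional port operator; None means 'any port'."""
    if not tokens or tokens[0] not in ("eq", "neq", "gt", "lt", "range"):
        return None
    op = tokens.pop(0)
    lo = int(tokens.pop(0))
    hi = int(tokens.pop(0)) if op == "range" else lo
    return (op, lo, hi)

def parse_acls(text):
    """Return {acl_number: [entry, ...]} in configured order (first match wins)."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99:   # standard ACL: source only, wildcard optional
            entry = {"proto": "ip", "src": _parse_addr(rest), "sport": None,
                     "dst": ANY, "dport": None}
        else:              # extended ACL: proto src [sport] dst [dport] ...
            proto = rest.pop(0)
            src, sport = _parse_addr(rest), _parse_port(rest)
            dst, dport = _parse_addr(rest), _parse_port(rest)
            entry = {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
        entry["action"] = action
        acls.setdefault(number, []).append(entry)
    return acls

def _addr_ok(addr, spec):
    net, wildcard = spec               # a set wildcard bit means "don't care"
    return (_ip(addr) | wildcard) == (net | wildcard)

def _port_ok(port, spec):
    if spec is None:
        return True
    if port is None:                   # a flow without ports cannot satisfy a port test
        return False
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """The first matching entry decides; the implicit rule at the end is deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if (_addr_ok(src, e["src"]) and _addr_ok(dst, e["dst"])
                and _port_ok(sport, e["sport"]) and _port_ok(dport, e["dport"])):
            return e["action"]
    return "deny"

def check_flow(proto, src, dst, sport=None, dport=None, text=POSTED_ACLS):
    """Verdict of every ACL in `text` for one flow, keyed by ACL number."""
    return {n: evaluate(v, proto, src, dst, sport, dport) for n, v in parse_acls(text).items()}

if __name__ == "__main__":
    # The failing ping: sourced from the Vlan100 address, to a host on the ASA side.
    print(check_flow("icmp", "10.1.1.1", "192.168.200.10"))
    # A host on Vlan1 is not covered by crypto ACL 199 at all.
    print(check_flow("icmp", "192.168.10.5", "192.168.200.10"))
```

Running it shows that crypto ACL 199 does cover 10.1.1.1 to 192.168.200.0/24, and also that NAT list 1 matches the same source with no exception for the tunnel destination; on IOS the inside-to-outside NAT translation is applied before the crypto-map match, which is why site-to-site examples normally exempt tunnel traffic from the NAT list. The thread does not establish whether that is what breaks the sourced ping (the poster reports that other inside hosts do bring the tunnel up), so the script only reports what each list would do. Note also that an inbound ACL on Vlan100 (103) is not consulted for packets the router itself originates from that address.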

5 Replies

Hi,

You need to communicate with the ASA's side from the router's interface, correct?
The interface of the IOS is VLAN 100 (10.1.1.1)?

The VPN traffic is defined from 10.1.1.0/24 to 192.168.200.0/24,
so you should have communication between those networks.

Can you communicate with the PIX LAN from any other device on the 10.1.1.0/24 network?
Make sure that you permit the traffic on ACL 103.

Federico.

You will also want to make sure that the inside interface of the ASA is enabled for management using "management-access inside" and that ICMP is not being explicitly denied. I have also run into some strange situations where ICMP will not work correctly unless ICMP inspection is enabled in the global inspection policy.

Hi,

I can communicate from one side to the other, but I need 10.1.1.1 to communicate with the other side and the other internal LAN to communicate with 10.1.1.1.

I don't need to communicate with the ASA interfaces, only the inside LAN on the other side.

Regards

Understood.
Can you test the following...
Router# ping 192.168.200.x source 10.1.1.1
See if you get the replies.
Try 192.168.200.x being a device on the ASA's side and also the ASA inside IP (with the command management-access inside)

Federico.

Hi,

That was exactly the test I tried, and I don't get an answer; the VPN doesn't come up with that ping, but if I ping from any other host on the inside the VPN comes right up and the ping succeeds.

The network 192.168.200.xxx is the one on the ASA side. Do you think the management interface does anything in this scenario?

I don't manage the ASA but I can ask them to change that.

Isn't this kind of strange? One of the tests to do on a VPN config is to ping using the inside interface (the network we want to tunnel), right?

Regards
