05-07-2010 08:45 AM
Hi all,
I have a config with a site-to-site VPN working (ASA on one side and IOS on the other). I can connect from one side to the other and vice versa; the problem is that I am unable to ping the other side using the inside interface of the router, and this interface is the H.323 gateway and needs to connect to the other side.
Here's the config I have on the router:
version 15.0
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
no update-callerid
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key VPN#LSB@Her*Grp/ address xxx.xxx.xxx.xxx no-xauth
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map Her local-address Dialer0
crypto map Her 1 ipsec-isakmp
description VPN Grp Her
set peer xxx.xxx.xxx.xxx
set transform-set ESP-3DES-SHA
set pfs group2
match address 199
!
!
!
!
!
interface Loopback0
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip nat inside
ip virtual-reassembly
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
no ip address
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
!
interface Integrated-Service-Engine0/0
description cue is initialized with default IMAP group
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
!
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
!
interface Vlan100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 103 in
ip helper-address 192.168.10.10
ip virtual-reassembly
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.1.1.1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxx
ppp chap password xxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx
ppp ipcp route default
ppp ipcp address accept
crypto map Her
!
!
ip forward-protocol nd
!
ip nat inside source list 1 interface Dialer0 overload
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 10.1.10.0 0.0.0.3 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp any 10.1.10.0 0.0.0.3 range 16384 32767
access-list 103 permit udp 10.1.10.0 0.0.0.3 range 16384 32767 any
access-list 103 deny ip 192.168.10.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 199 permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
dialer-list 1 protocol ip permit
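Added example, not from the thread or any poster: a small Python matcher for the crypto ACL 199 and NAT ACL 1 quoted in the config above, using IOS wildcard-mask and first-match semantics. It evaluates a ping sourced from the Vlan100 address 10.1.1.1 against one sourced from a LAN host (10.1.1.50 and the destination 192.168.200.10 are constructed stand-ins) and shows that both are interesting traffic for the tunnel and both also fall inside the NAT overload list, so the ACLs alone do not distinguish the two cases.

```python
import ipaddress

# Constructed excerpt of the NAT ACL (1) and crypto ACL (199) from the config above.
CONFIG = """
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 199 permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
"""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _operand(tok, i):
    """Consume one address operand (network wildcard | host A.B.C.D | any)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def parse_acls(text):
    """Return {acl_number: [(action, src, src_wc, dst, dst_wc), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue
        if tok[3] == "ip":                       # extended ACE: src then dst
            src, src_wc, i = _operand(tok, 4)
            dst, dst_wc, _ = _operand(tok, i)
        else:                                    # standard ACE: source only
            src, src_wc, _ = _operand(tok, 3)
            dst, dst_wc = "0.0.0.0", "255.255.255.255"
        acls.setdefault(tok[1], []).append((tok[2], src, src_wc, dst, dst_wc))
    return acls

def acl_verdict(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

def classify_flow(src, dst):
    """Is the flow VPN-interesting (ACL 199) and NAT-eligible (ACL 1)?"""
    acls = parse_acls(CONFIG)
    return {"crypto_acl_199": acl_verdict(acls["199"], src, dst) == "permit",
            "nat_acl_1": acl_verdict(acls["1"], src, dst) == "permit"}

if __name__ == "__main__":
    for source in ("10.1.1.1", "10.1.1.50", "192.168.10.5"):
        print(source, "->", classify_flow(source, "192.168.200.10"))
```

Because ACL 1 has no deny entry for the 192.168.200.0/24 destination, every flow that ACL 199 selects for the tunnel is also a candidate for overload NAT on any interface marked `ip nat inside`.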
05-07-2010 09:19 AM
Hi,
You need to communicate to the ASA's side from the router's interface correct?
The interface of the IOS is VLAN 100 (10.1.1.1)?
The VPN traffic is defined from 10.1.1.0/24 to 192.168.200.0/24
so, you should have communication between those networks.
Can you communicate with the PIX LAN from any other device on the 10.1.1.0/24 network?
Make sure that you permit the traffic on ACL 103.
Federico.
05-07-2010 09:47 AM
You will also want to make sure that the inside interface of the ASA is enabled for management using the "management-access inside" command and that ICMP is not being explicitly denied. I have also run into some strange situations where ICMP will not work correctly unless ICMP inspection is enabled in the global inspection policy.
05-08-2010 09:53 AM
Hi,
I can communicate from one side to the other, but I need 10.1.1.1 to communicate with the other side and the other internal LAN to communicate with 10.1.1.1.
I don't need to communicate with the ASA interfaces, only the inside LAN on the other side.
Regards
05-08-2010 01:25 PM
Understood.
Can you test the following...
Router# ping 192.168.200.x source 10.1.1.1
See if you get the replies.
Try 192.168.200.x being a device on the ASA's side and also the ASA inside IP (with the command management-access inside)
Federico.
05-10-2010 10:56 AM
Hi,
That was exactly the test I tried, and I don't get an answer and the VPN doesn't come up with that ping, but if I ping from any other host on the inside the VPN comes right up and the ping succeeds.
The network 192.168.200.xxx is the one on the ASA side. Do you think the management interface does anything in this scenario?
I don't manage the ASA but I can ask them to change that.
Isn't this kind of strange? One of the tests to do on a VPN config is to ping using the inside interface (the network we want to tunnel), right?
Regards