Cannot access inside interface via L2L tunnel to ISR2911.

Unanswered Question

Please see attached config.  I have been configuring a L2L IPSec tunnel between an ASA5510 and an ISR2911.  From the ASA side I can access any hosts in the subnet without issue, which is desired.  The problem is I cannot access the inside interface of the ISR for management purposes.  The access-list 23 has the appropriate entries to allow access, but it does not work.  I cannot ping the inside interface on the ISR either over the L2L tunnel.  How do I configure to allow access to the inside interface over the L2L tunnel to manage the ISR?  Information is most appreciated.

Note that via the EasyVPN remote access tunnel using CiscoVPN client, I can access the ISR inside interface no problem and perform management functions.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Mon, 05/17/2010 - 14:41
User Badges:
  • Green, 3000 points or more


You can access all devices but not the router iself through the tunnel?

Assuming the inside interface of the ASA is part of the interesting traffic, do this on the ASA:

management-access inside

And try a PING from the inside IP to the inside IP of the router:

ping inside

From the router:

ping x.x.x.x source   --> x.x.x.x will be the inside IP of the ASA

I don't see from the configuration why you would not have access to this IP through the Site-to-Site tunnel, please let me know the results of the above tests.


Federico Coto F... Mon, 05/17/2010 - 15:00
User Badges:
  • Green, 3000 points or more

Could be a problem on the ASA, to make sure try the following:

When doing:  ping inside

See if the packet counter increments for the encrypted/decrypted packets (sh cry ips sa peer PUBLIC_IPOFTHE_ROUTER)

Everytime you send PING packets from the ASA's inside interface, you should see the packets being encrypted and decrypted (responses).

If you don't we could see where the problem is.


From ASA sh cry ips sa peer PUBLIC_IPOFTHE_ROUTER

shows the packet encrypt counter going up by 5 when I run "ping inside"

However, the decrypt counter does not change.

Fortunately, this connection is mostly idle at the moment or this would be hard to see.

So, I can see packets encrypted and sent down the tunnel to the router, but nothing comes back.

I'll try to have a look at the router crypto ipsec sa as well.

Federico Coto F... Mon, 05/17/2010 - 15:20
User Badges:
  • Green, 3000 points or more


We know the ASA is sending those packets through the tunnel and not getting them back.

The question is, is the router receiving those packets? If so, is the router sending them back? If so why is the ASA not receiving them?

All the above questions can be answered by looking at the ''sh cry ip sa'' on the router as you mentioned.


More testing reveals:

Router is receiving the packets from ASA.  Router is NOT sending packets back to ASA.

This is only when packets are destined for the inside interface of the router.

Packets pass through router without issue.

Could this have something to do with the zone based firewall configuration?

Do I need to config some policies for inside-self / self-inside?

From what I have read so far about ZPF, it appears that traffic traversal across zones is treated differently from traffic destined for a router interface.


Federico Coto F... Mon, 05/17/2010 - 17:25
User Badges:
  • Green, 3000 points or more


I think it could be related to the ZBF.

Could you do a quick test by removing the ZBF configuration and trying, just to see if it works?


Tried that.  Still does not work.  No access to inside interface of router from remote side of tunnel.

Unfortunately, ASA does not support VTI, which would make this configuration easier.

I'm not going to get too worked up over the situaiton for now.

The ISR2911 is deployed as a temporary solution while we wait for the new ASA to be delivered from backorder.

I'm still open to any further advice.

Federico Coto F... Wed, 05/19/2010 - 20:15
User Badges:
  • Green, 3000 points or more

Just wondering if you continue with this?

I was going to suggest if you can add any other interface of the router in the interesting traffic for the Site-to-Site tunnel and check if you can access that IP.



This Discussion