can't ping hosts on an l2l ipsec from an asa 5505 firewall to a cisco 8200 router

glegion6790
Level 1

There is something wrong with my configuration and I can't seem to figure it out. Below is the output from the cisco8201 router when I try to send a ping from a host behind the ASA firewall. Thanks.

router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
72.179.x.x 72.179.x.x QM_IDLE 1280 ACTIVE

IPv6 Crypto ISAKMP SA

router#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: vpnSite, local addr 72.179.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 72.179.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 72.179.191.71, remote crypto endpt.: 72.179.175.78
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


1 Accepted Solution

taylor.robert
Level 1

Hi

You have a mismatched ACL for the VPN "interesting traffic" on the ASA (it needs to be a mirror of the peer's ACL).  

So, the following line:

access-list vpnAcl extended permit ip 192.168.1.0 255.255.255.0 any

It should be replaced with the following line:

access-list vpnAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

Hope that has helped.

Kind regards

Rob

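The check Rob describes (the ASA crypto ACL must be the exact mirror of the router's proxy identities) can be automated. The script below is an added example and is not code from this thread or from Cisco; it assumes the ASA side is given as "access-list NAME extended permit ip SRC MASK DST MASK" lines and the router side as the "local ident"/"remote ident" lines from "show crypto ipsec sa". The sample ACL lines and ident lines are constructed from the values in this thread. With "any" as the destination the ASA proposes a 0.0.0.0/0 proxy ID, which does not match the router's 192.168.4.0/24, so no SAs are negotiated and the encaps/decaps counters stay at zero; the mirrored ACL produces no mismatch.

```python
"""Check that an ASA crypto ACL mirrors an IOS peer's IPsec proxy identities.

Added example, not from the thread or from Cisco. Input formats assumed:
  ASA: 'access-list <name> extended permit ip <src> <mask> <dst> <mask>'
  IOS: 'local ident ... (net/mask/prot/port)' / 'remote ident ...' lines
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")  # what 'any' becomes as a proxy ID

# Constructed sample input, using the ACL lines and idents quoted in the thread.
ASA_BROKEN = "access-list vpnAcl extended permit ip 192.168.1.0 255.255.255.0 any"
ASA_FIXED = ("access-list vpnAcl extended permit ip "
             "192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0")
IOS_SA = """\
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
"""


def parse_endpoint(tokens, i):
    """Return (network, next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmasks, so '192.168.1.0/255.255.255.0' parses.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa_acl(text, name):
    """Extract (src, dst) network pairs from the named ASA extended ACL."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue  # skip other ACLs, remarks and non-ip entries
        src, i = parse_endpoint(tokens, 5)
        dst, _ = parse_endpoint(tokens, i)
        pairs.append((src, dst))
    return pairs


IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")


def parse_ios_idents(text):
    """Extract (local, remote) proxy-identity pairs from 'show crypto ipsec sa'."""
    pairs = []
    local = None
    for m in IDENT_RE.finditer(text):
        net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        if m.group(1) == "local":
            local = net
        else:
            pairs.append((local, net))
    return pairs


def mirror_mismatches(asa_pairs, ios_pairs):
    """Return router (local, remote) pairs that have no exact ASA (src=remote, dst=local) mirror."""
    asa_set = set(asa_pairs)
    return [(loc, rem) for (loc, rem) in ios_pairs if (rem, loc) not in asa_set]


def report(asa_text, acl_name, ios_text):
    """Human-readable mismatch list; empty means the ACLs mirror each other."""
    bad = mirror_mismatches(parse_asa_acl(asa_text, acl_name), parse_ios_idents(ios_text))
    return [f"router {loc} <-> {rem} has no ASA entry 'permit ip {rem} {loc}'"
            for loc, rem in bad]


if __name__ == "__main__":
    for label, acl in (("broken", ASA_BROKEN), ("fixed", ASA_FIXED)):
        print(label, report(acl, "vpnAcl", IOS_SA) or "OK: ACLs mirror each other")
```

Run it against the real "show run access-list" and "show crypto ipsec sa" output before touching the tunnel; a non-empty report points at the exact proxy-ID pair to fix, which is faster than reading zeroed packet counters.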

2 Replies

glegion6790
Level 1

It worked!!!! Wow. Thanks. Just a simple ACL breaks the whole network.. lol