10-23-2009 05:21 AM - edited 03-11-2019 09:30 AM
How do you open up a pinhole using port 3001 to devices with a site-to-site VPN?
10-23-2009 07:45 AM
I can only ping the devices from the ASA side not across the tunnel.
10-23-2009 07:51 AM
Can you do "show crypto ipsec sa" on both PIX and upload the output.
10-23-2009 07:52 AM
can do
10-23-2009 08:00 AM
10-23-2009 08:05 AM
You have no ipsec session from side 2 to side 1
clear the crypto session in side 1
clear crypto ipsec sa peer 65.82.227.138
Then try and ping from side2 to side 1
10-23-2009 08:10 AM
Tunnel from ciscoasa to ciscoasa2 is up. Tunnel is built. See below...
Crypto map tag: outside_map, seq num: 2, local addr: 65.82.224.50
access-list outside_2_cryptomap permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Thibodaux-inside/255.255.255.0/0/0)
current_peer: 65.82.227.138
#pkts encaps: 70966519, #pkts encrypt: 70970711, #pkts digest: 70970711
#pkts decaps: 58306128, #pkts decrypt: 58306128, #pkts verify: 58306128
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 70966519, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 4192, #pre-frag failures: 0, #fragments created: 8384
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 13619
#send errors: 0, #recv errors: 0
local crypto endpt.: 65.82.224.50, remote crypto endpt.: 65.82.227.138
Do you have output from ciscoasa2 to ciscoasa? Can't see it! Unless I am going blind!!!
10-23-2009 08:12 AM
they were in two different notepads.
10-23-2009 08:18 AM
10-23-2009 08:26 AM
OK. I am confused. I thought the ipsec problem is between 65.82.227.138 (ciscoasa2) and 65.82.224.50 (ciscoasa). is that not so?
10-23-2009 08:28 AM
which device is 74.165.244.10?
10-23-2009 08:32 AM
There are three ASAs, all with site-to-site VPN tunnels. The IPsec tunnel is between the 65.x.x.x devices. The 74.x.x.x is the one in which I need to get the pinholes put in.
10-23-2009 08:36 AM
morgan city inside (192.168.3.1)
10-23-2009 09:00 AM
earlier you mentioned the problem is communication between 192.168.2.0 and 192.168.1.0 subnet on port 3001 over the ipsec tunnel between 65.82.224.50 - > 65.85.227.138!!
Kevin, for clarity please explain what exactly is the problem.
thanks
francisco
10-23-2009 09:05 AM
I'm sorry Francisco the problem lies between subnets 192.168.3.0/24 & 192.168.1.0/24 on port 3001.
10-23-2009 09:23 AM
Your tunnel is up. Can you ping inside interfaces from both firewalls through the tunnel? For example ping 192.168.1.1 (select outside interface).
Crypto map tag: outside_map, seq num: 1, local addr: 65.82.224.50
access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (MorganCity-inside/255.255.255.0/0/0)
current_peer: MorganCityPublic
#pkts encaps: 22361951, #pkts encrypt: 22361955, #pkts digest: 22361955
#pkts decaps: 17685532, #pkts decrypt: 17685532, #pkts verify: 17685532
Crypto map tag: outside_map, seq num: 1, local addr: 74.165.244.10
access-list outside_1_cryptomap permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 65.82.224.50
#pkts encaps: 5499955, #pkts encrypt: 5499955, #pkts digest: 5499955
#pkts decaps: 6493468, #pkts decrypt: 6493468, #pkts verify: 6493468
#pkts compressed: 0, #pkts decompressed: 0
Also
Can you do debug crypto ipsec and debug crypto engine and finally clear crypto ipsec sa.
After clearing crypto ipsec sa, if it doesn't work, send me the debug output.
Are your hosts sitting behind the ASAs connected to a switch? Can the ASAs ping your hosts?
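As an added example (not part of the thread), a small Python parser for the "show crypto ipsec sa" excerpts pasted above: it reads each SA's local/remote idents and its encaps/decaps counters so a one-directional SA like the one Francisco describes stands out, and checks whether a given source/destination pair falls inside an SA's protected networks. The sample output is constructed from the thread's excerpts with the second SA's decaps counter zeroed for illustration.

```python
import ipaddress
import re

# Constructed sample modeled on the thread's "show crypto ipsec sa" excerpts; the second SA's decaps is set to 0 to show a one-way tunnel.
SAMPLE = """\
Crypto map tag: outside_map, seq num: 2, local addr: 65.82.224.50
  local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (Thibodaux-inside/255.255.255.0/0/0)
  #pkts encaps: 70966519, #pkts encrypt: 70970711, #pkts digest: 70970711
  #pkts decaps: 58306128, #pkts decrypt: 58306128, #pkts verify: 58306128
Crypto map tag: outside_map, seq num: 1, local addr: 74.165.244.10
  local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
  #pkts encaps: 5499955, #pkts encrypt: 5499955, #pkts digest: 5499955
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sas(text):
    """Return one dict per crypto-map entry with its idents and encaps/decaps counters."""
    sas, cur = [], {}
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER.match(line):
            cur = {"map": m[1], "seq": int(m[2]), "local_addr": m[3], "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif m := IDENT.match(line):
            # prot/port 0/0 means the crypto ACL is "permit ip": port 3001 is already interesting traffic
            cur[m[1]] = {"net": m[2], "mask": m[3], "proto": int(m[4]), "port": int(m[5])}
        elif m := COUNTER.match(line):
            cur[m[1]] = int(m[2])
    return sas

def assess(sa):
    """A healthy SA both encrypts and decrypts; a counter stuck at 0 means traffic flows one way only."""
    if sa["encaps"] and sa["decaps"]:
        return "bidirectional"
    return "encaps only" if sa["encaps"] else ("decaps only" if sa["decaps"] else "no traffic")

def covers(sa, src, dst):
    """True if src->dst matches this SA's local/remote idents; None when an ident is a named object."""
    try:
        local = ipaddress.ip_network(f"{sa['local']['net']}/{sa['local']['mask']}", strict=False)
        remote = ipaddress.ip_network(f"{sa['remote']['net']}/{sa['remote']['mask']}", strict=False)
    except ValueError:
        return None
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote
```

Run the parser against the real output of both ASAs and compare: the SA protecting 192.168.3.0/24 to 192.168.1.0/24 should show both counters climbing on both peers, and named objects (such as Thibodaux-inside) need the object definition before the network check can resolve them.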