
ASA 5505 pinhole to device between site to site VPN.

SNChelpdesk
Level 1

How do you open up a pinhole using port 3001 to devices with a site-to-site VPN?

33 Replies

I can only ping the devices from the ASA side not across the tunnel.

Can you do "show crypto ipsec sa" on both PIX and upload the output?

Can do.

Here are the results.

You have no IPsec session from side 2 to side 1.

Clear the crypto session on side 1:

clear crypto ipsec sa peer 65.82.227.138

Then try and ping from side 2 to side 1.

Tunnel from ciscoasa to ciscoasa2 is up. Tunnel is built. See below...

Crypto map tag: outside_map, seq num: 2, local addr: 65.82.224.50
access-list outside_2_cryptomap permit ip 192.168.1.0 255.255.255.0 Thibodaux-inside 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Thibodaux-inside/255.255.255.0/0/0)
current_peer: 65.82.227.138
#pkts encaps: 70966519, #pkts encrypt: 70970711, #pkts digest: 70970711
#pkts decaps: 58306128, #pkts decrypt: 58306128, #pkts verify: 58306128
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 70966519, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 4192, #pre-frag failures: 0, #fragments created: 8384
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 13619
#send errors: 0, #recv errors: 0
local crypto endpt.: 65.82.224.50, remote crypto endpt.: 65.82.227.138

Do you have output from ciscoasa2 to ciscoasa? Can't see it! Unless I am going blind!!!

They were in two different notepads.

Sorry here is the one for the other ASA. However I'm not having the trouble with this one.

OK. I am confused. I thought the IPsec problem is between 65.82.227.138 (ciscoasa2) and 65.82.224.50 (ciscoasa). Is that not so?

Which device is 74.165.244.10?

There are three ASAs, all with site-to-site VPN tunnels. The IPsec tunnel is between the 65.x.x.x ones; the 74.x.x.x is the one in which I need to get the pinholes put in.

Morgan City inside (192.168.3.1)

Earlier you mentioned the problem is communication between the 192.168.2.0 and 192.168.1.0 subnets on port 3001 over the IPsec tunnel between 65.82.224.50 -> 65.85.227.138!!

Kevin, for clarity please explain what exactly the problem is.

Thanks,

Francisco

I'm sorry Francisco the problem lies between subnets 192.168.3.0/24 & 192.168.1.0/24 on port 3001.

Your tunnel is up. Can you ping the inside interfaces from both firewalls through the tunnel? For example, ping 192.168.1.1 (select the outside interface).

Crypto map tag: outside_map, seq num: 1, local addr: 65.82.224.50
access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 MorganCity-inside 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (MorganCity-inside/255.255.255.0/0/0)
current_peer: MorganCityPublic
#pkts encaps: 22361951, #pkts encrypt: 22361955, #pkts digest: 22361955
#pkts decaps: 17685532, #pkts decrypt: 17685532, #pkts verify: 17685532

Crypto map tag: outside_map, seq num: 1, local addr: 74.165.244.10
access-list outside_1_cryptomap permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 65.82.224.50
#pkts encaps: 5499955, #pkts encrypt: 5499955, #pkts digest: 5499955
#pkts decaps: 6493468, #pkts decrypt: 6493468, #pkts verify: 6493468
#pkts compressed: 0, #pkts decompressed: 0

Also

Can you do "debug crypto ipsec" and "debug crypto engine" and finally "clear crypto ipsec sa"?

After clearing crypto ipsec sa, if it doesn't work, send me the debug output.

Are your hosts sitting behind the ASAs connected to a switch? Can the ASAs ping your hosts?
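An added example, not posted by anyone in this thread: the pieces that have to line up on the Morgan City ASA (74.165.244.10) for TCP/3001 between 192.168.3.0/24 and 192.168.1.0/24 to cross the tunnel, and the checks that tell you which piece is missing. The names outside_map, outside_1_cryptomap and the peer 65.82.224.50 come from the outputs above; the interface ACL name outside_access_in, the NAT-exemption ACL and object names, the transform-set name and the host addresses used with packet-tracer are assumed. The ASA software version is not stated, so both the pre-8.3 and the 8.3+ NAT-exemption forms are shown.

```cisco
! Added example (not from the thread). Morgan City ASA, outside 74.165.244.10.

! 1. Interesting traffic. The crypto ACL decides what gets encrypted into the
!    tunnel. The ACL shown in the thread already permits all IP, so TCP/3001 is
!    covered. Do not narrow it to "eq 3001" unless the peer's mirror ACL is
!    narrowed identically, or the phase-2 proxy IDs will not match.
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 65.82.224.50
crypto map outside_map 1 set transform-set ESP-AES-128-SHA   ! transform-set name assumed
crypto map outside_map interface outside

! 2. NAT exemption. Without it the inside source is translated before the
!    crypto map is consulted and the packet never matches the crypto ACL.
!    Pre-8.3 form (ACL name assumed):
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!    8.3+ form (object names assumed), use instead of the two lines above:
! object network MorganCity-inside
!  subnet 192.168.3.0 255.255.255.0
! object network Site1-inside
!  subnet 192.168.1.0 255.255.255.0
! nat (inside,outside) source static MorganCity-inside MorganCity-inside destination static Site1-inside Site1-inside

! 3. The "pinhole". With the default "sysopt connection permit-vpn", traffic
!    arriving through the tunnel bypasses the outside interface ACL, so no
!    per-port rule is required. Confirm the default is still in effect:
show running-config all sysopt
!    Only if the config contains "no sysopt connection permit-vpn" does the
!    hole need to be explicit on the outside interface (ACL name assumed):
access-list outside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 3001
access-group outside_access_in in interface outside
!    Mirror the same rule on the 65.82.224.50 ASA with the subnets swapped.

! 4. Checks. Trace a TCP/3001 packet from a Morgan City host toward site 1;
!    the output should end in "Action: allow" and include a VPN/encrypt phase.
!    A drop in the NAT phase points at step 2, a drop in ACCESS-LIST at step 3.
packet-tracer input inside tcp 192.168.3.10 12345 192.168.1.10 3001
!    Trace the return direction as it would arrive decrypted from the peer:
packet-tracer input outside tcp 192.168.1.10 12345 192.168.3.10 3001
!    Then confirm both counters are moving for this SA. Encaps rising with
!    decaps flat means the far side is not sending back through the tunnel.
show crypto ipsec sa peer 65.82.224.50
show vpn-sessiondb l2l
```

Two caveats for the ping test suggested earlier in the thread: pinging the far-side ASA's inside interface (for example 192.168.1.1) through the tunnel only works if that ASA has "management-access inside" configured, so a failed ping of the interface does not by itself prove the tunnel is broken; and ICMP succeeding while TCP/3001 fails usually means the tunnel and NAT are fine and the block is on the host itself (a host firewall or a service not listening on 3001), which is exactly what the last question above about hosts behind a switch is probing.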
