386 Views, 0 Helpful, 10 Replies

Can't ping inside ASA IP

Andy White
Level 3

Hello,

I have configured an ASA to ASA site-to-site VPN and all is working fine. However, I can't ping or access the ASA via its inside IP; I have to use its public IP to manage it. Any ideas?

Thanks

10 Replies

mvsheik123
Level 7

Hi Andy,

Any ACLs blocking? Try by adding management-access inside. Pls post configs.

Thx

MS

Make sure you have added the command:

management-access <interface name>

Where interface name is the name of the interface you want to use to manage the ASA. So if you want to use the IP on the interface named inside to manage the ASA over the VPN you would enter the following command:

management-access inside

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Hi guys,

I already had that command.

Seems to be a NAT issue, if I remove this it works, but stops everything else:

nat (inside,any) source static internal-10.103.10.0 internal-10.103.10.0 destination static Corp-Servers Corp-Servers2 no-proxy-arp

Hi,

Which ASA is this from? The one you are trying to connect to or the ones where you are connecting from?

If this is the ASA behind which you are initiating the management connection to the remote site THEN does the Corp-Servers-2 include the IP address of the remote ASA interface to which you are connecting? Just wondering as it seems you are doing NAT for the destination network in the above command.

Then you probably need to connect to the corresponding NAT IP address configured with Corp-Servers.

- Jouni

This is the remote ASA that has the strange NAT issue..

I'm on the other side where the servers are.  These servers can ping the devices on the LAN, but not the IP of the ASA.  If I remove the NAT they can ping the ASA but lose connectivity to the rest of the LAN which they can currently ping, it does the opposite.

Very confused.

Hi,

Seems strange that it can ICMP anything (even the interface) if you remove that configuration.

Since you have different "object" / "object-group" for the Server networks in the "nat" command are you NATing that network? Is there a particular reason for NATing the server network?

I guess it would make things easier if we could see the configurations and go through them

I wonder if the Remote ASA is having problems forwarding the traffic correctly as it's also doing NAT for the actual network that is coming through the VPN? And considering that the NAT configurations on the ASA don't usually apply to traffic to and from the ASA interface.

Wonder what would happen if you were to add these configurations to the Remote ASA without removing anything

object network CENTRAL-ASA-INTERFACE

host

nat (inside,outside) 1 source static internal-10.103.10.0 internal-10.103.10.0 destination static  CENTRAL-ASA-INTERFACE CENTRAL-ASA-INTERFACE route-lookup

But I have to say this is a guess only since we haven't had a look at your configuration, so I am not sure if it will help.

- Jouni

If I remove that configuration we can ping the ASA, but not the rest of the LAN; it does the reverse.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.02.06 17:25:42 =~=~=~=~=~=~=~=~=~=~=~=
term len         page 0

ASA# sh run
: Saved
:
ASA Version 9.1(3)
!
hostname ASA

enable password NJocue0YBJl0.x encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 99
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan10
nameif inside
security-level 100
ip address 10.196.72.2 255.255.255.0
!
interface Vlan99
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Corp-Digi-OrionNPM
subnet 172.23.1.0 255.255.255.0
object network Corp-Digi-Servers
subnet 10.100.1.0 255.255.255.0
object network internal-10.196.72.0
subnet 10.196.72.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object Corp-Digi-OrionNPM
network-object object Corp-Digi-Servers
object-group network DM_INLINE_NETWORK_2
network-object object Corp-Digi-OrionNPM
network-object object Corp-Digi-Servers
object-group network DM_INLINE_NETWORK_3
network-object object Corp-Digi-OrionNPM
network-object object Corp-Digi-Servers
object-group network DM_INLINE_NETWORK_4
network-object object Corp-Digi-OrionNPM
network-object object Corp-Digi-Servers
access-list outside_cryptomap extended permit ip 10.196.72.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip 10.196.72.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_access_in extended permit icmp 10.196.72.0 255.255.255.0 any
access-list outside_cryptomap_1 extended permit ip object internal-10.196.72.0 object-group DM_INLINE_NETWORK_3
access-list inside_access_in_1 extended permit ip 10.196.72.0 255.255.255.0 any
access-list inside_access_in_1 extended permit icmp 10.196.72.0 255.255.255.0 any
pager lines 24
logging enable
logging console notifications
logging monitor notifications
logging asdm errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static internal-10.196.72.0 internal-10.196.72.0 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 10.100.162.21 255.255.255.255 inside
http x.x.x.x 255.255.255.255 outside
snmp-server host inside 172.23.1.3 community ***** version 2c
snmp-server host inside 172.23.1.4 community ***** version 2c
snmp-server location LDO
snmp-server contact EOC
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.196.72.21 255.255.255.255 inside
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd address 10.196.72.50-10.196.72.150 inside
dhcpd option 3 ip 10.196.72.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1 ikev2

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_x.x.x.x

tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ede660301a837ad5401f325046587c07
: end

Logoff


Hi,

I was wondering if the additional NAT configuration affected the situation at all. You wouldn't be removing any NAT configuration to test it.

Then again, looking at the above configuration I see no reference to network 10.103.10.0/xx network that you mentioned in the NAT configuration earlier.

- Jouni

In addition to what Jouni has mentioned, the NAT statement you posted in an earlier post refers to the destination Corp-Servers Corp-Servers2, though Corp-Servers2 is not shown in the configuration you posted. Could you post the config of the other ASA as well?

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
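As an added example (not from any poster in this thread and not a Cisco tool), the script below parses the relevant lines of the config Andy posted and reports, for a given source/destination pair, which crypto-ACL entries and twice-NAT rules cover the flow and in which direction, and whether the destination is one of the ASA's own interface addresses. That last point is the distinction Jouni raised: twice-NAT rules are written for through-the-box traffic, while a ping to 10.196.72.2 terminates on the box and is governed by management-access instead. The server address 10.100.1.10 is a constructed sample host inside the Corp-Digi-Servers object; the config excerpt is a trimmed copy of the posted running config.

```python
"""Map a (source, destination) flow onto a parsed ASA config: which 'permit ip'
ACL entries and 'source static ... destination static' NAT rules cover it, and
whether the destination is an ASA interface IP (to-the-box traffic).
Added example for this thread; not code from Cisco or from any poster."""
import ipaddress
import re

# Constructed excerpt of the posted running config: the inside interface,
# the network objects/groups, the crypto ACL, the twice-NAT line and
# management-access. Everything else from the dump is omitted.
ASA_CONFIG = """\
interface Vlan10
nameif inside
security-level 100
ip address 10.196.72.2 255.255.255.0
object network Corp-Digi-OrionNPM
subnet 172.23.1.0 255.255.255.0
object network Corp-Digi-Servers
subnet 10.100.1.0 255.255.255.0
object network internal-10.196.72.0
subnet 10.196.72.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object object Corp-Digi-OrionNPM
network-object object Corp-Digi-Servers
object-group network DM_INLINE_NETWORK_4
network-object object Corp-Digi-OrionNPM
network-object object Corp-Digi-Servers
access-list outside_cryptomap_1 extended permit ip object internal-10.196.72.0 object-group DM_INLINE_NETWORK_3
nat (inside,any) source static internal-10.196.72.0 internal-10.196.72.0 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp
management-access inside
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\)(?: \d+)? source static (\S+) (\S+)"
                    r" destination static (\S+) (\S+)")
# Lines that belong to the block opened by the previous top-level line.
NESTED = {"subnet", "host", "network-object", "nameif", "ip", "security-level"}


def _net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take(tokens, i):
    """Read one ACL address spec starting at tokens[i]; return (spec, next_i)."""
    if tokens[i] in ("any", "any4"):
        return (tokens[i],), i + 1
    # 'host A', 'object X', 'object-group X' and 'A M' all use two tokens
    return (tokens[i], tokens[i + 1]), i + 2


def parse_config(text):
    cfg = {"objects": {}, "groups": {}, "acls": {}, "nat": [], "if_ips": {}, "mgmt": None}
    obj = grp = ifc = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] not in NESTED:            # any top-level line closes the open block
            obj = grp = ifc = None
        if t[:2] == ["object", "network"]:
            obj = cfg["objects"].setdefault(t[2], [])
        elif t[:2] == ["object-group", "network"]:
            grp = cfg["groups"].setdefault(t[2], [])
        elif t[0] == "interface":
            ifc = {"name": None}
        elif t[0] == "nameif" and ifc is not None:
            ifc["name"] = t[1]
        elif t[:2] == ["ip", "address"] and ifc is not None and ifc["name"]:
            cfg["if_ips"][ifc["name"]] = ipaddress.ip_address(t[2])
        elif t[0] in ("subnet", "host") and obj is not None:
            obj.append(("host", t[1]) if t[0] == "host" else (t[1], t[2]))
        elif t[0] == "network-object" and grp is not None:
            grp.append(tuple(t[1:]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _take(t, 5)
            dst, _ = _take(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and (m := NAT_RE.match(line.strip())):
            cfg["nat"].append({"line": line.strip(), "real_src": m.group(3), "mapped_src": m.group(4),
                               "real_dst": m.group(5), "mapped_dst": m.group(6)})
        elif t[0] == "management-access":
            cfg["mgmt"] = t[1]
    return cfg


def nets(cfg, spec):
    """Expand a spec tuple (or a bare object/object-group name from a nat line)
    into the list of ip_network objects it denotes."""
    if isinstance(spec, str):
        spec = ("object", spec) if spec in cfg["objects"] else ("object-group", spec)
    if spec[0] in ("any", "any4"):
        return [_net("0.0.0.0", "0.0.0.0")]
    if spec[0] == "host":
        return [_net(spec[1])]
    if spec[0] in ("object", "object-group"):
        members = cfg["objects" if spec[0] == "object" else "groups"][spec[1]]
        return [n for member in members for n in nets(cfg, member)]
    return [_net(spec[0], spec[1])]


def check_flow(cfg, src, dst):
    """Report which ACL entries and NAT rules cover src->dst, in which direction,
    plus whether dst is an ASA interface IP and which interface has management-access."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = lambda spec, ip: any(ip in n for n in nets(cfg, spec))
    report = {"to_the_box": d in cfg["if_ips"].values(),
              "management_access": cfg["mgmt"], "crypto_acl": [], "nat": []}
    for name, entries in cfg["acls"].items():
        for ssp, dsp in entries:
            if hit(ssp, s) and hit(dsp, d):
                report["crypto_acl"].append((name, "forward"))
            elif hit(ssp, d) and hit(dsp, s):        # mirrored entry on the far side
                report["crypto_acl"].append((name, "reverse"))
    for r in cfg["nat"]:                             # twice-NAT rules are bidirectional
        if hit(r["real_src"], s) and hit(r["real_dst"], d):
            report["nat"].append((r["line"], "forward"))
        elif hit(r["mapped_src"], d) and hit(r["mapped_dst"], s):
            report["nat"].append((r["line"], "reverse"))
    return report


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    # Constructed flows: a Corp server pinging the ASA inside IP, then a LAN host
    for flow in (("10.100.1.10", "10.196.72.2"), ("10.100.1.10", "10.196.72.50")):
        print(flow, check_flow(cfg, *flow))
```

Both flows match the crypto ACL and the identity NAT rule in the reverse direction, so neither the VPN selector nor the NAT rule distinguishes them; the only difference the checker surfaces is `to_the_box`, which is why the relevant knob for the first flow is management-access rather than the NAT line. Extending `ASA_CONFIG` with the other ASA's config lets the same check be run from the server side.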