Unable to ping remote subnet once VPN tunnel is created

CiscoASA2008
Level 1

I'm using a Cisco ASA5505 and a Linksys RV042 to establish a VPN tunnel between two subnets. VPN tunnel sets up ok - main screen on ASA shows IKE=1 and IPSec=1. But I'm not able to ping between hosts on subnets connected by VPN tunnel.

When I try to ping from host on remote NW to the private IP address of the ASA5505 I get no reply. I've attached details of the NW setup and also a dump of the ASA config file.

Any help would be greatly appreciated!

9 Replies

ajagadee
Cisco Employee

What is the IP address that you are trying to ping? Does that IP in the 10.126.172.x know that it has to send the response back to the ASA to go to 192.168.1.x?

Also, did you do a clear xlate after configuring the IPSEC and NAT 0 commands?

Can you also post the output of "show crypto ipsec sa" when the tunnel is up and you are trying to access something behind the ASA from the Linksys.

Regards,

Arul

Hi Arul,

Thanks for the quick reply. I am trying to ping the private IP address of the Cisco box. From the diagram this is 10.126.172.68. I'm now home but will try your other suggestions in the morning.

Thanks again,

Sean.

Sean,

If you want to ping the inside interface of the ASA across an IPSEC Tunnel, you need to configure "management-access inside" on the ASA.

Please refer to the URL below for details:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1794331

Regards,

Arul

Well, ultimately I want to be able to access the private LAN (10.126.172.xx) via the VPN connection from the remote machine (192.168.1.101). But at the moment I am not even able to ping any host on this LAN.

One issue I might be encountering is that a host machine on the private LAN does not know to reply to the ping request via the Cisco ASA box, and instead tries via the private LAN's default gateway. To bypass this possible issue I was trying to ping only as far as the inside interface on the Cisco ASA box from the remote machine.

I'm new to the world of VPN/NAT/Routing so am not too sure what even the 'possible' issues might be...

Hi Arul,

I tried the clear xlate command but the behaviour is still the same. When I try to ping a machine behind the ASA from a host on the NW behind the Linksys, I get the following in the log:

6 Jan 11 2008 12:32:26 302015 10.126.172.31 239.255.255.250 Built inbound UDP connection 26578 for inside:10.126.172.31/1024 (10.126.172.31/1024) to NP Identity Ifc:239.255.255.250/1900 (239.255.255.250/1900)

6 Jan 11 2008 12:32:26 302016 10.126.172.31 239.255.255.250 Teardown UDP connection 26578 for inside:10.126.172.31/1024 to NP Identity Ifc:239.255.255.250/1900 duration 0:00:00 bytes 313

Also, here's the output result of the command: "show crypto ipsec sa"

---------------------------------------
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 83.141.76.42

      access-list outside_1_cryptomap permit ip 10.126.172.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.126.172.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 83.141.76.41

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 83.141.76.42, remote crypto endpt.: 83.141.76.41
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: F1100B08

    inbound esp sas:
      spi: 0x4229320A (1109996042)
         transform: esp-des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 30, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 3350
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xF1100B08 (4044360456)
         transform: esp-des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 30, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 3350
         IV size: 8 bytes
         replay detection support: Y
---------------------------------------
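The counters in that output already tell the story: the ASA decapsulated 4 packets from the Linksys side but encapsulated none, so the tunnel is fine and the replies are not finding their way back to the ASA. As an added example (not the thread's or Cisco's code), here is a small Python triage script that parses those counters and flags that pattern; the sample text is constructed and abridged from the post above.

```python
"""Triage helper for Cisco ASA `show crypto ipsec sa` output (added example,
not from the thread or from Cisco). Flags the asymmetry seen in the thread:
packets decapsulated but none encapsulated points at the return path."""
import re

# Constructed sample, abridged from the counters posted in the thread.
SAMPLE_SA_OUTPUT = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 83.141.76.42
local ident (addr/mask/prot/port): (10.126.172.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 83.141.76.41
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")
IDENT_RE = re.compile(r"^(local|remote) ident .*?: \((\S+?)/(\S+?)/")

def parse_sa(text: str) -> dict:
    """Extract peer, local/remote subnets and integer counters for one SA."""
    sa = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("current_peer:"):
            sa["peer"] = line.split(":", 1)[1].strip()
        m = IDENT_RE.match(line)
        if m:  # e.g. local_net -> "10.126.172.0/255.255.255.0"
            sa[m.group(1) + "_net"] = f"{m.group(2)}/{m.group(3)}"
        for name, value in COUNTER_RE.findall(line):
            sa[name.replace(" ", "_")] = int(value)
    return sa

def diagnose(sa: dict) -> list:
    """Map counter patterns to the most likely class of fault."""
    encaps, decaps = sa.get("pkts_encaps", 0), sa.get("pkts_decaps", 0)
    findings = []
    if decaps > 0 and encaps == 0:  # traffic arrives, nothing goes back
        findings.append("one-way traffic: check the ASA default route and that "
                        f"{sa.get('local_net')} hosts route {sa.get('remote_net')} via the ASA")
    elif decaps == 0 and encaps == 0:  # nothing matched the crypto ACL at all
        findings.append("no traffic either way: check the crypto ACL / interesting traffic")
    if sa.get("send_errors", 0) or sa.get("recv_errors", 0):
        findings.append("send/recv errors: check MTU, fragmentation and peer SA state")
    return findings

if __name__ == "__main__":
    print(*diagnose(parse_sa(SAMPLE_SA_OUTPUT)), sep="\n")
```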

Can you post the current configuration from the ASA? What is the default gateway on the ASA, and does the 10.126.172.0 255.255.255.0 network know that it needs to route the traffic to the ASA to reach the 192.168.1.0 255.255.255.0 network?

Regards,

Arul

Hi Arul,

Attached is the running-config from the ASA:

Not too sure what you mean by 'what is the default gateway on the ASA'. Its outside IP is 83.141.76.42 and its inside IP is 10.126.172.68. When configuring the interfaces I didn't ever need to specify a default gateway...

WRT routing, I'm not certain that the 10.126.172.0 255.255.255.0 boxes know they need to route traffic to the ASA to reach the 192.168.1.0 255.255.255.0 network. How do I verify this?

Cheers,

Sean.

Couple of things that I notice in your configuration.

There is no default gateway configured on the ASA. For example,

route outside 0.0.0.0 0.0.0.0 83.141.76.XXX.

Also, pick a router, Layer 3 switch or a host on the 10.126.172.0/24 and look at their routing table to see whether, in order to reach 192.168.1.0/24, they are sending the traffic to the ASA. If the default gateway of the hosts on the 10.126.172.0/24 is pointing to the ASA, then there should be no need to configure additional routing on those hosts.

Regards,

Arul

Hi Arul,

That's fantastic!! I added the default gateway to the ASA and also pointed the 10.126.172.0/24 hosts' default gateway to the ASA, and I'm now able to gain full access to the internal LAN from the 'remote' machine.

Your help is much appreciated on this :-)

Cheers

Sean.
