
ASA 8.6 - IPsec l2l tunnel established - no ping possible

CryptyTom
Level 1

Hi everybody,

I have an issue configuring the CISCO ASA 5512-x (IOS 8.6).

The IPsec tunnel is successfully created between ASA and another non-CISCO router (hereinafter "Router"). I can send ping packets from Router to ASA, but ASA is NOT able to reply to those requests. Sending requests from ASA is also NOT possible.

I'm trying to interconnect two LANs: 192.168.2.0/24 (CISCO, interface DMZ) and 192.168.3.0/24 (Router).

The CISCO ASA has a static public IP. The Router has a dynamic IP so I'm using dynamic-map option...

Here is the "show run" output:

---------------------------------------------------------------------------------------------------------------------------------------------

ASA Version 8.6(1)2
!
hostname ciscoasa
enable password oBGOJTSctBcCGoTh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
object network webserver-external-ip
host Y.Y.Y.Y
object network webserver
host 192.168.2.100
object network vpn-local-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network vpn-remote-192.168.3.0
subnet 192.168.3.0 255.255.255.0
access-list outside_acl extended permit tcp any object webserver
access-list outside_acl extended permit tcp any object webserver eq www
access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
access-list dmz_acl extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network webserver
nat (DMZ,outside) static webserver-external-ip service tcp www www
access-group dmz_acl global
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal 3des-midge
protocol esp encryption 3des
protocol esp integrity md5
crypto dynamic-map dynMidgeMap 1 match address l2l-list
crypto dynamic-map dynMidgeMap 1 set pfs
crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-midge
crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
crypto dynamic-map dynMidgeMap 1 set reverse-route
crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
crypto map midgeMap interface outside
crypto isakmp identity hostname
crypto ikev2 policy 1
encryption 3des
integrity md5
group 2
prf md5
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy midgeTrialPol internal
group-policy midgeTrialPol attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
ipsec-udp enable
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn general-attributes
default-group-policy midgeTrialPol
tunnel-group midgeVpn ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
: end

------------------------------------------------------------------------------------------------------------------------------

X.X.X.X - public ASA IP address

Y.Y.Y.Y - some web server

Z.Z.Z.Z - default gateway

-------------------------------------------------------------------------------------------------------------------------------

PING from ASA:

ciscoasa# ping DMZ 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

PING from Router (debug on CISCO):

ciscoasa# nat: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
nat: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
nat: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=0 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=1 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=2 len=40
ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=3 len=40

-------------------------------------------------------------------------------------------------------------------------------

ciscoasa# show route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

C    Z.Z.Z.0 255.255.255.0 is directly connected, outside
S    192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outside
S*   0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outside

-------------------------------------------------------------------------------------------------------------------------------

Do you have any idea what I have wrong? Probably some wrong NAT/ACL, I guess, but I could only ever find something for 8.4 IOS and not 8.6... Maybe, and probably, I have already messed up the configuration with unwanted commands, but I was trying various things...

Please, if you have any idea, let me know! Thanks a lot!

1 Accepted Solution

Accepted Solutions

mvsheik123
Level 7

Hi,

I have never used the 'global' option in an ACL, but it looks like this is causing the issue. From the Cisco doc:

"Global access rules are defined as a special ACL that is processed for every interface on the device for traffic entering the interface. Thus, although the ACL is configured once on the device, it acts like a secondary interface-specific ACL defined for the In direction. (Global rules are always for the In direction, never the Out direction.) "

Your ACL: access-list dmz_acl extended permit icmp any any echo

So, when you initiate from the ASA, there is an echo-reply from the Router on the outside interface --> the global ACL may be blocking it.

When you initiate from the Router, the ASA's echo-reply is being blocked again.

Try adding permit echo-reply as well.

Also, you can use 'inspect icmp' in the global policy instead of ACLs.

If none of that works, you can troubleshoot further with the packet-tracer command on the ASA.

Thx

MS
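The two fixes proposed in the reply above, written out as an added configuration example (this is not from the original post or from Cisco; it reuses the ACL, interface and policy-map names from the question, and the addresses come from the OP's debug output). Either option on its own is enough; the packet-tracer lines at the end are the check the reply recommends:

```cisco
! Option A: keep the stateless global ACL but permit the reply direction too.
! Without ICMP inspection, an echo-reply arriving on "outside" is just another
! inbound packet: it has to be permitted by an ingress ACL on that interface
! (here the global one), otherwise the implicit deny at the end drops it.
access-list dmz_acl extended permit icmp any any echo
access-list dmz_acl extended permit icmp any any echo-reply
access-group dmz_acl global

! Option B (instead of A): track ICMP statefully, so the reply is matched to
! its request and no reply-direction ACL entry is needed at all.
policy-map global_policy
 class inspection_default
  inspect icmp

! Verify the policy decision without sending real traffic.
! Echo request (type 8, code 0) from the Router's LAN to the host behind DMZ:
packet-tracer input outside icmp 192.168.3.1 8 0 192.168.2.100 detailed
! The reply direction (type 0, code 0), which the original ACL did not cover:
packet-tracer input DMZ icmp 192.168.2.100 0 0 192.168.3.1 detailed
! Both should finish with "Action: allow". A drop in the ACCESS-LIST phase
! points at the global ACL; one in the NAT or VPN phase points at the
! NAT exemption or the crypto ACL (l2l-list) instead.
```

Option B is the one to prefer in practice: with `inspect icmp` the ASA only admits replies that belong to a request it has seen, whereas Option A's `permit icmp any any echo-reply` admits any unsolicited echo-reply on every interface the global ACL covers.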

2 Replies

Hi,

Thanks for the reply... I have now a functional configuration:

: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
object network webserver-external-ip
host Y.Y.Y.Y
object network webserver
host 192.168.2.100
object network vpn-local-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network vpn-remote-192.168.3.0
subnet 192.168.3.0 255.255.255.0
access-list outside_acl extended permit tcp any object webserver
access-list outside_acl extended permit tcp any object webserver eq www
access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network webserver
nat (DMZ,outside) static webserver-external-ip service tcp www www
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
crypto dynamic-map dynMidgeMap 1 match address l2l-list
crypto dynamic-map dynMidgeMap 1 set pfs
crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
crypto dynamic-map dynMidgeMap 1 set reverse-route
crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
crypto map midgeMap interface outside
crypto isakmp identity hostname
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
group-policy midgeTrialPol internal
group-policy midgeTrialPol attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
ipsec-udp enable
tunnel-group midgeVpn type ipsec-l2l
tunnel-group midgeVpn general-attributes
default-group-policy midgeTrialPol
tunnel-group midgeVpn ipsec-attributes
ikev1 pre-shared-key *****
!
(not all lines included)

------------------------------------------------------------------------

I removed almost everything unnecessary. I'm still UNABLE to ping the DMZ interface, but I'm able to ping from the Router to the device connected via the DMZ interface (192.168.2.100).

I've tested whether I'm able to ping the device behind the DMZ interface even with the global ACL rule, and I was!

Resolution: I'm able to ping the device behind the DMZ interface, but I'm unable to ping the DMZ interface itself. Or from the DMZ interface to the router.