New Member

Can't Ping Host Through Site-to-Site

Both ends are ASA 5510. The IPsec tunnel is up and running.

show crypto isakmp

Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 50.240.120.233
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

show crypto ipsec

      #pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
      #pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 46, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

I am able to ping from my side (10.1.20.0/24), but only to the 'inside' interface on the remote ASA (10.2.20.1). I can't ping any other computers in the remote subnet. The remote subnet is not able to ping anything on my side.

Here is the config from my side:

: Saved
:
ASA Version 8.2(1)
!
hostname asa
names
name 72.xxx.xxx.xxx Telepacific_Gateway
name 184.188.50.225 Cox_Gateway
name 10.1.20.32 VPN
name 10.2.20.0 Jacksonville-Subnet
!
interface Ethernet0/0
description Telepacific 4Mb Internet
nameif WAN_TelePacific
security-level 0
ip address 72.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
description Cox 10Mb Fiber Internet
speed 100
duplex full
nameif WAN_Cox
security-level 0
ip address 184.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/2
nameif VOIP
security-level 49
ip address 10.1.10.1 255.255.255.0
!
interface Ethernet0/3
nameif inside
security-level 50
ip address 10.1.20.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup WAN_TelePacific
dns domain-lookup WAN_Cox
dns server-group DefaultDNS
name-server 209.242.128.100
name-server 209.242.128.101
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0
access-list ragroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0
access-list WAN_Cox_1_cryptomap extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0
access-list WAN_access_in extended permit icmp any any
access-list WAN_Cox_access_in extended permit icmp any any
access-list WAN_Cox_access_in extended permit udp VPN 255.255.255.224 10.1.20.0 255.255.255.0
access-list WAN_Cox_access_in extended permit tcp VPN 255.255.255.224 10.1.20.0 255.255.255.0
access-list inside_nat_outbound_1 extended permit ip any any
access-list inside_nat_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 VPN 255.255.255.224
pager lines 24
logging enable
logging asdm informational
logging mail critical
mtu WAN_TelePacific 1500
mtu WAN_Cox 1500
mtu VOIP 1500
mtu inside 1500
mtu management 1500
ip local pool RA VPN-10.1.20.49 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any WAN_TelePacific
asdm history enable
arp timeout 14400
global (WAN_TelePacific) 101 interface
global (WAN_Cox) 102 interface
global (inside) 103 interface
nat (WAN_Cox) 103 VPN 255.255.255.224 outside
nat (VOIP) 102 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 102 access-list inside_nat_outbound
nat (inside) 101 access-list inside_nat_outbound_1
nat (management) 102 0.0.0.0 0.0.0.0
access-group WAN_access_in in interface WAN_TelePacific
access-group WAN_Cox_access_in in interface WAN_Cox
route WAN_Cox 0.0.0.0 0.0.0.0 Cox_Gateway 1 track 3
route WAN_TelePacific 0.0.0.0 0.0.0.0 Telepacific_Gateway 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD_Group_author protocol ldap
aaa-server AD_Group_author (inside) host 10.1.20.10
server-port 389
ldap-base-dn DC=,DC=LOCAL
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=VPN,CN=Users,DC=,DC=local
server-type microsoft
ldap-attribute-map CISCOMAP
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 WAN_TelePacific
http 0.0.0.0 0.0.0.0 WAN_Cox
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sla monitor 100
type echo protocol ipIcmpEcho Telepacific_Gateway interface WAN_Cox
num-packets 20
sla monitor schedule 100 life forever start-time now
sla monitor 101
type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox
sla monitor schedule 101 life forever start-time now
sla monitor 102
type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox
sla monitor schedule 102 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN_TelePacific
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto map WAN_Cox_map 1 match address WAN_Cox_1_cryptomap
crypto map WAN_Cox_map 1 set pfs
crypto map WAN_Cox_map 1 set peer 50.240.120.233
crypto map WAN_Cox_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_Cox_map 1 set nat-t-disable
crypto map WAN_Cox_map interface WAN_Cox
crypto ca trustpoint vpn_ssl_cert
fqdn asa
subject-name CN=asa
no client-types
crl configure
crypto isakmp enable WAN_Cox
crypto isakmp enable inside
crypto isakmp enable management
crypto isakmp policy 10
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 100 reachability
!
track 2 rtr 101 reachability
!
track 3 rtr 102 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.1.20.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 5
management-access inside
dhcpd address 10.1.10.51-10.1.10.254 VOIP
dhcpd dns 216.70.224.17 8.8.8.8 interface VOIP
dhcpd enable VOIP
!
dhcpd address 10.1.20.100-10.1.20.254 inside
dhcpd dns 216.70.224.17 8.8.8.8 interface inside
dhcpd wins 10.1.20.10 1.1.20.11 interface inside
dhcpd domain local interface inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.1.20.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.1.20.10 255.255.255.255
threat-detection scanning-threat shun except ip-address 10.1.20.12 255.255.255.255
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.20.10 source inside prefer
webvpn
enable WAN_Cox
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec svc
webvpn
  svc ask none default svc
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 10.1.20.10
dns-server value 10.1.20.10
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value local
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
address-pools value RA
group-policy ragroup internal
group-policy ragroup attributes
wins-server value 10.1.20.1
dns-server value 10.1.20.1
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ragroup_splitTunnelAcl
default-domain value
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner none
wins-server value 10.1.20.10
dns-server value 10.1.20.10
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ragroup_splitTunnelAcl
default-domain value local
webvpn
  svc ask none default svc
tunnel-group DefaultRAGroup general-attributes
address-pool RA
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool RA
authentication-server-group AD_Group_author LOCAL
authorization-server-group AD_Group_author
authorization-required
username-from-certificate use-entire-name
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication ms-chap-v2
tunnel-group ZRemote type remote-access
tunnel-group ZRemote general-attributes
address-pool RA
authentication-server-group AD_Group_author LOCAL
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
address-pool RA
authentication-server-group AD_Group_author LOCAL
default-group-policy ALLOWACCESS
tunnel-group 50.240.xxx.xxx type ipsec-l2l
tunnel-group 50.240.xxx.xxx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 10.1.20.14
prompt hostname context
Cryptochecksum:053e7f169dcfa526b030f5d647cd78e8
: end

1 ACCEPTED SOLUTION

Silver

Can't Ping Host Through Site-to-Site

Configuration on this ASA seems correct to me.

Please check nat-exempt configuration on remote end device.

If possible, upload the config of remote end device as well.

Regards,

Naresh
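The accepted answer points at the remote end's NAT exemption. As an added example (not from the thread or from Cisco), this Python script reads the ASA 8.2 lines involved on both sides and checks the two things that must hold for an L2L tunnel to pass traffic: each side's nat 0 ACL covers its crypto-map ACL, and the two crypto ACLs mirror each other. The local lines are taken from the poster's config above; the remote config is constructed to reproduce the failure the answer suspects (no exemption on the far side).

```python
import ipaddress
import re

# Lines from the poster's ASA 8.2 config that the check needs (verbatim from the thread).
LOCAL = """\
name 10.2.20.0 Jacksonville-Subnet
access-list WAN_Cox_1_cryptomap extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map WAN_Cox_map 1 match address WAN_Cox_1_cryptomap
"""
# Constructed remote-end config: its crypto ACL mirrors ours, but no nat 0 exemption exists.
REMOTE = """\
access-list outside_1_cryptomap extended permit ip 10.2.20.0 255.255.255.0 10.1.20.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
"""

def acl_flows(cfg, acl):
    """Set of (src_net, dst_net) from the `permit ip A Ma B Mb` lines of one ACL,
    resolving `name <ip> <label>` aliases so either spelling is accepted."""
    names = {label: ip for ip, label in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}
    pat = rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    net = lambda host, mask: ipaddress.ip_network(f"{names.get(host, host)}/{mask}", strict=False)
    return {(net(a, ma), net(b, mb)) for a, ma, b, mb in re.findall(pat, cfg, re.M)}

def covered(flows, by):
    """True when every flow in `flows` lies inside some flow of `by`."""
    return all(any(s.subnet_of(S) and d.subnet_of(D) for S, D in by) for s, d in flows)

def l2l_acls(cfg):
    """Names of the crypto-map match ACL and of the nat 0 (exemption) ACL, if any."""
    crypto = re.search(r"^crypto map \S+ \d+ match address (\S+)$", cfg, re.M)
    nat0 = re.search(r"^nat \(\S+\) 0 access-list (\S+)$", cfg, re.M)
    return crypto.group(1), (nat0.group(1) if nat0 else None)

def check_l2l(local_cfg, remote_cfg):
    """Return findings; an empty list means exemption and mirroring both check out."""
    findings, flows = [], {}
    for side, cfg in (("local", local_cfg), ("remote", remote_cfg)):
        crypto_acl, nat0_acl = l2l_acls(cfg)
        flows[side] = acl_flows(cfg, crypto_acl)
        exempt = acl_flows(cfg, nat0_acl) if nat0_acl else set()
        if not covered(flows[side], exempt):
            findings.append(f"{side}: nat 0 ACL does not exempt all crypto-map traffic")
    if flows["local"] != {(d, s) for s, d in flows["remote"]}:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings

if __name__ == "__main__":
    print("\n".join(check_l2l(LOCAL, REMOTE)) or "both sides consistent")
```

Run against the real remote config, the only finding the script should leave is the one you then fix with a matching nat 0 ACL on that ASA.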

4 REPLIES

VIP Purple

Re: Can't Ping Host Through Site-to-Site

As already mentioned, a wrong configuration of NAT exemption is quite often the reason for these kinds of problems. And if you want to test with ping, you should enable ICMP inspection on both ASAs:

policy-map global_policy
 class inspection_default
  inspect icmp 

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni



Re: Can't Ping Host Through Site-to-Site

Try to enable inspect icmp on the global policy on both firewalls.

And also a command which will help VPN on all interfaces:
sysopt connection permit-vpn


New Member

Can't Ping Host Through Site-to-Site

Hi

Enable "inspect icmp" under your policy map. Once you enable it, verify with "show service-policy".

policy-map global_policy
 class inspection_default
  inspect icmp

asa# show service-policy

Global policy:
  Service-policy: global_policy
#########truncated#################
      Inspect: icmp, packet 4882, drop 0, reset-drop 0

Another option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. In this example, icmp inspection is added to the default global inspection policy.

For example:

policy-map global_policy
    class inspection_default
     inspect icmp

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

HTH

Santhosh Saravanan
