Cisco Support Community

New Member

Cisco ASA cannot / can Ping remote network of IPSEC LAN

Hi together

We have set up an IPsec connection, and the strange thing is that the IPsec tunnel comes up fine and we can also successfully ping a client on the remote LAN of the other site from the ASA itself.

Yet once we try to ping the remote client from our local LAN behind the ASA, this fails.

When doing a traceroute on a remote LAN client, the client tries to reach the network over the public gateway, yet this should be routed over the IPsec tunnel.

I have checked the ACLs and they are all set to allow for these settings, yet it still does not want to work. Any ideas?

Cheers

Wolfgang

6 REPLIES
Hall of Fame Super Silver

Cisco ASA cannot / can Ping remote network of IPSEC LAN

On an ASA a good tool to check why something isn't flowing as expected is the packet-tracer command. It will take you through the logic the ASA uses step by step including VPN encapsulation (or lack thereof) and routing.

More details on packet-tracer here and here.

If that doesn't help, please share the relevant ACLs and crypto configurations from both devices for a more definitive answer.

New Member

Cisco ASA cannot / can Ping remote network of IPSEC LAN

Hi,

Yes, I agree with Marvin. Please try to run a packet tracer on the ASA. With the current description, it seems NAT exempt might not be configured for the local LAN subnet. If it is, try to take captures on the inside interface of the ASA for ICMP traffic to see if packets are reaching the inside interface. Please try to upload the configs from the VPN end devices as Marvin suggested.

Thanks,

Ankit Sharma

New Member

Cisco ASA cannot / can Ping remote network of IPSEC LAN

Hi together,

Thank you very much for your reply. I have gone through the test with the packet tracer, which was all in all positive:

ICMP from inside network to client of remote network

What still puzzles me is that when I look at the log of the ping requests from a local client to the remote network, I see that the ASA is trying to route the ICMP packet via the public interface rather than through the IPsec VPN tunnel.

If I do a ping test on the ASA to a client of the remote network this works.

If I do a ping test on the local client to a client of the remote network this fails.

What can I do here?

Thanks

Wolfgang

VIP Green

Cisco ASA cannot / can Ping remote network of IPSEC LAN

The issue is most likely a crypto ACL mismatch or a NAT Exempt misconfiguration on one of the locations.  Would you be able to post a sanitized configuration of both locations?

--

Please remember to rate and select a correct answer
New Member

Cisco ASA cannot / can Ping remote network of IPSEC LAN

Hi Marius,

Attached are the relevant config lines from the local site:

crypto map world_map 2 match address world_cryptomap_2
crypto map world_map 2 set peer 1xx.xxx.47.10
crypto map world_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

tunnel-group 1xx.xxx.47.10 type ipsec-l2l
tunnel-group 1xx.xxx.47.10 general-attributes
 default-group-policy GroupPolicy2
tunnel-group 1xx.xxx.47.10 ipsec-attributes
 ikev1 pre-shared-key *****

object network VPN-Devices
 subnet 10.124.0.0 255.255.0.0

The remote site is managed by a provider and I will post this later.

Thanks

Wolfgang

VIP Green

Re: Cisco ASA cannot / can Ping remote network of IPSEC LAN

Could you also include the ACL configuration of world_cryptomap_2, as this indicates what traffic is to be encrypted?

Also include the NAT Exempt configuration as this prevents the VPN traffic from being NATed out to the internet.

--

Please remember to rate and select a correct answer
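The two causes named in the replies above (Ankit's note that NAT exempt may be missing for the local LAN subnet, and Marius' point that the crypto ACLs on both peers must match) can both be checked offline before the provider sends the remote config. The script below is an added example, not code from the thread or from Cisco: it runs over constructed ASA config fragments whose object names (LOCAL-LAN, REMOTE-LAN, HQ-LAN, BRANCH-LAN), the remote ACL name to_hq and the 192.168.50.0/24 remote subnet are hypothetical; only world_cryptomap_2 and 10.124.0.0/16 come from the post. It parses the network objects, the crypto ACL and the manual NAT lines, then reports crypto-ACL pairs that the peer does not mirror and crypto-ACL pairs with no identity NAT rule covering them.

```python
"""Added example (not from the thread): check a pair of ASA site-to-site fragments
for a non-mirrored crypto ACL and for VPN traffic that is not exempted from NAT."""
import ipaddress
import re

# Constructed local-site fragment matching the symptom in the thread: the crypto ACL
# exists, but no identity twice-NAT rule, so inside traffic for the remote LAN is
# PATed out of the public interface instead of entering the tunnel. (hypothetical names)
LOCAL_BROKEN = """
object network LOCAL-LAN
 subnet 10.124.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 192.168.50.0 255.255.255.0
access-list world_cryptomap_2 extended permit ip object LOCAL-LAN object REMOTE-LAN
nat (inside,outside) source dynamic any interface
crypto map world_map 2 match address world_cryptomap_2
"""

# Same site with the NAT exemption added. Manual (section 1) NAT rules are evaluated
# in order, so the identity rule is placed ahead of the dynamic PAT rule.
LOCAL_FIXED = LOCAL_BROKEN.replace(
    "nat (inside,outside) source dynamic any interface",
    "nat (inside,outside) source static LOCAL-LAN LOCAL-LAN "
    "destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup\n"
    "nat (inside,outside) source dynamic any interface",
)

# Constructed remote-site fragment whose crypto ACL covers only a /24 of the local /16
# (the classic mirror-image mismatch), and the corrected version of it.
REMOTE_MISMATCHED = """
object network HQ-LAN
 subnet 10.124.1.0 255.255.255.0
object network BRANCH-LAN
 subnet 192.168.50.0 255.255.255.0
access-list to_hq extended permit ip object BRANCH-LAN object HQ-LAN
"""
REMOTE_OK = REMOTE_MISMATCHED.replace("10.124.1.0 255.255.255.0", "10.124.0.0 255.255.0.0")

def parse_objects(cfg):
    """Map each 'object network NAME' to the IPv4 network from its 'subnet' line."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.strip().startswith("subnet "):
            _, addr, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}")
    return objects

def _endpoint(tokens, objects):
    """Consume one ACL address term (any | object NAME | ADDR MASK); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def crypto_acl(cfg, name, objects):
    """Set of (src, dst) networks that the named crypto ACL selects for encryption."""
    pairs = set()
    for line in cfg.splitlines():
        t = line.split()
        if t[:4] == ["access-list", name, "extended", "permit"] and len(t) > 5 and t[4] == "ip":
            src, rest = _endpoint(t[5:], objects)
            dst, _ = _endpoint(rest, objects)
            pairs.add((src, dst))
    return pairs

def nat_exempt_pairs(cfg, objects):
    """(real_src, real_dst) of identity twice-NAT rules: 'source static X X destination static Y Y'."""
    exempt = []
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["nat"] and "source" in t and "destination" in t:
            i, j = t.index("source"), t.index("destination")
            if (t[i + 1] == "static" and t[j + 1] == "static"
                    and t[i + 2] == t[i + 3] and t[j + 2] == t[j + 3]):
                exempt.append((objects[t[i + 2]], objects[t[j + 2]]))
    return exempt

def report(local_cfg, local_acl, remote_cfg, remote_acl):
    """Run both checks; all three lists empty means the fragments are consistent."""
    lo, ro = parse_objects(local_cfg), parse_objects(remote_cfg)
    local_pairs = crypto_acl(local_cfg, local_acl, lo)
    remote_pairs = crypto_acl(remote_cfg, remote_acl, ro)
    exempt = nat_exempt_pairs(local_cfg, lo)
    def fmt(pairs):
        return sorted(f"{s} -> {d}" for s, d in pairs)
    return {
        # Each peer's crypto ACL must be the exact mirror image of the other's.
        "local_pairs_not_mirrored_by_remote": fmt(p for p in local_pairs if p[::-1] not in remote_pairs),
        "remote_pairs_not_mirrored_by_local": fmt(p for p in remote_pairs if p[::-1] not in local_pairs),
        # A crypto-ACL pair with no identity NAT rule covering it is NATed to the internet.
        "local_pairs_not_nat_exempt": fmt(
            (s, d) for s, d in local_pairs
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)),
    }
```

Calling report(LOCAL_BROKEN, "world_cryptomap_2", REMOTE_MISMATCHED, "to_hq") lists the local 10.124.0.0/16 -> 192.168.50.0/24 pair under both "not mirrored" and "not NAT exempt", which is exactly the pattern behind "ASA can ping, LAN cannot": the ASA's own pings originate on the outside interface and are never NATed, while LAN traffic hits the dynamic PAT rule first. The same call with LOCAL_FIXED and REMOTE_OK returns three empty lists. On the box itself, Marvin's packet-tracer suggestion confirms the same thing for a LAN host: with constructed addresses, packet-tracer input inside icmp 10.124.1.10 8 0 192.168.50.10 should show the NAT phase matching the identity rule and a VPN encrypt phase; if it instead shows the dynamic NAT rule and no VPN phase, the exemption is missing or ordered after the PAT rule.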