cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1488
Views
0
Helpful
6
Replies

Problem with ping in site-to-site

pixteam2007
Level 1
Level 1

Hi, I have a tunnel vpn site-to-site with two ASA5505, the tunnel is up but when I try ping between inside lan I have in log file:

Teardown ICMP connection for faddr 192.168.0.100/0 gaddr 192.168.1.159/512 laddr 192.168.1.159/512

Built outbound ICMP connection for faddr 192.168.0.100/0 gaddr 192.168.1.159/512 laddr 192.168.1.159/512

My address space is:

private: 192.168.0.0/24 and 192.168.1.0/24

public: 2.1.44.35 and 1.2.182.42   (this address aren't really)

About vpn I have this configuration:

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object icmp

protocol-object icmp6

object-group icmp-type DM_INLINE_ICMP_1

icmp-object echo

icmp-object echo-reply

access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any 1.2.182.40 255.255.255.248

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any host IP_FW

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 1.2.182.46 1

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 2.1.44.35

crypto map outside_map interface outside

crypto isakmp enable outside

tunnel-group 2.1.44.35 type ipsec-l2l

tunnel-group 2.1.44.35 ipsec-attributes

and on the other side:

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object icmp

protocol-object icmp6

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any

access-list outside_access_in extended permit tcp any host 2.1.44.36 object-group DM_INLINE_TCP_0

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host FW

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.224

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 2.1.44.38 1

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer IP_PUB_CIS

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

no crypto isakmp nat-traversal

tunnel-group 1.2.182.42 type ipsec-l2l

tunnel-group 1.2.182.42 ipsec-attributes

Thanks.

-

Salvatore.

6 Replies 6

Herbert Baerten
Cisco Employee
Cisco Employee

These syslogs do not indicate a problem, in fact they show that an ICMP connection is properly being built and being torn down again, which is normal.

So is the ping working or not?

I do spot one possible problem, you have:

access-group inside_access_in in interface inside

but inside_access_in is not defined anywhere on the first ASA.

If that does not help and the ping still fails, check the syslogs and "show crypto ipsec sa" (to see if encrypt/decrypt counters are increasing) on both sides.

hth

Herbert

Hi, in debug I have:

#packet-tracer input outside icmp 192.168.1.159 8 0 192.168.0.100

action drop

drop reason: (rpf violated) reverse-path verify failed

In attach more information

I have verified more times the configuration but I have understood where is the error in my configuration, I have once again the configuration file for both side and the new  configuration is the following:

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 0R2MX4Kk7jsue7zn encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.10 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 2.1.44.35 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 2.1.44.38 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 1.2.182.42

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 1.2.182.42 type ipsec-l2l

tunnel-group 1.2.182.42 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:7b17d4ebbb0e9b605d8f97458554eb46

: end

asdm image disk0:/asdm-621.bin

no asdm history enable

other side:

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password yjWoTDJEsBZjH.DV encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.10 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 1.2.182.42 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 1.2.182.46 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 2.1.44.35

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 2.1.44.35 type ipsec-l2l

tunnel-group 2.1.44.35 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:f9eb6df8a212428a8871873099b98558

: end

asdm image disk0:/asdm-621.bin

no asdm history enable

Thanks.

-

Salvatore.

..pheraps the problem are the static route ? I always used vpn based on openswan and in the site-to-site configuration is needful the parameter:

leftnexthop=x.y.y.z

this ip address is the ip assigned to router.

In cisco ASA configuration I have:

route outside 0.0.0.0 0.0.0.0 1.2.186.46 1

where 1.2.186.46 is router ip address and

1.2.186.42

..is the ip address on wan interface of Cisco ASA.

Sorry but I cannot understand where I am wrong ! :-(

Thanks.

-

Salvatore.

Routing seems ok to me.

But as I mentioned already, can you please check "show crypto ipsec sa" on both sides, before and after trying a ping.

That should tell us where it is going wrong

Please also clarify from which side you were pinging, and on which side you took those packet-tracers earlier (and was that with the config from your original post or with the config from your previous post) .

I have done reset to factory default valuse and then I have made again all configurations (as the  last configuration I sent to forum) and now I do ping with success but unfortunately I understand why in the  first configuration I could not ping.

Thanks.

-

Salvatore.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: