Cisco Support Community
New Member

Unable to Ping Hosts Through IPSec Tunnel

I have a home lab setup with a PIX 515 running 8.03 code. I have made several changes over the past week, and now when I terminate a VPN connection on the outside interface I am unable to hit any internal resources. My VPN connection is coming from 10.22.254.0/24 and trying to hit internal nodes at 10.22.1.0/24, see below. When I terminate a VPN connection against the inside interface it works, so I take it I'm dealing with a NAT issue? I don't have a clue why Phase 9 is failing :-\ Any help would be great!

-------

access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

nat (inside) 0 access-list nonat

-------

global (outside) 1 interface

-------

access-list split extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

-------

packet-tracer input inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2bb3450, priority=0, domain=permit-ip-option, deny=true

        hits=17005, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x304ae48, priority=12, domain=ipsec-tunnel-flow, deny=true

        hits=17005, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

nat (inside) 0 access-list nonat

nat-control

  match ip inside 10.22.1.0 255.255.255.0 outside 10.22.254.0 255.255.255.0

    NAT exempt

    translate_hits = 6, untranslate_hits = 5

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2be2a00, priority=6, domain=nat-exempt, deny=false

        hits=5, user_data=0x2be2960, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip=10.22.1.0, mask=255.255.255.0, port=0

        dst ip=10.22.254.0, mask=255.255.255.0, port=0

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0

nat-control

  match ip inside 10.22.1.0 255.255.255.0 DMZ any

    static translation to 10.22.1.0

    translate_hits = 10, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2d52800, priority=5, domain=host, deny=false

        hits=21654, user_data=0x2d51dc8, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=10.22.1.0, mask=255.255.255.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

nat-control

  match ip inside any outside any

    dynamic translation to pool 1 (192.168.20.20 [Interface PAT])

    translate_hits = 2909, untranslate_hits = 9

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2d4a7d0, priority=1, domain=nat, deny=false

        hits=16973, user_data=0x2d4a730, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x3328000, priority=70, domain=encrypt, deny=false

        hits=0, user_data=0x1efa0cc, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=10.22.1.0, mask=255.255.255.0, port=0

        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 9

Type: ACCESS-LIST

Subtype: ipsec-user

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x3329a48, priority=69, domain=ipsec-user, deny=true

        hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

29 REPLIES
Silver

Re: Unable to Ping Hosts Through IPSec Tunnel

Could you check up with your vpn filter for the tunnel? It must be within your group-policy with the command vpn-filter value. If it is present, remove the same with the command vpn-filter none.

For more info on vpn-filter:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

I did not configure a VPN filter for this group policy, see below.

group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 4.2.2.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split

I am receiving the following error when I ping into the tunnel, is this not a NAT issue?
3  Jul 27 2010    05:36:54    106014    Deny inbound icmp src outside:10.22.254.51 dst inside:10.22.1.15 (type 8, code 0)

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

It's very strange... If I do a continuous ping to the IP, it will eventually start responding after 10 minutes or so?

------------
c:\>ping 10.22.1.15 /t

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=26ms TTL=127
Reply from 10.22.1.15: bytes=32 time=26ms TTL=127
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=25ms TTL=127
Reply from 10.22.1.15: bytes=32 time=61ms TTL=127
Reply from 10.22.1.15: bytes=32 time=52ms TTL=127
Reply from 10.22.1.15: bytes=32 time=98ms TTL=127

------------
Deny when telnetting to a port:

c:\>telnet 10.22.1.15 3389
Connecting To 10.22.1.15...

------------

2 Jul 27 2010 05:59:15    106001    10.22.254.51    3083    10.22.1.15    3389    Inbound TCP connection denied from 10.22.254.51/3083 to 10.22.1.15/3389 flags SYN  on interface outside

------------

Cisco Employee

Re: Unable to Ping Hosts Through IPSec Tunnel

Can you attach your entire config if it's not a problem? You can mask the public IPs.

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

Thanks for the quick responses!!

Sorry it took so long I had to scrub the config and make a few changes.

Silver

Re: Unable to Ping Hosts Through IPSec Tunnel

Can you post the "show run all group-policy" output?

Re: Unable to Ping Hosts Through IPSec Tunnel

Can you run the following command and post the output:

show run all | grep sysopt

Thanks.

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

Nothing displays.

# show run all | grep sysopt
#

The complete config is listed above.

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

Try configuring ICMP inspection...

policy-map global_policy
class inspection_default
  inspect icmp

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

It is not an inspection rule.  I can't hit any resources on the inside once I terminate my IPSec connection.

c:\>telnet 10.22.1.15 3389
Connecting To 10.22.1.15...

2    Jul 27 2010    12:13:52    106001    10.22.254.51    2936    10.22.1.15    3389    Inbound TCP connection denied from 10.22.254.51/2936 to 10.22.1.15/3389 flags SYN  on interface outside

I added your policy commands and they did not fix the issue.

Re: Unable to Ping Hosts Through IPSec Tunnel

It looks like at phase 9 your traffic is blocked by an ACL.  Your VPN traffic should not be subjected to ACLs.  This command may help you here:

sysopt connection permit-vpn

Here's more on the command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412217

Good luck.

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

I enabled the command and I'm still being denied.

#sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

Can you disable nat-control?

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

#no nat-control

Same issue..

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

What other troubleshooting steps can I perform?  What should I rule out?  I'm leaning towards a NAT issue.  I did some testing on the inside interface of my PIX, when I removed the Exempt NAT policy on the interface with traffic sourcing from 10.22.254.0/24 I received the same deny message below that I was receiving on the outside interface.  This data leads me to believe this is a NAT issue, thoughts?  How do you truly troubleshoot a NAT issue?

Jul 27 2010  18:58:07  106014 Deny inbound icmp src inside:10.22.254.50 dst outside:10.22.1.15 (type 8, code 0)

Silver

Re: Unable to Ping Hosts Through IPSec Tunnel

I am still kinda leaning towards the VPN filter because I have seen the phase 9 drop for VPN filters before. Can you post the output of show run all group-policy? That will have all the settings in the default and other group policies, which I would like to see. It is not present in the show run command which you had posted.

Re: Unable to Ping Hosts Through IPSec Tunnel

I agree that this is probably a filter issue. If you have 'sysopt connection permit-vpn' configured, then your IPSec traffic is ignored by interface ACLs. That leaves the VPN filter ACL as the only ACL in place that can see and drop your traffic. I would look there next as well. Please post the 'sh run all group-policy' as requested by rahgovin.

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

I have tried lo-vpn and DfltGrpPolicy with no luck.

# sh run all group-policy
group-policy test-vpn internal
group-policy test-vpn attributes
dns-server value  4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test-vpn_splitTunnelAcl
group-policy ASA5505-S2S internal
group-policy ASA5505-S2S attributes
vpn-filter value ASA5505-VPN-Filter
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ASA5505-S2S
nem enable
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
group-policy lo-vpn internal
group-policy lo-vpn attributes
dns-server value  4.2.2.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
group-policy group-policy-default internal
group-policy group-policy-default attributes
banner value Welcome to test.com
dns-server value  4.2.2.2
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
re-xauth disable
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value internal.test.com
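Added example (my code, not the thread author's or Cisco's): the reason the thread keeps asking for 'show run all group-policy' rather than plain 'show run' is that a group policy that never mentions vpn-filter inherits the setting from DfltGrpPolicy, so you cannot tell from the named policy alone whether a filter ACL applies. The script below parses that output and resolves the effective vpn-filter per policy. The sample text is a constructed, trimmed excerpt of the output posted above.

```python
"""Resolve the effective vpn-filter of each group policy from
'show run all group-policy' output.

Added example, not the thread's or Cisco's code. Any attribute a named
group policy does not set is inherited from DfltGrpPolicy, so a policy that
never mentions vpn-filter is only filter-free if the default is too.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed excerpt of the output posted in the thread.
SAMPLE = """\
group-policy ASA5505-S2S internal
group-policy ASA5505-S2S attributes
vpn-filter value ASA5505-VPN-Filter
split-tunnel-policy tunnelspecified
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
vpn-filter none
ipv6-vpn-filter none
split-tunnel-policy tunnelall
group-policy group-policy-default internal
group-policy group-policy-default attributes
dns-server value  4.2.2.2
split-tunnel-policy tunnelspecified
"""

ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")
# 'vpn-filter value NAME' or 'vpn-filter none'; the ^ anchor keeps
# 'ipv6-vpn-filter' from matching.
FILTER_RE = re.compile(r"^vpn-filter (?:value (\S+)|(none))$")


def parse_vpn_filters(text: str) -> Dict[str, Optional[str]]:
    """Map policy name -> ACL name, 'none', or None when the policy does not
    set vpn-filter explicitly (i.e. it inherits)."""
    explicit: Dict[str, Optional[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ATTR_RE.match(line):
            current = m.group(1)
            explicit.setdefault(current, None)
        elif current and (m := FILTER_RE.match(line)):
            explicit[current] = m.group(1) or "none"
    return explicit


def effective_vpn_filter(text: str) -> Dict[str, str]:
    """Apply inheritance: an unset vpn-filter takes DfltGrpPolicy's value
    (assumed 'none' when DfltGrpPolicy itself is absent from the output)."""
    explicit = parse_vpn_filters(text)
    default = explicit.get("DfltGrpPolicy") or "none"
    return {name: value if value is not None else default
            for name, value in explicit.items()}


def filtered_policies(text: str) -> List[str]:
    """Policies whose sessions are subject to a vpn-filter ACL."""
    return sorted(n for n, f in effective_vpn_filter(text).items() if f != "none")
```

Run against the full output above, group-policy-default (the policy the vpn-sessiondb output later in the thread shows for the test user) resolves to 'none' because DfltGrpPolicy has 'vpn-filter none', which agrees with the thread's conclusion that the filter was not the cause; ASA5505-S2S is the only policy with a filter. Needs Python 3.8+ for the walrus operator.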

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

What else can I do?

Silver

Re: Unable to Ping Hosts Through IPSec Tunnel

Can you post the output for the sh vpn-sessiondb remote (just the one having your user entry) when you are connected through the vpn client?

Silver

Re: Unable to Ping Hosts Through IPSec Tunnel

Also a show asp table classify domain ipsec-user output if possible

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

Username     : test                   Index        : 1794
Assigned IP  : 10.22.254.51           Public IP    : 66.*.*.*
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : 3DES                   Hashing      : MD5 SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : group-policy-default   Tunnel Group : vpnclient
Login Time   : 06:12:51 UTC Thu Jul 29 2010
Duration     : 0h:00m:45s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none


# show asp table classify domain ipsec-user

Interface DMZ:

Interface inside:

Interface outside:
in  id=0x3402bf8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.15, mask=255.255.255.255, port=0
in  id=0x2d47fb8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.38.1.0, mask=255.255.255.0, port=0
in  id=0x33c7700, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=192.168.5.0, mask=255.255.255.0, port=0
in  id=0x3354cc8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0
in  id=0x2d40888, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.20, mask=255.255.255.255, port=0
in  id=0x343d1e0, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.15, mask=255.255.255.255, port=0
in  id=0x32cd460, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.38.1.0, mask=255.255.255.0, port=0
in  id=0x34a45b0, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=192.168.5.0, mask=255.255.255.0, port=0
in  id=0x3425928, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0
in  id=0x33b24c0, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.20, mask=255.255.255.255, port=0
in  id=0x33749e8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.15, mask=255.255.255.255, port=0
in  id=0x3339ab0, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.38.1.0, mask=255.255.255.0, port=0
in  id=0x332ebc0, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=192.168.5.0, mask=255.255.255.0, port=0
in  id=0x2fc1630, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0
in  id=0x3374be0, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.20, mask=255.255.255.255, port=0
in  id=0x344e5f8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.15, mask=255.255.255.255, port=0
in  id=0x33df148, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.38.1.0, mask=255.255.255.0, port=0
in  id=0x33715a8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=192.168.5.0, mask=255.255.255.0, port=0
in  id=0x2bdc9a8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.254.0, mask=255.255.255.0, port=0
in  id=0x333a918, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=10.22.1.20, mask=255.255.255.255, port=0
in  id=0x3317380, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x34ad298, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x33dee80, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x332e7c8, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.168.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x2faf340, priority=69, domain=ipsec-user, deny=true
        hits=6, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x33c2d90, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x3370b48, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
in  id=0x3336678, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0x2fab9f0, priority=70, domain=ipsec-user, deny=false
        hits=187, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.15, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x333e698, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.38.1.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x34251a8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.5.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3410bd8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.254.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x2fc33a8, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.20, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3440528, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.15, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3444690, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.38.1.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3347730, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.5.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x331abd8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.254.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x333a270, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.20, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x304f948, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.15, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x331ec18, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.38.1.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x2f92f40, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.5.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x331d740, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.254.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x2fcc340, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.20, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x34ad318, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.15, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x334f8a0, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.38.1.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x332f200, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.5.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3391be8, priority=70, domain=ipsec-user, deny=false
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.254.0, mask=255.255.255.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x33670e8, priority=70, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.20, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x2fd1590, priority=69, domain=ipsec-user, deny=true
        hits=10, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3404530, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x2bd17e8, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x330aed8, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3228e48, priority=69, domain=ipsec-user, deny=true
        hits=33, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
out id=0x2f84160, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
out id=0x33c9658, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
out id=0x344db30, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
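Added example, not code from the thread or from Cisco. The 'packet-tracer ... detailed' run in the first post and the 'show asp table classify' dump in this post print classifier rules in the same shape (an 'in|out id=... priority=... domain=... deny=...' header followed by indented hits/src/dst lines), so one parser covers both: it pulls out the rule under the first DROP phase of a packet-tracer run, and it lists the asp-table deny rules whose hit counters are non-zero, which is the quickest way to find the one rule in a long table that is actually dropping traffic. The two samples are constructed, trimmed copies of the output posted in this thread.

```python
"""Pull the dropping rule out of ASA/PIX classifier dumps.

Added example, not the thread's or Cisco's code. Serves both
'packet-tracer ... detailed' output and 'show asp table classify' output,
which share the rule-line format seen in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

RULE_RE = re.compile(r"^(?P<dir>in|out)\s+id=(?P<id>0x[0-9a-f]+),\s*priority=(?P<prio>\d+),"
                     r"\s*domain=(?P<domain>[\w-]+),\s*deny=(?P<deny>true|false)")
HITS_RE = re.compile(r"^hits=(?P<hits>\d+)")
ADDR_RE = re.compile(r"^(?P<which>src|dst) ip=(?P<ip>[\d.]+), mask=(?P<mask>[\d.]+)")
PHASE_RE = re.compile(r"^Phase:\s*(\d+)")
RESULT_RE = re.compile(r"^Result:\s*(ALLOW|DROP)")
IFACE_RE = re.compile(r"^Interface (\S+):")

# Constructed sample: phases 8 and 9 of the packet-tracer run in the first post, trimmed.
PT_SAMPLE = """\
Phase: 8
Result: ALLOW
out id=0x3328000, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x1efa0cc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.22.1.0, mask=255.255.255.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
Phase: 9
Result: DROP
out id=0x3329a48, priority=69, domain=ipsec-user, deny=true
        hits=37, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: a few rules from the 'show asp table classify domain ipsec-user' dump above.
ASP_SAMPLE = """\
Interface DMZ:

Interface outside:
in  id=0x2faf340, priority=69, domain=ipsec-user, deny=true
        hits=6, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
out id=0x2fab9f0, priority=70, domain=ipsec-user, deny=false
        hits=187, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.22.1.15, mask=255.255.255.255, port=0
        dst ip=192.168.168.0, mask=255.255.255.0, port=0
out id=0x3228e48, priority=69, domain=ipsec-user, deny=true
        hits=33, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0
"""


@dataclass
class Rule:
    direction: str
    rule_id: str
    priority: int
    domain: str
    deny: bool
    hits: int = 0
    src: str = ""                      # CIDR, filled from the 'src ip=' line
    dst: str = ""                      # CIDR, filled from the 'dst ip=' line
    interface: Optional[str] = None    # from 'Interface X:' headers (asp table)
    phase: Optional[int] = None        # from 'Phase: N' headers (packet-tracer)


def mask_to_prefix(mask: str) -> int:
    return sum(bin(int(o)).count("1") for o in mask.split("."))


def parse_rules(text: str) -> List[Rule]:
    """A rule header opens a Rule; the indented hits/src/dst lines that
    follow fill in the most recently opened one."""
    rules: List[Rule] = []
    iface = phase = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif m := PHASE_RE.match(line):
            phase = int(m.group(1))
        elif m := RULE_RE.match(line):
            rules.append(Rule(m["dir"], m["id"], int(m["prio"]), m["domain"],
                              m["deny"] == "true", interface=iface, phase=phase))
        elif rules and (m := HITS_RE.match(line)):
            rules[-1].hits = int(m["hits"])
        elif rules and (m := ADDR_RE.match(line)):
            setattr(rules[-1], m["which"], f"{m['ip']}/{mask_to_prefix(m['mask'])}")
    return rules


def dropping_rule(text: str) -> Optional[Rule]:
    """packet-tracer: the rule printed under the first phase whose Result is DROP."""
    phase = drop_phase = None
    for raw in text.splitlines():
        if m := PHASE_RE.match(raw.strip()):
            phase = int(m.group(1))
        elif (m := RESULT_RE.match(raw.strip())) and m.group(1) == "DROP":
            drop_phase = phase
            break
    if drop_phase is None:
        return None
    return next((r for r in parse_rules(text) if r.phase == drop_phase), None)


def deny_rules_with_hits(text: str) -> List[Rule]:
    """asp table: deny rules whose counter is non-zero, i.e. rules that have
    actually dropped something since the counters were last cleared."""
    return [r for r in parse_rules(text) if r.deny and r.hits > 0]
```

Applied to the full dump above, the only deny rules with hits on 'outside' are the two priority-69 entries for 10.0.0.0/8 (one in, one out); the outbound one has the same shape as the phase-9 rule in the original packet-tracer (out, priority 69, any source, destination 10.0.0.0/8, deny). Needs Python 3.8+ for the walrus operator.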

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

I'm transmitting packets TX but the return packets RX never make it back, see attached screen shot of the client.

Silver

Re: Unable to Ping Hosts Through IPSec Tunnel

Hey, just to confirm... your inside network is 10.22.1/24 and the pool is 10.22.254/24?

From what I see in the nonat access-list:

access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

nat (inside) 0 access-list nonat

Please change the access-list to access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0 and test.

Also, after the changes are you getting the same packet tracer output?

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

I have traffic natted in both directions?

# nat (inside) 0 access-list nonat

nat (inside) 0 access-list nonat

#sh access-list nonat | i 10.22.254
access-list nonat line 2 extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

Re: Unable to Ping Hosts Through IPSec Tunnel

No, the nonat ACL only requires defining traffic from the internal network to the

VPN pool.  You should remove the other entries.

Remove:

access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

The following ACL has to be applied when terminating a VPN connection on the inside interface, because the traffic is traversing the inside interface.  Does this make sense?
access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0


The following ACL fixed my issue but I had to completely remove all nonat's and start from scratch to see what the issue was.
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0

In short, removing all nonat's and then adding them back one by one gave me the ability to find out what the exact issue was. The post above did fix my issue!! Thanks everyone!

# sh run | i nonat
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list nonat extended permit ip 10.22.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0

access-list nonat-dmz extended permit ip 192.168.5.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list nonat-dmz extended permit ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat-dmz extended permit ip 192.168.5.0 255.255.255.0 10.22.254.0 255.255.255.0

nat (inside) 0 access-list nonat
nat (DMZ) 0 access-list nonat-dmz
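Added example (my code, not the thread author's or Cisco's): a small checker for the point the accepted answer makes, namely that the ACL behind 'nat (inside) 0 access-list nonat' is written from the inside interface's point of view, inside network as source and VPN pool as destination. It parses the 'sh access-list nonat' lines posted above, labels each ACE by direction relative to the NAT interface, and reports which ACE a given real-address flow matches in the forward direction (the check packet-tracer's NAT-EXEMPT phase prints as 'match ip inside <src> outside <dst>'). The map of which networks sit behind which interface is an assumption taken from the original post; object-group entries are not expanded and are reported as unresolved.

```python
"""Sanity-check the direction of 'nat (IF) 0 access-list' (NAT-exempt) ACEs.

Added example, not the thread's or Cisco's code. The ACE lines are the ones
the original poster got from 'sh access-list nonat'; which networks sit
behind which interface is an assumption taken from the first post.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple, Union

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+)(?: line \d+)? extended permit ip "
    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) "
    r"(?:(?P<dst>[\d.]+) (?P<dmask>[\d.]+)|object-group (?P<grp>\S+))")

Net = ipaddress.IPv4Network

# Constructed topology map (assumption from the first post): real networks
# behind each interface. The VPN pool is reached through 'outside'.
BEHIND: Dict[str, List[Net]] = {
    "inside": [ipaddress.ip_network("10.22.1.0/24")],
    "outside": [ipaddress.ip_network("10.22.254.0/24")],
}

# Constructed sample: the three lines from 'sh access-list nonat | i 10.22.254' above.
SAMPLE_ACL = """\
access-list nonat line 2 extended permit ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list nonat line 8 extended permit ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0
"""


class Ace(NamedTuple):
    src: Net
    dst: Union[Net, str]   # a network, or 'object-group NAME' when not expanded
    text: str


def parse_aces(text: str) -> List[Ace]:
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        # ipaddress accepts the dotted-mask form the firewall prints.
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}")
        dst = (ipaddress.ip_network(f"{m['dst']}/{m['dmask']}") if m["dst"]
               else f"object-group {m['grp']}")
        aces.append(Ace(src, dst, raw.strip()))
    return aces


def is_behind(net: Net, iface: str) -> bool:
    return any(net.subnet_of(n) for n in BEHIND.get(iface, []))


def classify(aces: List[Ace], nat_iface: str) -> List[Tuple[str, str]]:
    """Label each ACE relative to 'nat (nat_iface) 0 access-list ...':
    the source must be a network that lives behind nat_iface."""
    labels = []
    for a in aces:
        if isinstance(a.dst, str):
            labels.append((a.text, "unresolved: object-group not expanded"))
        elif is_behind(a.src, nat_iface):
            labels.append((a.text, f"ok: source is behind {nat_iface}"))
        else:
            labels.append((a.text, f"reversed: source is not behind {nat_iface}"))
    return labels


def matching_ace(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[str]:
    """First ACE a real-address flow src->dst matches in the forward
    direction. None means the flow gets no NAT exemption from this ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if not isinstance(a.dst, str) and s in a.src and d in a.dst:
            return a.text
    return None
```

For the inside interface, line 2 is labelled ok, the object-group line is left unresolved, and the second line-8 entry (pool as source) is labelled reversed; the packet-tracer flow 10.22.1.15 to 10.22.254.15 matches line 2 only. NAT exemption with an access-list also matches the reverse flow (that is what the untranslate_hits counter in the packet-tracer NAT-EXEMPT phase counts), so the single inside-to-pool ACE is enough, and the pool-to-inside entries on the inside interface are the ones the accepted answer says to remove.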

Silver

Re: Unable to Ping Hosts Through IPSec Tunnel

Oh great :-) it was the nat exemption after all....

New Member

Re: Unable to Ping Hosts Through IPSec Tunnel

Yes, it was a NAT exempt policy issue.  I went through and removed all of the NAT entries bound to the inside interface and recreated them one-by-one, which allowed me to narrow down the issue.  Thanks for all of your help!!
