8431 Views, 4 Helpful, 22 Replies

Cannot ping or do not have DNS over site to site vpn tunnel

Michael Romero
Level 1

I have a Cisco 5505 and a TZ170 Sonicwall.

I have an IPSec tunnel up but I cannot ping or run DNS over it. Basically no network resources can be accessed between sites on either side.

Here is my configuration (as created by ASDM which I am growing a distaste for after it has screwed much of my original CLI input). Thanks for any help you can give me.

Router# sho run
: Saved
:
ASA Version 8.2(5)
!
hostname PFDowntown
domain-name golds.local
enable password s4sg6AZKKWez7RdB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.3 Server description dns server
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
 domain-name golds.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network net-local
 network-object 192.168.2.0 255.255.255.0
object-group network net-remote
 network-object 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.0
access-list outside_1_cryptomap extended permit ip interface inside any
access-list outside_1_cryptomap extended permit ip any interface inside
access-list outside_1_cryptomap extended permit ip object-group net-local object-group net-remote
access-list outside_1_cryptomap extended permit ip object-group net-remote object-group net-local
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any eq isakmp
access-list inside_access_in_1 extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list global_mpc extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in_1 in interface inside control-plane
access-group outside_access_in in interface outside
!
router rip
 network 192.168.0.0
!
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client update dns server both
dhcpd auto_config outside
!
dhcpd address 192.168.2.50-192.168.2.100 inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside
dhcpd domain golds.local interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-filter value inside_nat0_outbound
 vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec
username admin password Rras1ufhYNBlonui encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key xxxxxx
 peer-id-validate nocheck
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx general-attributes
 default-group-policy GroupPolicy1
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
 isakmp keepalive disable
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
tunnel-group-map default-group xx.xx.xx.xx
!
class-map global-class
 match access-list global_mpc
!
!
policy-map global-policy
 class global-class
  inspect icmp
!
service-policy global-policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:6782a2577ba1b1b11aaf4b617752a3b6
: end
Router#

22 Replies

Thank you for trying the ping from a PC. I believe that we should check on the possibility that there is some mismatch in the VPN config between the ASA and the Sonicwall. Can you get the details of the VPN configuration from the Sonicwall?

Another possible thing to do would be to run debug for IPSec, try the ping, and post the debug output. Perhaps there would be something there that would point out the issue.

HTH

Rick

Sorry for the delay; I had some phone switching nightmares for a while, but now I am back to solving this issue, as it has become a sore point for us (can't access their files on the server each day over the VPN tunnel). It seems to be an ACL rule that is preventing it from leaving the ASA. However, I can see that rule in the ASDM but cannot find it in the configuration in CLI: the inside is not permitting traffic to the outside (any any deny), which is an implicit rule... but what globally is this inheriting from? Not sure... ASDM is sometimes more confusing than CLI, but to its credit the packet tracer allowed me to see which ACL was dropping my packets. Any help would be appreciated.

Ok, after working on this a little I have reconfigured the NAT section, which allowed me to start pinging IP addresses. I can also browse by IP, i.e., \\192.168.0.3, but I cannot ping or browse by hostname, i.e., \\server, so I revised the DHCP server to include the DNS server 192.168.0.3 and renewed the IP, and ipconfig /all reports the change. I also restarted the PC and still cannot resolve... getting closer. Thanks for all your help on this!

Michael

P.S. Packet tracer in ASDM still has the same issue...drops packet at implicit deny rule, nothing ahead stops that???? Weird to be able to ping through that and browse by IP through that???

UPDATE: I can ping fqdn from DNS server 192.168.0.3 to .2.50 network. Just not the other way around....soooo close!

UPDATE: I can now ping hostnames on both sides of VPN, however, cannot browse the network on either side. I can map drives etc. by hostname or ip...

Thanks for any help anyone can give on this....know I am missing something here. At this point probably opened up the router too much trying to get this far.

Thanks

Michael
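Rick's earlier suggestion was to look for a mismatch in the VPN definitions, and the pinging problem in this thread went away once the NAT section was reworked. One thing that can be checked mechanically on the configuration in the original post is whether the NAT-exemption ACL referenced by `nat (inside) 0` covers the same source/destination pairs as the crypto-map ACL: on ASA 8.2 with `nat-control`, traffic from the inside that is not matched by a nat 0 entry is translated by `nat (inside) 1` / `global (outside) 1 interface` before the crypto map evaluates it, so it no longer matches the interesting-traffic ACL and never enters the tunnel. The Python script below is an added example, not code from the thread or from Cisco. It parses a constructed excerpt of the posted configuration (inside interface address, object groups, the nat 0 ACL and the crypto-map ACL; the crypto entries using `interface inside`/`any` are left out because the small parser does not handle them) and reports, for each outbound crypto-map entry, whether a nat 0 entry exempts it. `FIXED_CONFIG`, in which the `host 192.168.0.0` operand is replaced by the /24 mask, is an assumption about what a matching exemption looks like; the thread does not say what the poster actually changed.

```python
"""Compare an ASA 8.2 crypto-map ACL with its NAT-exemption (nat 0) ACL.

Added example for this thread; not code from the original post or from
Cisco. The configuration excerpt below is constructed from the lines the
poster shared, reduced to what the check needs.
"""
import ipaddress
import re

# Constructed excerpt of the posted ASA 8.2(5) configuration. The crypto
# ACL entries that use "interface inside"/"any" are omitted; this parser
# handles only network/mask, host, any and object-group operands.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
object-group network net-local
 network-object 192.168.2.0 255.255.255.0
object-group network net-remote
 network-object 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.0
access-list outside_1_cryptomap extended permit ip object-group net-local object-group net-remote
access-list outside_1_cryptomap extended permit ip object-group net-remote object-group net-local
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address outside_1_cryptomap
"""

# Assumed correction: exempt the whole remote /24 rather than a single
# host. The thread does not state what the poster actually changed.
FIXED_CONFIG = ASA_CONFIG.replace("host 192.168.0.0", "192.168.0.0 255.255.255.0")

ANY = [ipaddress.ip_network("0.0.0.0/0")]


def parse_object_groups(cfg):
    """Map object-group name -> list of ip_network members."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r" network-object (\S+) (\S+)", line)
        if current and m:
            net = f"{m.group(2)}/32" if m.group(1) == "host" else f"{m.group(1)}/{m.group(2)}"
            groups[current].append(ipaddress.ip_network(net, strict=False))
        elif not line.startswith(" "):
            current = None  # an unindented line ends the object-group block
    return groups


def take_operand(tokens, groups):
    """Consume one ACE address operand; return (networks, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]


def parse_acl(cfg, name, groups):
    """Return (src, dst) network pairs for every 'permit ip' ACE of the ACL."""
    pairs = []
    for line in cfg.splitlines():
        m = re.match(rf"access-list {re.escape(name)} extended permit ip (.+)", line)
        if not m:
            continue
        src, rest = take_operand(m.group(1).split(), groups)
        dst, _ = take_operand(rest, groups)
        pairs.extend((s, d) for s in src for d in dst)
    return pairs


def inside_network(cfg):
    """Subnet of the interface whose nameif is 'inside'."""
    lines = cfg.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "nameif inside":
            for nxt in lines[i + 1:]:
                m = re.match(r" ip address (\S+) (\S+)", nxt)
                if m:
                    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    raise ValueError("no 'nameif inside' interface with an ip address")


def check_nat_exemption(cfg):
    """For each outbound crypto-map ACE, report whether a nat 0 ACE exempts it.

    Returns a list of (src, dst, exempted) tuples.
    """
    groups = parse_object_groups(cfg)
    crypto_name = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    nat0_name = re.search(r"nat \(inside\) 0 access-list (\S+)", cfg).group(1)
    crypto = parse_acl(cfg, crypto_name, groups)
    nat0 = parse_acl(cfg, nat0_name, groups)
    inside = inside_network(cfg)
    report = []
    for s, d in crypto:
        if not s.subnet_of(inside):
            continue  # return-direction ACE; exemption is judged on traffic leaving inside
        exempt = any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)
        report.append((str(s), str(d), exempt))
    return report


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG), ("assumed fix", FIXED_CONFIG)):
        for src, dst, ok in check_nat_exemption(cfg):
            verdict = "exempt from NAT" if ok else "NOT exempt: translated by nat (inside) 1 before the crypto map"
            print(f"{label}: {src} -> {dst}: {verdict}")
```

Run as-is, the "as posted" pass reports the 192.168.2.0/24 to 192.168.0.0/24 pair as not exempt, because the nat 0 entry only names `host 192.168.0.0`, a single /32; the "assumed fix" pass reports it as exempt. The same comparison can be applied to the Sonicwall side by hand: its local and remote network objects have to mirror the ASA's `net-local`/`net-remote` pair exactly, which is the mismatch Rick asked about.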

Michael

I am glad that you can now ping hostnames on both sides and can map drives by name or by IP. When you say that you cannot browse the network on either side, are we talking about a web browser to a server on the other side or something else?

HTH

Rick