Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cannot ping or do not have DNS over site to site vpn tunnel

                  I have a Cisco 5505 and a TZ170 Sonicwall.

I have an IPSec tunnel up but I cannot ping or run DNS over it. Basically no network resources can be accessed between sites on either side.

Here is my configuration (as created by ASDM which I am growing a distaste for after it has screwed much of my original CLI input). Thanks for any help you can give me.

Router# sho run

: Saved

:

ASA Version 8.2(5)

!

hostname PFDowntown

domain-name golds.local

enable password s4sg6AZKKWez7RdB encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.0.3 Server description dns server

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address xx.xx.xx.xx255.255.255.252

!

ftp mode passive

dns server-group DefaultDNS

domain-name golds.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network net-local

network-object 192.168.2.0 255.255.255.0

object-group network net-remote

network-object 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip 192.168.2.0 255.255.255.0

host 192.168.0.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 ho

st 192.168.0.0

access-list outside_1_cryptomap extended permit ip interface inside any

access-list outside_1_cryptomap extended permit ip any interface inside

access-list outside_1_cryptomap extended permit ip object-group net-local object

-group net-remote

access-list outside_1_cryptomap extended permit ip object-group net-remote objec

t-group net-local

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit udp any any eq isakmp

access-list inside_access_in_1 extended permit ip any any

access-list outside_access_in extended permit icmp any any

access-list global_mpc extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 0 access-list inside_nat0_outbound outside

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in_1 in interface inside control-plane

access-group outside_access_in in interface outside

!

router rip

network 192.168.0.0

!

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection preserve-vpn-flows

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer xx.xx.xx.xx

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set reverse-route

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

crypto isakmp identity address

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

crypto isakmp ipsec-over-tcp port 10000

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcp-client update dns server both

dhcpd auto_config outside

!

dhcpd address 192.168.2.50-192.168.2.100 inside

dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside

dhcpd domain golds.local interface inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-filter value inside_nat0_outbound

vpn-tunnel-protocol IPSec

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol IPSec

username admin password Rras1ufhYNBlonui encrypted

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key xxxxxx

peer-id-validate nocheck

tunnel-group xx.xx.xx.xxtype ipsec-l2l

tunnel-group xx.xx.xx.xxgeneral-attributes

default-group-policy GroupPolicy1

tunnel-group xx.xx.xx.xxipsec-attributes

pre-shared-key *****

peer-id-validate nocheck

isakmp keepalive disable

no tunnel-group-map enable ou

no tunnel-group-map enable ike-id

tunnel-group-map default-group xx.xx.xx.xx

!

class-map global-class

match access-list global_mpc

!

!

policy-map global-policy

class global-class

inspect icmp

!

service-policy global-policy global

prompt hostname context

call-home reporting anonymous

Cryptochecksum:6782a2577ba1b1b11aaf4b617752a3b6

: end

Router#

Everyone's tags (6)
22 REPLIES
New Member

Cannot ping or do not have DNS over site to site vpn tunnel

Correction: TZ180 Standard Sonicwall on the other end. However, two Sonicwalls were working fine before I added the ASA5505 at the other end. Packet Tracer in ASDM tells me it is getting stuck at the firewall rules where the built in "any any deny" is stopping it from flowing out. However, I do not find those rules in my cli...??? So I have configured new ones fot permit traffic from one to the other. However, they are two different subnets and the site to site VPN is able to tunnel but not move traffic across to the other side...still. Not sure what I am doing wrong. It would seem that this shouldnt be this difficult.

Thanks for any help you could give.

Hall of Fame Super Silver

Cannot ping or do not have DNS over site to site vpn tunnel

Michael

There are several things that I wonder about in the config. Probably the most serious is your configuration of nat0 on the inside interface. Why do you have two nat0 commands? And why do both of them use a host for the destination instead of a network?

access-list inside_nat0_outbound_1 extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.0

What you have got here will result in the ASA doing address translation of traffic going through the VPN and is likely the reason why no traffic goes through. So my first suggestion would be to simplify to one nat0 and having it look something like this

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

I also suggest that you remove these lines from the crypto ACL

access-list outside_1_cryptomap extended permit ip interface inside any

access-list outside_1_cryptomap extended permit ip any interface inside

and I question why this line is in the crypto ACL

access-list outside_1_cryptomap extended permit ip object-group net-remote object-group net-local

In setting up site to site VPN the crypto ACL on each side should mirror the ACL on the other side and keeping extraneous entries out of the ACL will simplify accomplishing this.

While I do not think that it impacts the VPN I will suggest that since you are not using this ACL that it should be removed from the config.

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit udp any any eq isakmp

And I find your outside ACL to be quite strange

access-list outside_access_in extended permit icmp any any

I do not think that it impacts the VPN but suggest that you might want to permit more than just ICMP traffic.

HTH

Rick

New Member

Re: Cannot ping or do not have DNS over site to site vpn tunnel

I added the nat command you suggested. However when I removed the command...

       access-list outside_1_cryptomap extended permit ip interface inside any, I lost my remote connection into the network...have to go down to site physically tomorrow and reboot to startup config...

New Member

Re: Cannot ping or do not have DNS over site to site vpn tunnel

Here is the config with the changes...I did permit ip, udp, and tcp outside traffic as well that may not be reflected in here. However, still cannot ping or resolve dns to see my network and domain.

Thanks for all your help...I have been dealing with this for 3 weeks!

User Access Verification

Password:
Type help or '?' for a list of available commands.
PFDowntown> enable
Password: **************
PFDowntown# sho run
: Saved
:
ASA Version 8.2(5)
!
hostname PFDowntown
domain-name golds.local
enable password s4sg6AZKKWez7RdB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.3 Server description dns server
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
domain-name golds.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network net-local
network-object 192.168.2.0 255.255.255.0
object-group network net-remote
network-object 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 19
2.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group net-local object
-group net-remote
access-list outside_1_cryptomap extended permit ip object-group net-remote objec
t-group net-local
access-list inside_access_in_1 extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list global_mpc extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in_1 in interface inside control-plane
access-group outside_access_in in interface outside
!
router rip
network 192.168.0.0
!
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA

quit
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client update dns server both
dhcpd auto_config outside
!
dhcpd address 192.168.2.50-192.168.2.100 inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside
dhcpd domain golds.local interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value inside_nat0_outbound
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
username admin password Rras1ufhYNBlonui encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx general-attributes
default-group-policy GroupPolicy1
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
tunnel-group-map default-group xx.xx.xx.xx
!
class-map global-class
match access-list global_mpc
!
!
policy-map global-policy
class global-class
  inspect icmp
!
service-policy global-policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:79078712b2dcc28a1c653dbbb42d825f
: end

--

Hall of Fame Super Silver

Cannot ping or do not have DNS over site to site vpn tunnel

Thanks for posting the updated config. Since you seem to be able to login to the ASA again do I assume that you were able to resolve the problem that you mentioned in your previous post?

One issue that I see is in this route statement

route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled

You are routing through the inside interface but the next hop that you specify is in the remote network. And I see a similar issue in your configuration of rip

router rip
network 192.168.0.0

If you address these and still have I problem then I suggest that (as a test) you remove this line from the config and let us know if it makes a difference

vpn-filter value inside_nat0_outbound

HTH

Rick

New Member

Cannot ping or do not have DNS over site to site vpn tunnel


I thought about these route statements as well. Should I remove the one or change it? What about the rip statement?

router rip

network 0.0.0.0

Thanks for helping us on this forum...sure is nice to have experienced people help you through the tough issues.

Hall of Fame Super Silver

Cannot ping or do not have DNS over site to site vpn tunnel

It is easier to look at the config and to find things that are inconsistent with what is in the config. That is how I identified these two problems. It is a bit more difficult to know what to do about them without knowing more about the network to which you are connected.

As far as the first prblem of

route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled

the tunneled routes are typically used with Remote Access VPN. The config indicates that you are not running Remote Access VPN. If that is correct then just remove this line.

As far as network 0.0.0.0 under router rip is concerned, the result of using this would be that you would run rip on the outside interface as well as the inside interface. Unless there are things that you have not yet told us, I believe that running rip on the outside interface would be pretty bad and I suggest that you not do this.

I would suggest that the first question should be do you really need to run rip on this ASA? Perhaps the best way to answer this would be for you to tell us whether there is a router connected to the 192.168.2.0 network to share rip updates and are there other networks/subnets that the router knows about and that it needs to advertise to the ASA. If there is then you probably do need router rip and need to find an appropriate network statement. If there is no router connected through the inside interface and no other network/subnets that the ASA needs to learn then you do not need router rip at all.

HTH

Rick

New Member

Cannot ping or do not have DNS over site to site vpn tunnel

Hi Rick,

The scenario is that I have one corporate site, 3 remote sites. All are needing to connect site-to-site vpn tunnel with DNS capabilities for accessing servers at corporate, they previously had sonicwalls configured as VPN and moving toward Cisco. Corporate will eventually get a 5510 installed, but for now the ASA5505 at each site is being installed to connect to a sonicwall TZ180.

There will be an eventual need for them to be a part of the same network through VPN and intercommunication will be essential. However for now inside network at corporate is 192.168.0.1 and all remote sites are 2.1, 20.1, and 200.1. All with varying service providers according to area.

There are no other routers other than these ASA firewalls on any of the subnets that are routing. (other than internal wireless access points).

So if my understanding is correct, no I am not running Remote Access VPN but Site-to-Site VPN...so I will remove this statement. Also, I have no need that I can think of for running RIP on outside interface at this point as it is just a simple firewall to firewall routing scenario with VPN tunnels, no routers behind ASA's at all....so I will remove this statement.

Still not sure why ping or DNS is not working through tunnel. I cannot get to my DNS server by ip or name resolution.

Hall of Fame Super Silver

Cannot ping or do not have DNS over site to site vpn tunnel

So do go ahead and remove both the route tunneled and the router rip statements. I am not optimistic that it will fix your problem but it will remove some issues of incompatibility in the configuration. If ping still does not work and if DNS still does not work then please provide some details of these problems:

- for ping what ip address is initiating the ping and what address is it attempting to ping.

- for DNS where is the server, where is the client? I see that in the configuration of DHCP that some DNS server is specified - is this the one that does not work? Id so we will need some detail about where it is (dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside in the config does not give us much to work with).

HTH

Rick

New Member

Cannot ping or do not have DNS over site to site vpn tunnel

I am attempting to ping from the ASA 192.168.2.1 to the DNS server 192.168.0.3 accross the tunnel. DHCP for this remote site comes from the ASA. DHCP for the Corporate site 0.1 is done by the DNS server for that local subnet. DNS server is at corporate location and client is at remote location. Yes, the DNS server that is specified is the one that is not working for this remote site. I don't need DNS from the router only from the server at a remote location (corp).

RIP and route tunneled have both been removed. Thanks for your reply.

Hall of Fame Super Silver

Cannot ping or do not have DNS over site to site vpn tunnel

Can you verify that the VPN tunnel is being established correctly from the ASA to the Sonicwall? Can you post the output of the show command for the IPSec Security Associations?

HTH

Rick

New Member

Cannot ping or do not have DNS over site to site vpn tunnel

PFDowntown(config)# show ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: xx.xx.xx.74

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255
.0 192.168.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: xx.xx.xx.65

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12432, #pkts decrypt: 12432, #pkts verify: 12432
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: xx.xx.xx.74, remote crypto endpt.: xx.xx.xx.65

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1F0AA8CB
current inbound spi : 2EB562AA

inbound esp sas:
spi: 0x2EB562AA (783639210)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 106496, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 16023
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x1F0AA8CB (520792267)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 106496, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 16022
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Hall of Fame Super Silver

Cannot ping or do not have DNS over site to site vpn tunnel

Thank you for the additional information. I believe that these 2 lines are key in understanding what is going on

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12432, #pkts decrypt: 12432, #pkts verify: 12432

These indicate that you are receiving data over the tunnel but are not sending any data over the tunnel. It is not clear what is causing this but I suspect that there may be some mismatch between your ASA and the corporate Sonicwall. What happens if you attempt to ping 192.168.0.3 from a PC connected in the LAN of the ASA?

HTH

Rick

New Member

Cannot ping or do not have DNS over site to site vpn tunnel

Request times out...

Hall of Fame Super Silver

Cannot ping or do not have DNS over site to site vpn tunnel

Thank you for trying the ping from a PC. I believe that we should check on the possibility that there is some mismatch in the VPN config between the ASA and the Sonicwall. Can you get the details of the VPN configuration from the Sonicwall?

Another possibile thing to do would be to run debug for IPSec, try the ping, and post the debug output. Perhaps there would be something there that would point out the issue.

HTH

Rick

New Member

Cannot ping or do not have DNS over site to site vpn tunnel

Sorry for the delay had some phone switching nightmares for awhile but now I am back to solving this issue as it has become a sore point for us. (cant access their files on the server each day over vpn tunnel) It seems to be an ACL rule that is preventing it from leaving the ASA. However, I can see that rule in the ASDM but cannot find it in the configuration in CLI, the inside is not permitting traffic to the outside (any any deny) which is an implicit rule....but what globally is this inheriting from? Not sure...ASDM is sometimes more confusing than CLI but to its credit the packet tracer allowed me to see which ACL was dropping my packets. Any help would be appreciated.

New Member

Cannot ping or do not have DNS over site to site vpn tunnel

New Member

Cannot ping or do not have DNS over site to site vpn tunnel

Ok, after working on this a little I have reconfigured the NAT section which allowed me to start pinging ip addresses. I can also browse by ip i.e, \\192.168.0.3 but I cannot ping or browse by hostname i.e.,\\server so I revised the DHCP Server to include the DNS server 192.168.0.3 and renewed ip and ipconfig /all reports the change. I also restarted the PC and still cannot resolve...getting closer. Thanks for all your help on this!

Michael

New Member

Cannot ping or do not have DNS over site to site vpn tunnel

P.S. Packet tracer in ASDM still has the same issue...drops packet at implicit deny rule, nothing ahead stops that???? Weird to be able to ping through that and browse by IP through that???

New Member

Cannot ping or do not have DNS over site to site vpn tunnel

UPDATE: I can ping fqdn from DNS server 192.168.0.3 to .2.50 network. Just not the other way around....soooo close!

New Member

Cannot ping or do not have DNS over site to site vpn tunnel

UPDATE: I can now ping hostnames on both sides of VPN, however, cannot browse the network on either side. I can map drives etc. by hostname or ip...

Thanks for any help anyone can give on this....know I am missing something here. At this point probably opened up the router too much trying to get this far.

Thanks

Michael

Hall of Fame Super Silver

Cannot ping or do not have DNS over site to site vpn tunnel

Michael

I am glad that you can now ping hosthames on both sides and can map drives by name or by ip. When you say that you can not browse the network on either side are we talking about a web browser to a server on the other side or something else?

HTH

Rick

6824
Views
4
Helpful
22
Replies
CreatePlease to create content