
TOPIC: Why am I not able to ping the Cisco LAN interface through IPsec?

Why am I not able to ping the Cisco LAN interface through IPsec? 5 years 9 months ago #36236

  • eldo
  • New Member
  • Posts: 7
  • Karma: 0
Hello guys, can anybody help?
Why am I not able to ping the Cisco LAN interface through IPsec?
Ping to the PC behind the LAN interface is working fine...


HQ site ASA5510 config
##############################

ASA Version 8.0(4)

interface Ethernet0/0
description Rainside connectivity
nameif outside
security-level 0
ip address 212.89.236.x 255.255.255.240
ospf cost 10

interface Ethernet0/1.2
vlan 200
nameif ds_dmz
security-level 10
ip address 10.16.1.1 255.255.255.240
ospf cost 10

access-list ds_dmz_access_in extended permit icmp any any

access-list cust extended permit udp host 10.16.1.4 10.4.1.8 255.255.255.248

global (outside) 1 interface

nat (ds_dmz) 0 access-list ds_dmz_nat0_outbound

nat (ds_dmz) 1 10.16.1.0 255.255.255.0
nat (ds_dmz) 1 10.16.1.0 255.255.255.0 outside

access-group ds_dmz_access_in in interface ds_dmz

route outside 0.0.0.0 0.0.0.0 212.89.236.x 1 track 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 8 match address cust
crypto map outside_map 8 set peer 194.228.44.x
crypto map outside_map 8 set transform-set ESP-3DES-SHA
crypto map outside_map 8 set security-association lifetime seconds 28800
crypto map outside_map 8 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 194.228.44.x type ipsec-l2l
tunnel-group 194.228.44.x ipsec-attributes
pre-shared-key *



Cust site ASA5505 config
##############################

ASA Version 8.2(1)

interface Vlan1
nameif inside
security-level 100
ip address 10.4.1.9 255.255.255.248

interface Vlan2
nameif outside
security-level 0
ip address 194.228.44.x 255.255.255.224


access-list outside_cryptomap_1 extended permit ip 10.4.1.8 255.255.255.248 host 10.16.1.4

icmp permit any inside
icmp permit any outside

arp timeout 14400
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 194.228.44.x 1

crypto map outside_map0 2 set peer 212.89.236.x
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 interface outside

crypto isakmp identity hostname
crypto isakmp enable outside

crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

dhcpd auto_config outside

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group 212.89.236.x type ipsec-l2l
tunnel-group 212.89.236.x ipsec-attributes
pre-shared-key *




ICMP Ping from Customer - eth0/1 - 10.4.1.9 - doesn't work
#############################

ASA5505# packet-tracer input inside icmp 10.4.1.9 0 0 10.16.1.4 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9581e20, priority=500, domain=permit, deny=true
hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.4.1.9, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


ASA5505# sh logging asdm

2|Feb 08 2011 17:36:41|106016: Deny IP spoof from (10.4.1.9) to 10.16.1.4 on interface inside
5|Feb 08 2011 17:36:42|111008: User 'dsadmin' executed the 'packet-tracer input inside icmp 10.4.1.9 0 0 10.16.1.4 detailed' command.




ICMP Ping from Customer - PC - 10.4.1.10 - working correctly
#############################



ASA5505# packet-tracer input inside icmp 10.4.1.10 0 0 10.16.1.4 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc957d690, priority=0, domain=permit-ip-option, deny=true
hits=130015, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc957cd30, priority=66, domain=inspect-icmp-error, deny=false
hits=25417, user_data=0xc957cc28, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc95c7a88, priority=0, domain=host-limit, deny=false
hits=129967, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc92393c8, priority=70, domain=encrypt, deny=false
hits=161, user_data=0x30b44f4, cs_id=0xc9e7e738, reverse, flags=0x0, protocol=0
src ip=10.4.1.8, mask=255.255.255.248, port=0
dst ip=10.16.1.4, mask=255.255.255.255, port=0, dscp=0x0

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 482802, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


ASA5505# sh logging asdm

6|Feb 08 2011 17:38:24|302020: Built outbound ICMP connection for faddr 10.16.1.4/0 gaddr 10.4.1.10/0 laddr 10.4.1.10/0
5|Feb 08 2011 17:38:25|111008: User 'dsadmin' executed the 'packet-tracer input inside icmp 10.4.1.10 0 0 10.16.1.4 detailed' command.
6|Feb 08 2011 17:38:26|302021: Teardown ICMP connection for faddr 10.16.1.4/0 gaddr 10.4.1.10/0 laddr 10.4.1.10/0



ICMP ping from HQ - server - 10.16.1.4 to cust eth0/1 10.4.1.9 - doesn't work
#############################

eldo@server:~$ ping 10.4.1.9
PING 10.4.1.9 (10.4.1.9) 56(84) bytes of data.
^C
--- 10.4.1.9 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms


ICMP ping from HQ - server - 10.16.1.4 to cust PC 10.4.1.10 - works
#############################


eldo@server:~$ ping 10.4.1.10
PING 10.4.1.10 (10.4.1.10) 56(84) bytes of data.
64 bytes from 10.4.1.10: icmp_seq=1 ttl=128 time=12.8 ms
64 bytes from 10.4.1.10: icmp_seq=2 ttl=128 time=12.8 ms
64 bytes from 10.4.1.10: icmp_seq=3 ttl=128 time=12.6 ms
^C
--- 10.4.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 12.680/12.803/12.897/0.129 ms

Re: Why am I not able to ping the Cisco LAN interface through IPsec? 5 years 9 months ago #36238

  • eldo
  • New Member
  • Posts: 7
  • Karma: 0

Re: Why am I not able to ping the Cisco LAN interface through IPsec? 5 years 9 months ago #36245

  • slyride
  • New Member
  • Posts: 1
  • Karma: 0
Hello,
You may need to add

    management-access inside

in global config mode on the ASA you are trying to ping.
HTH
s-
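The fix from the reply above, written out against the customer-site ASA5505 in the thread, as an added example that is not part of the original post or of slyride's reply. Interface names and addresses are the ones in the posted configs; the tightened icmp rule and the ping and packet-tracer verification lines are steps assumed here, not commands or output taken from the thread.

```text
! Customer-site ASA5505, global configuration mode.
!
! Without this line the ASA will not answer traffic addressed to its own
! inside interface (10.4.1.9) when that traffic arrives on the outside
! interface through the site-to-site tunnel, and it will not source its own
! inside-interface traffic into the tunnel either. Only one interface per
! ASA can be designated as the management-access interface.
management-access inside

! The posted config has "icmp permit any inside". Once management-access
! exposes the inside address to the far end of the tunnel, scope the ICMP
! terminating at that interface to the one HQ host that needs it.
no icmp permit any inside
icmp permit host 10.16.1.4 inside

! The interface address must be covered by the crypto ACL on both peers.
! Here 10.4.1.9 falls inside 10.4.1.8/29 (outside_cryptomap_1 on the 5505,
! access-list cust on the 5510), so no change to interesting traffic is needed.

! Verification from the 5505 CLI:
show running-config management-access
! Echo sourced from the inside interface address, across the tunnel:
ping inside 10.16.1.4
! Simulate the decrypted echo from the HQ server to the inside address:
packet-tracer input outside icmp 10.16.1.4 8 0 10.4.1.9 detailed
```

Two caveats. management-access also makes the inside address reachable for SSH, ASDM/HTTPS and SNMP from across the VPN, so keep the `ssh`, `http` and `snmp-server host` lists restricted to the hosts that should manage the box. And the same command on the HQ ASA5510 (`management-access ds_dmz`) would not by itself make 10.16.1.1 pingable from the customer side: the crypto ACLs on both peers only protect 10.16.1.4, so the 5510's interface address would also have to be added to the interesting traffic.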

Re: Why am I not able to ping the Cisco LAN interface through IPsec? 5 years 9 months ago #36263

  • eldo
  • New Member
  • Posts: 7
  • Karma: 0
Hello,
You may need to add

    management-access inside

in global config mode on the ASA you are trying to ping.
HTH
s-


MANY THANKS! This is it ;)
