Why I'm not able to ping Cisco LAN interface through IPSEC?
13 years 9 months ago #36236
by eldo
Hello guys, can anybody help?
Why I'm not able to ping Cisco LAN interface through IPSEC?
Ping to PC behind the LAN interface is working fine...
HQ site ASA5510 config
##############################
ASA Version 8.0(4)
interface Ethernet0/0
description Rainside connectivity
nameif outside
security-level 0
ip address 212.89.236.x 255.255.255.240
ospf cost 10
interface Ethernet0/1.2
vlan 200
nameif ds_dmz
security-level 10
ip address 10.16.1.1 255.255.255.240
ospf cost 10
access-list ds_dmz_access_in extended permit icmp any any
access-list cust extended permit udp host 10.16.1.4 10.4.1.8 255.255.255.248
global (outside) 1 interface
nat (ds_dmz) 0 access-list ds_dmz_nat0_outbound
nat (ds_dmz) 1 10.16.1.0 255.255.255.0
nat (ds_dmz) 1 10.16.1.0 255.255.255.0 outside
access-group ds_dmz_access_in in interface ds_dmz
route outside 0.0.0.0 0.0.0.0 212.89.236.x 1 track 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 8 match address cust
crypto map outside_map 8 set peer 194.228.44.x
crypto map outside_map 8 set transform-set ESP-3DES-SHA
crypto map outside_map 8 set security-association lifetime seconds 28800
crypto map outside_map 8 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 194.228.44.x type ipsec-l2l
tunnel-group 194.228.44.x ipsec-attributes
pre-shared-key *
Cust site ASA5505 config
##############################
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 10.4.1.9 255.255.255.248
interface Vlan2
nameif outside
security-level 0
ip address 194.228.44.x 255.255.255.224
access-list outside_cryptomap_1 extended permit ip 10.4.1.8 255.255.255.248 host 10.16.1.4
icmp permit any inside
icmp permit any outside
arp timeout 14400
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 194.228.44.x 1
crypto map outside_map0 2 set peer 212.89.236.x
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
dhcpd auto_config outside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 212.89.236.x type ipsec-l2l
tunnel-group 212.89.236.x ipsec-attributes
pre-shared-key *
ICMP Ping from Customer - eth0/1 - 10.4.1.9 - doesn't work
#############################
ASA5505# packet-tracer input inside icmp 10.4.1.9 0 0 10.16.1.4 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9581e20, priority=500, domain=permit, deny=true
hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.4.1.9, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA5505# sh logging asdm
2|Feb 08 2011 17:36:41|106016: Deny IP spoof from (10.4.1.9) to 10.16.1.4 on interface inside
5|Feb 08 2011 17:36:42|111008: User 'dsadmin' executed the 'packet-tracer input inside icmp 10.4.1.9 0 0 10.16.1.4 detailed' command.
ICMP Ping from Customer - PC - 10.4.1.10 - working correctly
#############################
ASA5505# packet-tracer input inside icmp 10.4.1.10 0 0 10.16.1.4 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc957d690, priority=0, domain=permit-ip-option, deny=true
hits=130015, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc957cd30, priority=66, domain=inspect-icmp-error, deny=false
hits=25417, user_data=0xc957cc28, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc95c7a88, priority=0, domain=host-limit, deny=false
hits=129967, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc92393c8, priority=70, domain=encrypt, deny=false
hits=161, user_data=0x30b44f4, cs_id=0xc9e7e738, reverse, flags=0x0, protocol=0
src ip=10.4.1.8, mask=255.255.255.248, port=0
dst ip=10.16.1.4, mask=255.255.255.255, port=0, dscp=0x0
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 482802, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA5505# sh logging asdm
6|Feb 08 2011 17:38:24|302020: Built outbound ICMP connection for faddr 10.16.1.4/0 gaddr 10.4.1.10/0 laddr 10.4.1.10/0
5|Feb 08 2011 17:38:25|111008: User 'dsadmin' executed the 'packet-tracer input inside icmp 10.4.1.10 0 0 10.16.1.4 detailed' command.
6|Feb 08 2011 17:38:26|302021: Teardown ICMP connection for faddr 10.16.1.4/0 gaddr 10.4.1.10/0 laddr 10.4.1.10/0
ICMP ping from HQ - server - 10.16.1.4 to cust eth0/1 10.4.1.9 - doesn't work
#############################
eldo@server:~$ ping 10.4.1.9
PING 10.4.1.9 (10.4.1.9) 56(84) bytes of data.
^C
--- 10.4.1.9 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
ICMP ping from HQ - server - 10.16.1.4 to cust PC 10.4.1.10 - works
#############################
eldo@server:~$ ping 10.4.1.10
PING 10.4.1.10 (10.4.1.10) 56(84) bytes of data.
64 bytes from 10.4.1.10: icmp_seq=1 ttl=128 time=12.8 ms
64 bytes from 10.4.1.10: icmp_seq=2 ttl=128 time=12.8 ms
64 bytes from 10.4.1.10: icmp_seq=3 ttl=128 time=12.6 ms
^C
--- 10.4.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 12.680/12.803/12.897/0.129 ms
13 years 9 months ago #36238
by eldo
Replied by eldo on topic Re: Why I'm not able to ping Cisco LAN interface through IPSEC?
13 years 9 months ago #36245
by slyride
Replied by slyride on topic Re: Why I'm not able to ping Cisco LAN interface through IPSEC?
Hello,
You may need to add
[code:1]management-access inside[/code:1]
in global config mode on the ASA you are trying to ping.
HTH
s-
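Added example, not part of the thread and not Cisco tooling: a Python check that reads an ASA config and the packet-tracer output quoted in the question, reports the first dropping phase, and tells whether a ping target across the tunnel is the ASA's own interface address, which is the case the reply above addresses with `management-access`. The function names and the abbreviated sample inputs are constructed for illustration.

```python
# Constructed samples, abbreviated from the ASA5505 output quoted in the question.
CONFIG = """interface Vlan1
nameif inside
ip address 10.4.1.9 255.255.255.248
"""
TRACE = """ASA5505# packet-tracer input inside icmp 10.4.1.9 0 0 10.16.1.4 detailed
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Result: DROP
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def interface_addresses(config):
    """Map each interface IP to its nameif (hypothetical helper)."""
    addrs, name = {}, None
    for words in map(str.split, config.splitlines()):
        if words[:1] == ["interface"]:
            name = None  # a new interface block starts; forget the previous nameif
        elif words[:1] == ["nameif"] and len(words) > 1:
            name = words[1]
        elif words[:2] == ["ip", "address"] and len(words) > 2:
            addrs[words[2]] = name
    return addrs

def first_drop(trace):
    """Return (phase, type, drop reason) for the first DROP phase, else None."""
    phase = ptype = hit = reason = None
    for line in trace.splitlines():
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Phase":
            phase = int(val)
        elif key == "Type":
            ptype = val
        elif key == "Result" and val == "DROP" and hit is None:
            hit = (phase, ptype)
        elif key == "Drop-reason":
            reason = val
    return hit and hit + (reason,)

def tunnel_ping_check(config, target):
    """Classify a ping target reached over the VPN (hypothetical helper)."""
    ifc = interface_addresses(config).get(target)
    if ifc is None:
        return "transit"  # host behind the ASA: through-the-box traffic
    if f"management-access {ifc}" in map(str.strip, config.splitlines()):
        return "to-the-box, allowed"
    return f"to-the-box, add: management-access {ifc}"
```

ICMP addressed to the interface itself is still subject to the `icmp permit` lines shown in the question's config.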
13 years 9 months ago #36263
by eldo
Replied by eldo on topic Re: Why I'm not able to ping Cisco LAN interface through IPSEC?
MANY THANKS! This is it;)