Skip to main content

Why i'm not able to ping cisco LAN interface trought IPSEC?

More
13 years 10 months ago #36236 by eldo
Hello guys, can anybody help?
Why i'm not able to ping cisco LAN interface trought IPSEC?
Ping to PC behind the LAN interface is working fine...


HQ site ASA5510 config
##############################

ASA Version 8.0(4)

interface Ethernet0/0
description Rainside connectivity
nameif outside
security-level 0
ip address 212.89.236.x 255.255.255.240
ospf cost 10

interface Ethernet0/1.2
vlan 200
nameif ds_dmz
security-level 10
ip address 10.16.1.1 255.255.255.240
ospf cost 10

access-list ds_dmz_access_in extended permit icmp any any

access-list cust extended permit udp host 10.16.1.4 10.4.1.8 255.255.255.248

global (outside) 1 interface

nat (ds_dmz) 0 access-list ds_dmz_nat0_outbound

nat (ds_dmz) 1 10.16.1.0 255.255.255.0
nat (ds_dmz) 1 10.16.1.0 255.255.255.0 outside

access-group ds_dmz_access_in in interface ds_dmz

route outside 0.0.0.0 0.0.0.0 212.89.236.x 1 track 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 8 match address cust
crypto map outside_map 8 set peer 194.228.44.x
crypto map outside_map 8 set transform-set ESP-3DES-SHA
crypto map outside_map 8 set security-association lifetime seconds 28800
crypto map outside_map 8 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 194.228.44.x type ipsec-l2l
tunnel-group 194.228.44.x ipsec-attributes
pre-shared-key *



Cust site ASA5505 config
##############################

ASA Version 8.2(1)

interface Vlan1
nameif inside
security-level 100
ip address 10.4.1.9 255.255.255.248

interface Vlan2
nameif outside
security-level 0
ip address 194.228.44.x 255.255.255.224


access-list outside_cryptomap_1 extended permit ip 10.4.1.8 255.255.255.248 host 10.16.1.4

icmp permit any inside
icmp permit any outside

arp timeout 14400
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 194.228.44.x 1

crypto map outside_map0 2 set peer 212.89.236.x
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 interface outside

crypto isakmp identity hostname
crypto isakmp enable outside

crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

dhcpd auto_config outside

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group 212.89.236.x type ipsec-l2l
tunnel-group 212.89.236.x ipsec-attributes
pre-shared-key *




ICMP Ping from Customer - eth0/1 - 10.4.1.9 - doesnt work
#############################

ASA5505# packet-tracer input inside icmp 10.4.1.9 0 0 10.16.1.4 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9581e20, priority=500, domain=permit, deny=true
hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.4.1.9, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


ASA5505# sh logging asdm

2|Feb 08 2011 17:36:41|106016: Deny IP spoof from (10.4.1.9) to 10.16.1.4 on interface inside
5|Feb 08 2011 17:36:42|111008: User 'dsadmin' executed the 'packet-tracer input inside icmp 10.4.1.9 0 0 10.16.1.4 detailed' command.




ICMP Ping from Customer - PC - 10.4.1.10 - working correctly
#############################



ASA5505# packet-tracer input inside icmp 10.4.1.10 0 0 10.16.1.4 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc957d690, priority=0, domain=permit-ip-option, deny=true
hits=130015, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc957cd30, priority=66, domain=inspect-icmp-error, deny=false
hits=25417, user_data=0xc957cc28, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc95c7a88, priority=0, domain=host-limit, deny=false
hits=129967, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc92393c8, priority=70, domain=encrypt, deny=false
hits=161, user_data=0x30b44f4, cs_id=0xc9e7e738, reverse, flags=0x0, protocol=0
src ip=10.4.1.8, mask=255.255.255.248, port=0
dst ip=10.16.1.4, mask=255.255.255.255, port=0, dscp=0x0

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 482802, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


ASA5505# sh logging asdm

6|Feb 08 2011 17:38:24|302020: Built outbound ICMP connection for faddr 10.16.1.4/0 gaddr 10.4.1.10/0 laddr 10.4.1.10/0
5|Feb 08 2011 17:38:25|111008: User 'dsadmin' executed the 'packet-tracer input inside icmp 10.4.1.10 0 0 10.16.1.4 detailed' command.
6|Feb 08 2011 17:38:26|302021: Teardown ICMP connection for faddr 10.16.1.4/0 gaddr 10.4.1.10/0 laddr 10.4.1.10/0



ICMP ping from HQ - server - 10.16.1.4 to cust eth0/1 10.4.1.9 - doesnt work
#############################

eldo@server:~$ ping 10.4.1.9
PING 10.4.1.9 (10.4.1.9) 56(84) bytes of data.
^C
--- 10.4.1.9 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms


ICMP ping from HQ - server - 10.16.1.4 to cust PC 10.4.1.10 - works
#############################


eldo@server:~$ ping 10.4.1.10
PING 10.4.1.10 (10.4.1.10) 56(84) bytes of data.
64 bytes from 10.4.1.10: icmp_seq=1 ttl=128 time=12.8 ms
64 bytes from 10.4.1.10: icmp_seq=2 ttl=128 time=12.8 ms
64 bytes from 10.4.1.10: icmp_seq=3 ttl=128 time=12.6 ms
^C
--- 10.4.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 12.680/12.803/12.897/0.129 ms
More
More
13 years 10 months ago #36245 by slyride
Hello,
You may need to add
[code:1]management-access inside[/code:1]
in global config mode on the ASA you are trying to ping.
HTH
s-
More
13 years 10 months ago #36263 by eldo

Hello,
You may need to add
[code:1]management-access inside[/code:1]
in global config mode on the ASA you are trying to ping.
HTH
s-



MANY THANKS! This is it;)
Time to create page: 0.122 seconds