ASA5505 ad ASA5520 Tunnel establish but cannot ping inside hosts.

[mktck]

An IPSec tunnel is established between ASA5505 and ASA5520. Phase 1 and 2 are both completed.

I am able to ping the 'Internal' interface IP of the ASA5520 from the laptop connected to E0/1 of ASA 5505, but I get “Destination Host Unreachable” when I ping a Server connected on an unmanaged switch which is inturn, connected to E0/1 of the ASA5520. I am also able to telnet into the ASA 5520 from the laptop connected to ASA 5505.

I am able to ping ASA 5505 'Inside' interface and the laptop from the 'Internal' interface of ASA 5520 using the 'Ping Internal <ASA 5505 IP>' command.

Kindly advise on what the issue is here. Attached is the respective Show Run with some details omitted.

=================ASA 5505===============
: Saved
:
ASA Version 8.0(4)
!
hostname sg
domain-name xxxx.com
enable password xxxxxxx encrypted
passwd xxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.x.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 67.148.x.x 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone SGT 8
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 205.171.3.65
domain-name xxxx.com
dns server-group allegro
name-server 172.17.x.2
access-list inside_nat0_outbound extended permit ip 67.148.x.x 255.255.255.252 63.237.x.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip interface outside 63.237.x.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip interface inside 63.237.x.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.x.0 255.255.255.0 172.17.x.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.10.x.0 255.255.255.0 172.17.x.0 255.255.0.0
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.148.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 63.237.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.x.0 255.255.255.0 inside
telnet 172.17.x.0 255.255.0.0 inside
telnet 63.237.x.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.10.x.2-10.10.x.254inside
dhcpd dns 205.171.3.65 interface inside
dhcpd enable inside
!

no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 63.237.x.x type ipsec-l2l
tunnel-group 63.237.x.x ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2662d17a803ebdf0c6c40d00aec345f8
: end
================End ASA 5505============


================ASA 5520===============
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name xxxx.com
enable password xxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif external
security-level 0
ip address 63.237.x.x 255.255.255.0
!
interface GigabitEthernet0/1
nameif internal
security-level 100
ip address 172.17.x.40 255.255.0.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
passwd xxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup external
dns domain-lookup internal
dns server-group DefaultDNS
name-server 172.17.x.2
name-server 172.17.x.3
domain-name xxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list gigabitether0_access_in extended permit ip any any
access-list internal_1_cryptomap extended permit ip 172.17.x.0 255.255.0.0 63.237.x.x 255.255.0.0
access-list ciscovpn_splitTunnelAcl standard permit any
access-list external_1_cryptomap extended deny ip 172.17.x.0 255.255.0.0 63.237.x.x 255.255.0.0
access-list external_access_in extended permit ip any any
access-list external_access_in_1 extended permit tcp any any
access-list external_access_in_1 extended permit udp any any
access-list external_access_in_1 extended permit icmp any any
access-list capture extended permit gre any any
access-list capture extended permit tcp any any eq pptp
access-list capture extended permit tcp any eq pptp any
access-list external_2_cryptomap extended permit ip 172.17.x.0 255.255.0.0 10.10.x.0 255.255.255.0
access-list internal_nat0_outbound extended permit ip 172.17.x.0 255.255.0.0 10.10.x.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu external 1500
mtu internal 1500
mtu management 1500
ip local pool classCrange 172.17.x.1-172.17.x.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat (external) 101 63.237.x.x 255.255.0.0
access-group external_access_in_1 in interface external
route external 0.0.0.0 0.0.0.0 63.237.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server xxxx protocol radius
accounting-mode simultaneous
aaa-server xxxx (external) host 63.237.x.x
timeout 5
key xxxx
acl-netmask-convert auto-detect
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.100.1.0 255.255.255.0 management
http 63.0.0.0 255.0.0.0 external
http 192.168.1.0 255.255.255.0 management
http 172.0.0.0 255.0.0.0 internal
http redirect management 22
http redirect internal 22
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp internal
auth-prompt prompt Verifying user access
auth-prompt accept Welcome to the Allegro Netowork
auth-prompt reject Invalid user name/password
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 2 set transform-set 3DES-SHA
crypto map gigabitether1_map 40 match address internal_1_cryptomap
crypto map gigabitether1_map 40 set pfs
crypto map gigabitether1_map 40 set peer 172.17.x.40
crypto map gigabitether1_map 40 set transform-set ESP-3DES-SHA
crypto map gigabitether1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map gigabitether1_map interface internal
crypto map external_map 50 match address external_1_cryptomap
crypto map external_map 50 set pfs
crypto map external_map 50 set peer 63.237.x.x
crypto map external_map 50 set transform-set ESP-3DES-SHA
crypto map management_map 2 match address external_2_cryptomap
crypto map management_map 2 set pfs
crypto map management_map 2 set peer 67.148.x.x
crypto map management_map 2 set transform-set ESP-3DES-SHA
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface external
crypto map management_map interface management
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn ciscoasa
subject-name CN=ciscoasa
no client-types
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
30820231 3082019a a0030201 02020131 300d0609 2a864886 f70d0101 04050030
2c311130 0f060355 04031308 63697363 6f617361 31173015 06092a86 4886f70d
01090216 08636973 636f6173 61301e17 0d303831 31313432 30333133 325a170d
31383131 31323230 33313332 5a302c31 11300f06 03550403 13086369 73636f61
73613117 30150609 2a864886 f70d0109 02160863 6973636f 61736130 819f300d
06092a86 4886f70d 01010105 0003818d 00308189 02818100 9cf824ad 69709b1f
156ae40f 53ddb4ea 7bf7cff1 3b049c0b 15bb773a 1a50a7d9 5ef28f0d 36e479b0
89f4f24d 2aadf894 9f55ae86 8e3ea5de b719c300 5efdf026 8557c54b c4ea5786
cf5d0e01 c3b5b9a7 fa73ecbf d2b28409 ce5d8b91 d13940ca 496af3cd 0ccf7ea0
7f1e8a66 03c53a89 1dbb2c09 e58eb61a b18840b8 4be6e617 02030100 01a36330
61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 0f0101ff 04040302
0186301f 0603551d 23041830 168014af 8dc93279 e9ccc370 165562f6 61b055c9
b10c4030 1d060355 1d0e0416 0414af8d c93279e9 ccc37016 5562f661 b055c9b1
0c40300d 06092a86 4886f70d 01010405 00038181 00019ff6 97efbd17 757a5294
2b09167d 835eed6e caf6dec8 11bfca2c 190b38f7 f1622b67 d92685ab c9bbf17c
fd742ecf 9662cebb 47198b16 adff3c1a 4c4e641f 0b70ca5d 2bb67788 969ad604
7b3d590f e358f8d7 22a0c276 f9ece4c3 a231e5f7 c29ce52d f614cb7c da4afbfd
32079cdd 49c8be65 5d837c80 b64cab37 ff9503f3 d9
quit
crypto isakmp enable external
crypto isakmp enable internal
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 45
telnet 172.17.x.0 255.255.0.0 internal
telnet 10.10.x.0 255.255.255.0 internal
telnet timeout 1440
ssh 0.0.0.0 0.0.0.0 internal
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
management-access internal
dhcpd domain allegrodevelopment.com
dhcpd auto_config internal
!
dhcpd auto_config internal interface external
!
dhcpd auto_config external interface management
!
vpn load-balancing
interface lbpublic external
interface lbprivate external
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable external
enable internal
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
ipsec-udp enable
split-tunnel-network-list value ciscoasa_splitTunnelAcl
webvpn
svc dpd-interval client none
svc dpd-interval gateway none
group-policy radius internal
group-policy radius attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ciscoasa internal
group-policy ciscoasa attributes
dns-server value 202.138.96.2
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ciscoasa_splitTunnelAcl
username test password P4ttSyrm33SV8TYp encrypted
username tejinder password azu34DJoq0OU//DQ encrypted privilege 0
username tejinder attributes
vpn-group-policy ciscoasa
tunnel-group DefaultRAGroup general-attributes
address-pool classCrange
authentication-server-group allegroradius
default-group-policy radius
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (external) classCrange
authentication-server-group allegroradius
authorization-server-group LOCAL
default-group-policy radius
tunnel-group DefaultWEBVPNGroup ipsec-attributes
pre-shared-key *
trust-point ASDM_TrustPoint0
tunnel-group external type remote-access
tunnel-group external general-attributes
address-pool (external) classCrange
authentication-server-group allegroradius
authentication-server-group (external) allegroradius
authorization-server-group allegroradius
authorization-server-group (external) allegroradius
accounting-server-group allegroradius
default-group-policy radius
tunnel-group external ipsec-attributes
pre-shared-key *
trust-point ASDM_TrustPoint0
isakmp ikev1-user-authentication (external) xauth
tunnel-group external ppp-attributes
authentication ms-chap-v2
tunnel-group internal type remote-access
tunnel-group internal general-attributes
address-pool classCrange
authentication-server-group allegroradius
authentication-server-group (internal) allegroradius
authorization-server-group (internal) allegroradius
accounting-server-group allegroradius
default-group-policy radius
tunnel-group internal webvpn-attributes
authentication certificate
tunnel-group internal ipsec-attributes
pre-shared-key *
trust-point ASDM_TrustPoint0
tunnel-group 172.17.x.40 type ipsec-l2l
tunnel-group 63.237.x.x type ipsec-l2l
tunnel-group 63.237.x.x ipsec-attributes
pre-shared-key *
tunnel-group 67.148.x.x type ipsec-l2l
tunnel-group 67.148.x.x ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:d5df8ae30a55683430edeb062cc82b42
: end================End ASA 5520===========

 

[unclerico]

on the 5520 you are missing a nat0 statement for your traffic originating on the 172.17.x.x/16 network destined for the 10.10.x.x/24 network

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[North323]

also add crypto isakmp nat-traversal 120 to both devices

 

[mktck]

Hi Guru unclerico, do you mean these two lines?

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

Hi Guru North323, may you kindly explain to me the usage of this line? I shall add it when i get in to the office.

Thanks in advance, i m more a router guy, never deal with ASA tunnelling before. Will keep posted.

 

[North323]

http://www.tek-tips.com/viewthread.cfm?qid=1533545&page=5

 

[unclerico]

Hi Guru unclerico, do you mean these two lines?
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

correct. except on the 5520 your acl is internal_nat0_outbound

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[mktck]

Hi Gurus,

I have updated as you both advised, still no avail. But I realised something, which I hope can open up more ideas for your advising.

on the 5505, I can ping 172.17.x.40 plus a traceroute of 1 hop, this is done on a laptop (10.10.x.2) connected to F0/1. But as usual, i cannot reach 172.17.x.4 which is my main DB server.

on the 5520, I can only access the ASA remotely, so I am in Cisco CLI. I can run 'ping internal 10.10.x.2' with response. When I do a traceroute 'traceroute 10.10.x.2 source internal', I get a unreacheable response.

addition to that, I can ping 172.17.x.4 from the 5520 CLI, with a traceroute hop of 1. I did a VPN to this 5520 via the Internet address 63.237.x.x. While in this VPN, I also cannot ping 172.17.x.4 but I can ping 10.10.x.2 and 172.17.x.40.

lastly, I RDP into 172.17.x.4, I can ping 172.17.x.40, but not 10.10.x.2. tracert to 172.17.x.40 shows a hop of 1, and tracert to 10.10.x.2 goes to nowhere. Oddly, the Gateway shows 172.17.x.50.

I dun understand how come I managed to ping 172.17.x.4 from ASA5520 but there is no routing to it at all. Any ideas? Thanks.

 

[mktck]

Btw, I have an old line connected to the remote site, we are upgrading to ELL, that is why I have to configure this ASA.

Thanks.

 

[unclerico]

Oddly, the Gateway shows 172.17.x.50.

change it to 172.17.x.40

I dun understand how come I managed to ping 172.17.x.4 from ASA5520 but there is no routing to it at all.

the 172.17.x.x/16 network is directly connected to the 5520 so no routing is needed.

One last thing i'll mention is to move your RA VPN pool out of the 172.17.x.x/24 address space and into something on a completely different network. your internal network is 172.17.x.x/16 and your RA VPN Pool is 172.17.x.x/24 so there's overlap

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[VinceWhirlwind]

This forum is starting to get completely gummed-up with posts about ASAs & Pixs instead of "Cisco - Routers".

You may be missing out on advice from the people who only look at the "Cisco - ASA" and "Cisco - Pix" forums.

 

[mktck]

Hi,

I did some analysing and troubleshooting last few days. here is the development so far, still not resolve.

I am getting the following error at the ASA5520 side when i try to ping 172.17.0.2:

3 Aug 18 2009 00:39:50 713042 IKE Initiator unable to find policy: Intf external, Src: 172.17.0.1, Dst: 63.237.x.x

The following is my crypto map so far:
================================================
crypto map gigabitether1_map 40 match address internal_1_cryptomap
crypto map gigabitether1_map 40 set pfs
crypto map gigabitether1_map 40 set peer 172.17.0.40
crypto map gigabitether1_map 40 set transform-set ESP-3DES-SHA
crypto map gigabitether1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map gigabitether1_map interface internal
crypto map external_map 50 match address external_1_cryptomap
crypto map external_map 50 set pfs
crypto map external_map 50 set peer 63.237.x.x
crypto map external_map 50 set transform-set ESP-3DES-SHA
crypto map management_map 1 match address external_cryptomap
crypto map management_map 1 set peer 38.104.x.x 62.73.x.x
crypto map management_map 1 set transform-set ESP-3DES-SHA
crypto map management_map 2 match address external_2_cryptomap
crypto map management_map 2 set pfs
crypto map management_map 2 set peer 67.148.x.x
crypto map management_map 2 set transform-set ESP-3DES-SHA
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface external
crypto map management_map interface management
crypto ca trustpoint ASDM_TrustPoint0
=======================================================

Could the error be due to issues from my crypto map? noticed management_map have 2 differet tunnels.

 

[unclerico]

go to the Cisco ASA forum on here and post your new configs, it looks like some things might have changed.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[mktck]

The pinging from 10.10.x.0/24 to 172.17.x.0/16 network is solved. It is due to multiple legacy backend routers/contivity box which routing is not configured to allow response to be return via 172.17.x.40. It was attempting to route out another gateway instead. I applied a static route on the server i am trying to ping and managed to get replied.