
VPN ICMP Issue

Status
Not open for further replies.

brianinms (MIS), Jul 16, 2007, US
Alright this one has stumped me for sure and I think I have looked at it for so long I have gotten tunnel vision. I have a site to site vpn between a pix and an ASA. The tunnel works completely fine, but I can't ping across the tunnel. I have conducted multiple experiments and the problem appears to be on the host side.

Host ASA = 8.0.2 ... 192.168.1.253

Host Router 12.4. ... 192.168.1.254

Remote Pix 6.3.5

Remote Client 5.001

Here are the ICMP debugs


Site to Site .... Host 192.168.60.235 ping to 192.168.1.254


Host ASA

ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=33281 len=32
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=33537 len=32
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=33793 len=32
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=34049 len=32
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=34305 len=32
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=34561 len=32
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=34817 len=32
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=35073 len=32
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=35329 len=32
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=35585 len=32


Host Internal router

1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
Remote Access ... host 192.168.253.17 ping to 192.168.1.254

ASA

ICMP echo request from outside:192.168.253.17 to inside:192.168.1.254 ID=1792 seq=10496 len=32
ICMP echo reply from inside:192.168.1.254 to outside:192.168.253.17 ID=1792 seq=10496 len=32
ICMP echo request from outside:192.168.253.17 to inside:192.168.1.254 ID=1792 seq=10752 len=32
ICMP echo reply from inside:192.168.1.254 to outside:192.168.253.17 ID=1792 seq=10752 len=32
ICMP echo request from outside:192.168.253.17 to inside:192.168.1.254 ID=1792 seq=11008 len=32
ICMP echo reply from inside:192.168.1.254 to outside:192.168.253.17 ID=1792 seq=11008 len=32
ICMP echo request from outside:192.168.253.17 to inside:192.168.1.254 ID=1792 seq=11264 len=32
ICMP echo reply from inside:192.168.1.254 to outside:192.168.253.17 ID=1792 seq=11264 len=32


Router

1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.253.17
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.253.17
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.253.17
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.253.17

So basically it works perfectly from the remote client but not from the remote site. Like I said, I have full connectivity from 192.168.60.x to 192.168.1.x ... I just can't seem to get ICMP from 192.168.1.254 back to the ASA, which is 192.168.1.253.

The router merely has 3 routes, and its default route is to send its traffic to the ASA. If I do a show ip route 192.168.60.x, it indicates no route in table, which means it would take the default route.


names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.239 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name .Com
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.253.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat extended permit ip 192.168.254.60 255.255.255.252 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.17.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.33.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.254.4 255.255.255.252 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.254.8 255.255.255.252 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.254.12 255.255.255.252 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.1.0 255.255.255.0 172.24.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.17.0 255.255.255.0 172.24.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.33.0 255.255.255.0 172.24.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.48.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.48.0 255.255.255.0 172.24.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.49.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.254.32 255.255.255.252 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.50.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.51.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.254.40 255.255.255.252 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.2.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.61.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list split-vpn extended permit ip 192.168.254.60 255.255.255.252 192.168.253.0 255.255.255.0
access-list outside-inbound extended permit icmp any any echo
access-list outside-inbound extended permit icmp any any echo-reply
access-list outside-inbound extended permit icmp any any time-exceeded
access-list Batonrouge extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool remote 192.168.253.1-192.168.253.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.254.4 255.255.255.252
nat (inside) 1 192.168.254.8 255.255.255.252
nat (inside) 1 192.168.254.12 255.255.255.252
nat (inside) 1 192.168.254.32 255.255.255.252
nat (inside) 1 192.168.254.40 255.255.255.252
nat (inside) 1 192.168.254.60 255.255.255.252
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.17.0 255.255.255.0
nat (inside) 1 192.168.33.0 255.255.255.0
nat (inside) 1 192.168.48.0 255.255.255.0
nat (inside) 1 192.168.49.0 255.255.255.0
nat (inside) 1 192.168.50.0 255.255.255.0
nat (inside) 1 192.168.51.0 255.255.255.0
access-group outside-inbound in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.225 1
route inside 192.168.17.0 255.255.255.0 192.168.1.254 1
route inside 192.168.33.0 255.255.255.0 192.168.1.254 1
route inside 192.168.48.0 255.255.255.0 192.168.1.254 1
route inside 192.168.49.0 255.255.255.0 192.168.1.254 1
route inside 192.168.50.0 255.255.255.0 192.168.1.254 1
route inside 192.168.51.0 255.255.255.0 192.168.1.254 1
route inside 192.168.61.0 255.255.255.0 192.168.1.252 1
route inside 192.168.253.0 255.255.255.0 192.168.1.254 1
route inside 192.168.254.4 255.255.255.252 192.168.1.254 1
route inside 192.168.254.8 255.255.255.252 192.168.1.254 1
route inside 192.168.254.12 255.255.255.252 192.168.1.254 1
route inside 192.168.254.32 255.255.255.252 192.168.1.254 1
route inside 192.168.254.40 255.255.255.252 192.168.1.254 1
route inside 192.168.254.60 255.255.255.252 192.168.1.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN protocol radius
aaa-server VPN host 192.168.1.3
timeout 5
key khU8JpKP
aaa-server VPN host 192.168.17.2
timeout 15
key khU8JpKP
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-AES128-SHA ESP-3DES-MD5
crypto map outside 10 match address Batonrouge
crypto map outside 10 set peer x.x.x.132
crypto map outside 10 set transform-set ESP-AES128-SHA
crypto map outside 65535 ipsec-isakmp dynamic dynmap
crypto map outside interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy 3000 internal
group-policy 3000 attributes
wins-server value 192.168.1.3 192.168.17.2
dns-server value 192.168.1.3 192.168.17.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-vpn

tunnel-group 3000 type remote-access
tunnel-group 3000 general-attributes
address-pool remote
authentication-server-group VPN
default-group-policy 3000
tunnel-group 3000 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.132 type ipsec-l2l
tunnel-group x.x.x.132 ipsec-attributes
pre-shared-key *
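The post's evidence is two debug outputs that have to be read side by side: the ASA "debug icmp trace" shows which echo requests and replies the firewall processed, and the router's "debug ip icmp" shows which replies it claims to have sent. The script below is an added example (not part of the post or of Cisco's tooling) that automates that comparison: it parses both formats, lists echo requests the ASA saw that were never answered (same ID/seq, addresses reversed), and tallies router-sent replies against replies the ASA actually saw on its inside interface. The sample lines are a subset copied from the debugs above; the regular expressions assume the exact line shapes shown there.

```python
"""Correlate Cisco ASA 'debug icmp trace' output with IOS 'debug ip icmp' output
to find echo requests that crossed the firewall but whose replies never came back.
Added example; the sample lines below are a subset of the debugs in the post."""
import re
from collections import defaultdict

# ASA 8.0 'debug icmp trace' line, e.g.
# ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=33281 len=32
ASA_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+)"
)
# IOS 'debug ip icmp' line, e.g.
# 1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
IOS_RE = re.compile(r"ICMP: echo reply sent, src (?P<src>[\d.]+), dst (?P<dst>[\d.]+)")


def parse_asa(lines):
    """Yield (kind, src, dst, id, seq) for every line matching the ASA debug format."""
    for line in lines:
        m = ASA_RE.search(line)
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])


def unanswered_requests(asa_lines):
    """Echo requests the ASA saw with no matching reply (same ID/seq, reversed addresses).

    Returns {(requester, target): [seq, ...]} for the unanswered probes."""
    pending = {}
    for kind, src, dst, ident, seq in parse_asa(asa_lines):
        if kind == "request":
            pending[(src, dst, ident, seq)] = True
        else:
            # A reply closes the request that was sent the other way.
            pending.pop((dst, src, ident, seq), None)
    result = defaultdict(list)
    for src, dst, _ident, seq in pending:
        result[(src, dst)].append(seq)
    return {k: sorted(v) for k, v in result.items()}


def router_vs_firewall(asa_lines, ios_lines):
    """Compare replies the inside router says it sent with replies the ASA saw.

    Returns {(reply_src, reply_dst): (router_sent, asa_seen)}; a non-zero first
    value with a zero second value means the reply was lost between the two boxes."""
    sent = defaultdict(int)
    for line in ios_lines:
        m = IOS_RE.search(line)
        if m:
            sent[(m["src"], m["dst"])] += 1
    seen = defaultdict(int)
    for kind, src, dst, _ident, _seq in parse_asa(asa_lines):
        if kind == "reply":
            seen[(src, dst)] += 1
    return {k: (n, seen.get(k, 0)) for k, n in sent.items()}


# Sample input: lines copied from the post's two debugs (site-to-site host
# 192.168.60.235 and remote-access client 192.168.253.17 pinging 192.168.1.254).
ASA_DEBUG = """\
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=33281 len=32
ICMP echo request from outside:192.168.60.235 to inside:192.168.1.254 ID=512 seq=33537 len=32
ICMP echo request from outside:192.168.253.17 to inside:192.168.1.254 ID=1792 seq=10496 len=32
ICMP echo reply from inside:192.168.1.254 to outside:192.168.253.17 ID=1792 seq=10496 len=32
""".splitlines()

ROUTER_DEBUG = """\
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.60.235
1w3d: ICMP: echo reply sent, src 192.168.1.254, dst 192.168.253.17
""".splitlines()

if __name__ == "__main__":
    print("unanswered:", unanswered_requests(ASA_DEBUG))
    print("router sent vs ASA saw:", router_vs_firewall(ASA_DEBUG, ROUTER_DEBUG))
```

On the sample, the site-to-site flow shows up as two unanswered requests and as (2 sent, 0 seen) for 192.168.1.254 -> 192.168.60.235, while the remote-access flow balances at (1, 1). That is exactly the asymmetry the post describes: the router reports sending the replies, but for the 192.168.60.x destination the firewall never processes them, so the next place to look is the path between the router and the ASA's inside interface rather than the tunnel itself.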