[SOLVED] Cisco ASA Help IPSEC Tunnel is up but I cant ping remote hosts and Vice Versa

sniper7777777

Honorable
Sep 22, 2014
98
3
10,645
Hey as the title says, this is my first IPSEC tunnel I've set up
it seems like almost everything is good and I have the tunnel active but I cant ping remote hosts I swear its like on config off from working


so very simple set up here at my house (GFIREWALL) I use 192.168.2.0/24 and at the remote house (KFIREWALL) they use 192.168.10.0/24

Also when I ran a packet-tracer from CLI and ASDM both say everything is good???

I'll post the running config at the bottom but here are some of the details on the Tunnel

GFIREWALL# show crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 73.X.X.X
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

----------------------------------------------------------------------------------------------------------
GFIREWALL# show crypto ipsec sa
interface: outside
Crypto map tag: GFIREWALLCRYPTOMAP, seq num: 10, local addr: 24.X.X.X
access-list P2PACL extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 73.X.X.X

#pkts encaps: 522, #pkts encrypt: 522, #pkts digest: 522
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 522, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 24.X.X.X/0, remote crypto endpt.: 73.X.X.X/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: DC2819E2
current inbound spi : 5B0CBFF1
inbound esp sas:
spi: 0x5B0CBFF1 (1527562225)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: GFIREWALLCRYPTOMAP
sa timing: remaining key lifetime (kB/sec): (3914999/81732)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000000FF
outbound esp sas:
spi: 0xDC2819E2 (3693615586)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: GFIREWALLCRYPTOMAP
sa timing: remaining key lifetime (kB/sec): (3914969/81732)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:

----------------------------------------------------------------------------------------------
Here is the packet-tracer
GFIREWALL# packet-tracer input inside icmp 192.168.2.2 8 0 192.168.10.254 deta$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 24.X.X.X, outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static GLAN GLAN destination static KLAN KLAN no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.10.254/0 to 192.168.10.254/0
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static GLAN GLAN destination static KLAN KLAN no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.2.2/0 to 192.168.2.2/0
Forward Flow based lookup yields rule:
in id=0xcb8850c0, priority=6, domain=nat, deny=false
hits=751, user_data=0xcb884770, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb1305a0, priority=0, domain=nat-per-session, deny=true
hits=21671, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb832b98, priority=0, domain=inspect-ip-options, deny=true
hits=20597, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc3f0de8, priority=70, domain=inspect-icmp, deny=false
hits=19812, user_data=0xcc3f0308, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb832638, priority=66, domain=inspect-icmp-error, deny=false
hits=1296, user_data=0xcb831c48, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb3ed428, priority=70, domain=encrypt, deny=false
hits=758, user_data=0xb914, cs_id=0xcc09c3a0, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static GLAN GLAN destination static KLAN KLAN no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb885960, priority=6, domain=nat-reverse, deny=false
hits=751, user_data=0xcb884828, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc85b8c68, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=756, user_data=0x16cb4, cs_id=0xcc09c3a0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb1305a0, priority=0, domain=nat-per-session, deny=true
hits=21673, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb85dc40, priority=0, domain=inspect-ip-options, deny=true
hits=19806, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20064, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
------------------------------------------------------------------------

and the running config
GFIREWALL# show running-config
: Saved
:
: Serial Number: JMXXXXXXXX
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)33
!
hostname GFIREWALL
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool VPNPool 192.168.100.2-192.168.100.253 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
switchport access vlan 77
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 77
!
interface Vlan77
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Vlan100
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network GLAN
subnet 192.168.2.0 255.255.255.0
object network KLAN
subnet 192.168.10.0 255.255.255.0
access-list P2PACL extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 2PACL extended permit ip 24.0.0.0 255.0.0.0 73.0.0.0 255.0.0.0 log
access-list NONAT extended deny ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static GLAN GLAN destination static KLAN KLAN no-proxy-arp route-lookup
!
object network LAN
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http redirect inside 80
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set GFIREWALLT1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map GFIREWALLCRYPTOMAP 10 match address P2PACL
crypto map GFIREWALLCRYPTOMAP 10 set peer 73.X.X.X
crypto map GFIREWALLCRYPTOMAP 10 set ikev1 transform-set GFIREWALLT1
crypto map GFIREWALLCRYPTOMAP 10 set security-association lifetime seconds 86400
crypto map GFIREWALLCRYPTOMAP interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 10
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.4.4
!
dhcpd address 192.168.2.2-192.168.2.253 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-linux-3.1.00495-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_MGVPN internal
group-policy GroupPolicy_MGVPN attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ssl-client
default-domain none
username test password P4ttSyrm33SV8TYp encrypted
username admin password Xd4yTLiYyLBfvEdu encrypted privilege 15
tunnel-group MGVPN type remote-access
tunnel-group MGVPN general-attributes
address-pool VPNPool
default-group-policy GroupPolicy_MGVPN
tunnel-group MGVPN webvpn-attributes
group-alias MGVPN enable
tunnel-group 73.X.X.X type ipsec-l2l
tunnel-group 73.X.X.X ipsec-attributes
ikev1 pre-shared-key *
!
class-map icmp
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ebfddec9bfc630fa04ddda338f47a215
: end

0x00000000 0x00000001

<Moderator Note: Edited to add spoiler tags to the wall of text>
 
Last edited by a moderator:
Solution
WOW ok so I resolved the issue basically.... windows firewall was blocking ICMP on both sides and I didn't issue this command

management-access inside

on both firewalls so that's why I couldn't ping the firewalls either

sniper7777777

Honorable
Sep 22, 2014
98
3
10,645
You get encaps/decaps, so your tunnel parameters are alright.

Probably getting caught in an ACL
Well the packets sent to KFirewall (Site B) from GFirewall (Site A) are the encap packets
and the packets sent vice versa are the decaps from pings I initiated (7 of them)


also here is NAT
GFIREWALL# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static GLAN GLAN destination static KLAN KLAN no-proxy-arp route-lookup
translate_hits = 1844, untranslate_hits = 1864
Source - Origin: 192.168.2.0/24, Translated: 192.168.2.0/24
Destination - Origin: 192.168.10.0/24, Translated: 192.168.10.0/24
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic LAN interface
translate_hits = 61381, untranslate_hits = 21455
Source - Origin: 192.168.2.0/24, Translated: 24.X.X.X/20
 

beers

Distinguished
BANNED
Oct 4, 2012
261
53
18,790
Do you permit icmp echo reply on GFirewall from the subnets behind KFirewall? It may be returning via the tunnel but then getting dumped after decapsulation.

What does your tcp, ip or icmp permit policy look like for those?

You might have to throw in a rule for 192.168.10.0/24 -> 192.168.2.0/24 between zones on GFirewall
 

beers

Distinguished
BANNED
Oct 4, 2012
261
53
18,790
from my understanding "access-group" would be to limit access using remote administration protocols like telnet and SSH am I mistaken?
That would bind an ACL to your interface. Currently you're just permitting a higher security zone to a lower one (inside to outside), which will return route stateful traffic. Otherwise everything inbound from outside to inside is implicitly denied.
 

sniper7777777

Honorable
Sep 22, 2014
98
3
10,645
WOW ok so I resolved the issue basically.... windows firewall was blocking ICMP on both sides and I didn't issue this command

management-access inside

on both firewalls so that's why I couldn't ping the firewalls either
 
Solution