Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2

I have two ASA 5505 firewall each with a basic license: FWa and FWb. currently there is a VPN tunnel between them work. I added a second (inside2) interface to the firewall, FWb, but I can't ping firewall FWa, so that I can ping the inside interface of FWa.

I can ping the FWb inside interface 192.168.20.1 from the FWa inside 172.16.1.1 interface, but I can not ping to the 10.52.100.10 of the FWa FWb inside2 interface. I can not ping the gateway host FWa 10.52.100.1.

I show the essential configuration of two firewalls as well as the debug icmp output on the two firewalls that I ping the internal interfaces and of FWa FWb inside2.
=========================================================

Here is a skeleton of the FWa configuration:

name 172.16.1.0 network-inside
name 192.168.20.0 HprCnc Thesys
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name S.S.S.S outside-interface

interface Vlan1
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
!
interface Vlan2
Description Connection to 777 VLAN to work around static Comast external Modem and IP address.
nameif outside
security-level 0
outside interface IP address 255.255.255.240

the DM_INLINE_NETWORK_5 object-group network
network-object HprCnc Thesys 255.255.255.0
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-object

the DM_INLINE_NETWORK_3 object-group network
ring52-network 255.255.255.0 network-object
network-object HprCnc Thesys 255.255.255.0
ring53-network 255.255.255.0 network-object

outside-interface of the access-list extended permitted Outside_5_cryptomap ip host object-group DM_INLINE_NETWORK_3
inside_nat_outbound list extended access allowed inside-network ip, 255.255.255.0 DM_INLINE_NETWORK_5 object-group
permit access list extended ip host 173.162.149.72 Outside_nat0_outbound aus_asx_uat 255.255.255.0

NAT (inside) 0 access-list sheep
NAT (inside) 101-list of access inside_nat_outbound
NAT (inside) 101 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access Outside_nat0_outbound

card crypto VPN 5 corresponds to the address Outside_5_cryptomap
card crypto VPN 5 set pfs Group1
VPN 5 set peer D.D.D.D crypto card
VPN 5 value transform-set VPN crypto card
tunnel-group D.D.D.D type ipsec-l2l
IPSec-attributes tunnel-Group D.D.D.D
pre-shared key *.

=========================================================

FWb:

name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name 10.51.100.0 ring51-network
name 10.54.100.0 ring54-network

interface Vlan1
nameif inside
security-level 100
address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP D.D.D.D 255.255.255.240
!
interface Vlan52
prior to interface Vlan1
nameif inside2
security-level 100
IP 10.52.100.10 255.255.255.0

the DM_INLINE_NETWORK_3 object-group network
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-object

the DM_INLINE_NETWORK_2 object-group network
ring52-network 255.255.255.0 network-object
object-network 192.168.20.0 255.255.255.0
ring53-network 255.255.255.0 network-object

inside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 host S.S.S.S
inside2_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_3 S.S.S.S ip host

outside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_2 S.S.S.S ip host

NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
inside2_nat0_outbound (inside2) NAT 0 access list
NAT (inside2) 1 0.0.0.0 0.0.0.0

Route inside2 network ring51 255.255.255.0 10.52.100.1 1
Route inside2 network ring53 255.255.255.0 10.52.100.1 1
Route inside2 network ring54 255.255.255.0 10.52.100.1 1

card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
outside_map game 1 card crypto peer S.S.S.S
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside

tunnel-group S.S.S.S type ipsec-l2l
IPSec-attributes tunnel-group S.S.S.S
pre-shared key *.

=========================================================================
I'm Tournai on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never return to FWa.

Ping Successul FWa inside the interface on FWb

FWa # ping 192.168.20.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.1, time-out is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.1 ID = 32068 seq = 23510 len = 72
! ICMP echo reply to 192.168.20.1 in outside-interface ID = 32068 seq = 23510 len = 72
....

FWb #.
Echo ICMP of S.S.S.S to 192.168.20.1 ID request = 32068 seq = 23510 len = 72
ICMP echo reply 192.168.20.1 S.S.S.S ID = 32068 seq = 23510 len = 72
==============================================================================
Successful ping of Fwa on a host connected to the inside interface on FWb

FWa # ping 192.168.20.15
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.15, wait time is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.15 ID = seq 50862 = 18608 len = 72
! ICMP echo reply to 192.168.20.15 in outside-interface ID = seq 50862 = 18608 len = 72
...

FWb #.
Inside outside:S.S.S.S ICMP echo request: 192.168.20.15 ID = seq 50862 = 18608 len = 72
ICMP echo reply to Interior: 192.168.20.15 outside:S.S.S.S ID = seq 50862 = 18608 len = 72

===========================
Unsuccessful ping of FWa to inside2 on FWb interface

FWa # ping 10.52.100.10
Send 5, echoes ICMP 100 bytes to 10.52.100.10, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
? Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
...

FWb #.
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
....

==================================================================================

Unsuccessful ping of Fwa to a host of related UI inside2 on FWb

FWa # ping 10.52.100.1
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.52.100.1, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.1 ID = 11842 seq = 15799 len = 72

FWb #.
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72

=======================

Thank you

Hi odelaporte2,

Is very probably the "access management" command is not applied in the second inside, only inside primary (see the race management) which will confirm.

This command can be applied to an interface at a time, for example, if the law is now applied to the inside, it can not be applied to the inside2 at the same time.

It may be useful

-Randy-

Tags: Cisco Security

Similar Questions

  • ASA 5505 and ASA 5510 Site to Site VPN Tunnel cannot be established

    Hi all experts

    We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?

    I got error syslog 713902 and 713903, how to fix?

    I got the following, when I type "sh crypto isakmp his."

    Type: user role: initiator

    Generate a new key: no State: MM_WAIT_MSG2

    Hugo

    Hello

    This State is reached when the policies of the phase 1 do not correspond to the two ends.

    Please confirm that you have the same settings of phase 1 on both sides with the following commands:

    See the isakmp crypto race

    See the race ikev1 crypto

    Also make sure that port UDP 500 and 4500 are open for communication between your device and the remote peer.

    Finally, make sure you have a route suitable for the remote VPN endpoint device.

    Hope that helps.

    Kind regards

    Dinesh Moudgil

  • Using the same set processing on several site to site VPN tunnels

    Hi all. I have a rather strange situation about site-to-site VPN tunnel.

    On the one hand, I have a PIX 501 and on the other end an ASA5505 and a tunnel set up between them.

    The problem is that on the side of the PIX, I can't establish a tunnel, but when the traffic starts on the side of the ASA the tunnel established as usual.

    I checked the configurations on both ends and keys, passwords, mirror that LCD seems OK. The only thing that comes to my attention, it's that I have the same set of transformation used for 2 different tunnel on the side of PIX.

    Can I use the same set of transformation on several tunnels or should I set a different transformation for each tunnel? Could be the source of the problem?

    Use it on PIX

    card crypto set pfs group2

    Or on ASA, use:

    card crypto set pfs Group1

  • SA520w routing through site-to-site VPN tunnels

    I have several offices that are connected using site-to-site VPN tunnels and all will use the SA520W (firmware 2.1.18). I currently have 3 routers in place, router tunnels created for the router B and c of router. I need assistance with the configuration to allow the guests to router site B get to the router site C. I have attempted to add a static route, but get a destination unreachable host trying to ping. Also, if I connect to the router site has via the Cisco VPN client, I'm not able to get resources on each site, B, or C.

    A - the site 10.10.0.0/24

    Site B - 10.0.0.0/24

    Site of the C - 10.25.0.0/24

    Any help is greatly appreciated.

    So, that's what you have configured correctly?

    RTR_A

    ||

    _____________ || ___________

    ||                                            ||

    RTR_B                                RTR_C

    Since there is no tunnel between B and C there is no way for us past that traffic through RTR_A for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it's okay to IPSec?) of rtr_a ==> rtr_b. You can't just add a statement of road because your addresses are not routable which is the reason why it fails.

    Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but you should get what you need.

    I hope this helps.

  • Keep Site to Site VPN Tunnel active for monitoring

    Hi all

    I have a configured site-to-site VPN tunnel only happen when the traffic generated from the remote peer. is it possible to keep the still active tunnel once after the tunnel is established.

    My requirement is to monitor VPN to see availability, so need to ping one of the natd(8) ip on the remote end, but it will come only when the traffic generated end peer.  currently the timers of default on SA is configured

    Help, please...

    Thank you

    Mikael

    TARGET_GP group policy attributes

    VPN-idle-timeout no

  • SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

    Hi all.

    I really need help on this one.

    The office 1 installer running SBS2008 Office 2 running Server 2008.

    Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

    Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

    Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

    Each firm has its own DNS server and acts as a domain controller

    How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

    Is it so simple that the addition of another pool internal IP for each DNS server?

    Thanks in advance for your help.

    Hello

    Your Question is beyond the scope of this community.

    I suggest that repost you your question in the Forums of SBS.

    https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

    "Windows Small Business Server 2011 Essentials online help"

    https://msdn.Microsoft.com/en-us/library/home-client.aspx

    TechNet Server forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    See you soon.

  • After that stright connected to iSCSI (initiator) Host cannot ping the server iSCSI (target), but the target can, why?

    After that host on vSHere 4.0 strightly connected to iSCSI (initiator) host cannot ping the server iSCSI (target), but target can.  And iSCSI works well. I mean I can create and use the iSCSI disk, why? It makes me confused.

    Thank you!

    Geoarge,

    iSCSI traffic uses a VMkernel port, instead of using the command 'ping', use 'vmkping '.

    André

  • Cannot ping the Virtual Machine by host

    Hi all,

    Please help, I use VMWare Workstation 6.5 and I have a physical operating system which is Windows XP SP2, I have a network card, but not connected to a physical switch, the IP address is 192.168.0.1. I installed a Virtual Machine using Microsoft Windows 2003 server as the operating system, promote as domain controller, install the DHCP, DNS service and assign an IP 192.168.0.2, no default gateway.

    My VMnet1 on physical operating system has an IP 192.168.204.1 and VMNet8 has an IP 192.168.126.1.

    The host, I cannot ping the 192.168.0.2 which is the IP address of the Virtual Machine. Even in the Virtual Machine, I can not ping 192.168.0.1 is the IP address of the host. From what I read, the physical and the virtual machine were connected with a virtual switch. Am I wrong?

    Any advice?

    Thanks in advance.

    They SEEM to be in different networks, you need search routing between them,... since they differnet networks...

    on the other

    they do host and the virtual machine on the same subnet / network for EXAMPLE: class C class network 192.168.200.0/24

    granting of points if my answer was helpful... Thank you > > > > > > > >

    concerning

    Joe

  • Error - because of unidentified problem, Windows cannot display the firewall settings

    Original title: Firewall Windows are not accessible to stop?

    Recently installed MSE.  Now, I can't launch Samsung Allshare to view files on the Samsung TV.  Firewall Windows is not accessible to stop temporarily so that Allshare can run.  All that is shown is "Because of problem not identified, Windows cannot display the firewall settings."  It seems that MSE has hidden and I can't determine how to communicate with them without going through the process of uninstalling and re-installing.

    Hello

    1 Windows operating system you are using?

    2. when exactly you get the error message?

    Important: this section, method, or task contains steps that tell you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs.

    For more information about how to back up the registry, see the link:

    Back up the registry

    http://support.Microsoft.com/kb/322756

    See the article and check if that helps:

    You cannot start the Windows Firewall service in Windows XP SP2

    http://support.Microsoft.com/kb/920074

    If the problem is not resolved, please provide more information to help you best.

  • "An undentified problem, windows cannot display the firewall settings" during a turn on the firewall.

    Original title:

    Windows firewall error desabaled

    I have windows xp - help mechanic iolo - my firewall is deactivated automatically - when I click on activate up to a mistake pop [there was a firewall of windows activation error] and then I click on the top of the pop - windows firewall - Open button error [due to an undentified problem, windows cannot display the firewall settings].

    my firewall won't come to help me.

    Hello
    1. You did changes to the computer before the show?
    2. What service pack is installed on the computer?
    Method 1:
    You can run the fixit from following link and check the issue:
    Diagnose and automatically fix problems of Windows Firewall service
    Method 2:
    Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs.

    For more information about how to back up the registry, see the link:

    Back up the registry

    http://support.Microsoft.com/kb/322756

    See the article and check if that helps:

    You cannot start the Windows Firewall service in Windows XP SP2

    http://support.Microsoft.com/kb/920074

    Let us know if it helps!

  • Removed the Trojan.Dropper.PE4 and now windows cannot display the firewall settings.

    XP SP3.  MalwareBytes removed Trojan.Dropper.PE4 today.  Now, "due to an unidentified problem, windows cannot display the firewall settings".  I've also scanned with SuperAntiSyware and Spybot.  Also, when I open Windows Explorer, Control Panel, etc. the display settings have changed.  Help, please.

    Hello
    Try the sequence of steps 1 and 2 in this virus/malware removal guide: http://www.selectrealsecurity.com/malware-removal-guide
    It provides simple instructions on how to remove malware from a computer. If you have any questions, just ask. I hope this helps you.
    Brian

  • When I try to turn on the Windows Firewall, I get a sign message that says "Due to a problem not identified, Windows cannot display the firewall settings."

    When I try to turn on the Windows Firewall, I get a sign message that says "Due to a problem not identified, Windows cannot display the firewall settings."

    I found another thread in Microsoft Answers relating to this problem, but who said to go into Services and see if the firewall is configured to automatically start.  However, I can't find a Windows Firewall item in the Services Menu.

    I have the PC Tools Spyware Doctor antivirus.

    I had to do a complete recovery system... which sets just need to make sure that you back up your files.

  • Windows cannot start the firewall service.

    Original title: my firewall stopped working and it won't let me turn it back on.

    My computer has alerted my that my firewall was off this morning. The alert came with the possibility to reactivate after having used the option of tis, another box emerged stating that it cannot be turned on again and try to activate it manually. I tried to turn it on manually and it still doesn't work. He is said to be the first "Windows Firewall settings cannot be displayed because the associated service is not running. You want to start the Windows Firewall Service? "after you press 'Yes', it says"Windows cannot start the firewall service. No error message is given. Any ideas?

    Hey, bed,.

    File system (CFS) auditor scan and see if it finds a breach of integrity. If so, System File Checker will try to replace missing or damaged files.

    Information available at:

     

    How to use the System File Checker tool to fix the system files missing or corrupted on Windows Vista or Windows 7

    http://support.Microsoft.com/kb/929833

    Kind regards

    Shinmila H - Microsoft Support

    Visit our Microsoft answers feedback Forum and let us know what you think.

  • VPN Site-to-Site - cannot ping the router's internal IP address

    Hi guys,.

    I configured a VPN site-to site between two routers, everything works well except ping the internal (LAN) IP of a router.

    Everything works fine: ping the hosts through the tunnel in both feel.

    Routers that I use:

    -IOS 1841: M3 15.0 (1)

    -2811 IOS: 15.0 (1) M5-> here is the problem. I can't ping the inside interface of the router.

    I checked its ipsec counters and it seems that it does not send packets through the tunnel when I ping from the LAN interface.

    #pkts program is not incrementing.

    Anyone had this problem before?

    Thank you very much.

    Best regards

    I think that happens because when the router responds to icmp request he gets is outside interface IP (not the IP Address of the inside interface, wich you are trying to ping) as the source of a package. If icmp-response does not go in the tunnel, because the IP address in the router's external interface is not included in the crypto-acl.

    Solution to this, if it's correct guess, is to add the router's external IP to the crypto-acl.

  • cannot ping remote ip on ASA no firewall (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

    some help me

    (Q) ping remote ip unable on ASA is not Firewall not on pc (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

    Note - I can ping PC but not the same subnet ip on ASA2 L3

    PC---> > ASA1 - ASA2<>

    Hi Matt,

    Let me answer your question in two points:

    • You cannot ping an ASA on another interface other than the one where you are connected to the ASA of.

    For example, ASA1 and ASA2 are connected through their interfaces 'outside '. ASA1 (or any other device on the external interface) can not ping/access ASA2 on his (ASA2) within the interface. The only time wherever this can be substituted is a tunnel VPN with the command "access management" configured for other interface, for example management-access inside

    • Traffic ASA1 ping to a remote client behind ASA2 won't over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward traffic based on its routing table that probably this way through its 'outside' interface Except that traffic is allowed with the ASA2 (using the ACL), it will fail.

    We can do on the routers of sourcing our ping to another interface, but it will not work on the SAA.

Maybe you are looking for

  • Restart the Ipad Mini 4?

    How to restart Ipad Mini 4? After an accident?

  • I lost my taskbar with file, Edition, bookmarks, etc.. How can I get that back?

    I have lost the tools/taskbar toolbar that says file, Edition, bookmarks, etc., which is usually at the top of the screen.  How can I get that back?

  • Question about refurbished Aspire V5-122P-0889

    I have a refurbished Aspire V5-122P-0889 having only a 30 day warranty when I got it.  I received it via the eMachines class action floppy drive.  Everything good with the computer and it works fine.  In fact, I actually upgraded to a Samsung 840 250

  • Want 5530: the printer does not

    Printing problems.  Cannot print from Word (Office 10) or PDF.  Worked fine purchased months ago just, but no luck.  I can copy, I can scan e-mail so certainly know it communicates with the computer.  I'm on a wireless router.  Printer status report

  • All print roses

    Have a Deskjet HP832C printer (around 2000, but works very well, normally used to print in grayscale or black and white only). Tried to print some pictures multicolored, and just kept pink print. Changed the color cartridge.  Always pink printing.  S