Cisco :: After Tunnel Is Established Can't Ping Anything On Other Side
Jan 20, 2013
i successfully established site to site with 2 two ASA 5010. The problem is that traffic on not passing, This is current setup:1) Left side : only 1 private network 3) Right side : 1 private network, management network, 2 DMZ networks with public IP, On right ASA some netting is setup so servers in DMZ can be reached from private network. The goal would be that VPN client on left side can reach all resources on the right side (except management network, Just to get things going tunnel is built with only left and right private networks, but after tunnel is established i can't ping anything on other side.
I have now the sa`s stablished between SRP527w and cisco 857, but If i ping from a host of Cisco side to a host of SRP side I get only rx traffic on the tunnel, the stats keep tx at 0 and ping is not answered.My tunnel is to send some voice call into IPSEC tunnel keeping DSCP bits, It comunicate SRP voice vlan with Cisco lan.
I have on SRP 2 vlans: 1 Vlan for data on ports 1,2 and 4 1 voice vlan on ports 1,2,3,4.
I connect a netbook to port 3 and I can connect to internet but I cant reach by ping the other side of the tunnel?Maybe traffic from voice vlan is being natted with data vlan ip address?I need all traffic must go into the tunnel without being natted, on cisco side I have a policy to avoid nat but don know if SRP have any problem about it too.All gateways are ok ?
I have two 5510's that I am trying to get a tunnel established. One has an exsistinig tunnel to a 5505 that works but I cant get the next one to get past the first phase. I have sanitized the attached configs
I was hoping that the latest firmware would fix my (2) 'bugs', but it did not. We are using the RV042s at our remote medical clinics as an end-point VPN router to our Nortel 1700 VPN router, replacing our old Nortel Contivity 100s.When I try and do a reset when connected remotely via the WAN interface, the RV042 hangs and will only reset by re-powering.
I'm having some problems getting an ipsec tunnel established between a cisco 887VA router and a cisco srp527w router.I am working from a few text books and some example materials. I have worked through many combinations of what I have got and am still struggling a little bit.I look at debug results and it appears as though the policies do not match between the devices:
Jul 23 05:44:37.759: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_NO_STATE broute1# Jul 23 05:44:57.079: ISAKMP:(0):purging SA., sa=85247558, delme=85247558 broute1# Jul 23 05:45:17.031: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA
Some specific questions:
1) on the SRP in the example's I have used (and I have a few SRP->SRP VPN's that work) I see you need to enter the preshared key, I'm not seeing in the examples I have used anything about the IKE preshared key on the IOS box. Any examples where you use the preshared key for IKE? I wonder if this is my primary issue as it states clearly in the log that there is no Preshared key :|
2) I have used a mish mash of names between the various sections as on the SRP the naming convention isnt the same; ie: which parts of the IPSEC negotiation come from the IKE policy section and which from the IPSEC policy section. Do the names really matter across different ends of the VPN?
3) I notice when I perform this command in the(config-crypto-map)#:
set peer FQDN
It is converted to:
set peer XXX.XXX.XXX.XXX
Is this expected? I want the device to look at the FQDN as this particular host is using DDNS and not use a static IP address.
We try to establish a Site-To-Site- IP Sec- connection between a Cisco 876 (local site) and a Check Point-firewall (remote site). The Cisco 876 is not directly connected to the internet, but is behind a DSL- Router with port-forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with commands "debug crypto isakmp" and "debug crypto ipsec".
From the Checkpoint-firewall point of view the connection seems to establish, but there is no ping answer.
The server on the local site that should be reached from the network behind the Checkpoint-firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see also appended running config for naming of ip- addresses). Establishing a Cisco VPN- Client connection to the same Cisco 876 router works fine.
I have an ASA 5505 with Base license and a vpn client. The scenario is like this: LAN -- ASA 5505 -- ISP DSL Router---( Internet ) -- Home DSL Router --- LAN -- VPN CLient, The ISP DSL Router gets a public IP address and the ASA gets a private IP address (ISP DSL router doing NAT) and I cant reach the internet with no problem from the LAN´s ASA side but I cant make the vpn tunnel connection from the LAN´s Home side so I told the provider to bridge the ISP DSL Router, to the ASA so the ASA could get the public IP but in order to do that the provider told me to do MAC clonning on the ASA 5505 which I did putting the ISP DSL Router MAC on the ASA. Now the ASA gets the public IP on the outside vlan by DHCP but when I try to make the VPN tunnel I just cannt. I can reach the public IP by ping on the ASA and I can see the pings coming in using debug but I just cant make the vpn client work.
I have recently bought two 1800 cisco routers and have tried to connect them over wan serial link, but I am having problems when trying to access resources on the other side. I am a newbie to cisco and I wonder if the problem is with the configuration or the new routers or the serial link between the sites. Below is the show-running config results I have done on both routers; I can ping the serial interfaces from both sides and remotely, but I can't ping hosts or FE from other side.
I would like to allow PING on RV042 from WAN side only from specific IP address, but when I set the rule, RV042 does not respond on WAN side, because Block WAN Request is Enabled.BUT! When I disable "Block WAN Requests", now any IP can ping my router from WAN side. Although I set access rule to Deny Ping from WAN side to anyone, it still responds.
On the Linksys E4200, the Internet wired connection side, I gave static IP address which is in the same network range as that of LAP2.When tried to ping from LAP1 to LAP2, ping doesnot happen. Any settings by which I can ping from LAP1 to LAP2.
I am just setting up a simple scenario with a 1841. Server @ 172.31.1.1 cannot ping 172.31.0.254 or 172.31.0.105. It can ping 172.31.1.250. The router can, on the other hand, ping devices on both networks. This is just for testing routing theory so I don't know why hosts on either side of the network cannot ping each other.
I am only using the FastEthernet interfaces on Router 1841.
i configured cisco asa 5520 as cisco ezvpn server and cisco 891 as ezvpn client .the configurtion is working fine.i am using client mode on the ezvpn client side.but my quesion is , is it possible to communicate to ezvpn client side internal ip from the ezvpn server side?and one more thing what is the benefit of network extension mode on the client side and how it will work what are possible changes need to do in the server and the client side.
I'm trying to setup an ASA and a UC540 side by side, to utilize the ASA for data networking and the UC540 for voice. This 'should' work fine, I just seem to be having an issue where the ASA seems to be blocking traffic from the voice network as it passes through.So here is the LAN setup:ASA: 18.104.22.168UC540: 22.214.171.124The UC has a voice vlan 10.1.1.1/24 and a service module at 10.1.10.1/30My PC uses the ASA as its default gateway, 126.96.36.199The ASA then has static routes to the UC networksRoute 10.1.1.1/24 188.8.131.52Route 10.1.10.1/30 184.108.40.206Ping from PC to the UC networks works fine. However, ping from the UC networks to PC fails. ASA logs show traffic being denied due to not having an established connection or something.My guess is that the traffic is being blocked because the egress and ingress paths are different? Traffic from the PC goes to the ASA, then gets routed to the UC and it works. However in the other direction, traffic from the UC is going directly to the PC and bypassing the ASA, because its a directly connected network and doesn't have to route through the ASA to get to the PC. The reply traffic from the PC DOES go through the ASA following its route table, thus the issue of the ASA not seeing the established connection?Same-security inter and intra interface is enabled.So I think I see the issue, I just don't know how to fix it. Is there something I can configure on the ASA to allow for this? My only other option would be to configure a /30 on a new vlan to handle the routing between the UC and ASA or something, but that seems like its going to make this simple setup way too complicated with extra networks, vlans, trunks, etc.I am running ASA version 8.4.5?
My E1500 enters a state where the LAN-side (broadcast, etc.) works, but the WAN-side (internet connection) just goes away. If I go unplug and replug the E1500 the internet connectivity comes back.When this happens, the wireless indicator on my desktop (Dell with Intel wifi) says I have an internet connection, but I clearly don't.
I had a pix that had two working tunnels going to one 5510 and one 5520. Today the VPN tunnel to our 5520 stopped working but if I do sh cry isa sa both tunnels have QM_IDLE as the state. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the pix side.
I have a IPSec tunnel that is working in one direction. Below is the router config from the side that can connect to the other side perfectly. I believe the issue is with this router as while I was waiting on delivery for the ASA I had an SRP527W sitting in it's place and had exactly the same problem.On one side I have a 887VA router and the other an ASA5505.The network behind the 887VA can access the remote site perfectly, backup services are traversing the link as are web interfaces for applications. In the other direction I can ping hosts but cannot connect. What else is interesting is if from the remote site I attempt to connect to a particular device that performs a port redirect the remote site browser gets so far as being redirected to port 5000 but then hangs.
I am seeing some very generic packet drop debug notices on the 887va on the NAT-ACL access list but I think this is as it should be as it is dropping the tunnel traffic from the NAT'ing.The config for the router is here, I will post the ASA config when I get to the other site shortly but I am convinced the issues is on this device, all the crypto configurations match.I have looked at the MTU's on each side, the path MTU on both sides is 1492. The asa does say the media MTU is 1500 but I believe that is the ADSL link so shouldnt matter?I even went so far as installing CCP and testing the VPN. It says the tunnel is up. It did state a failure:A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets. [code]
I am in a test environment using an ASA 55005 and a Cisoc 2611xm router. ASA is running version 8.4 and router is running is ios12.4. My VPN tunnel comes up but I am unable to ping between remote hosts. I used the ASDM and SDM for the configuration. Attached is a copy of both configs.
I have a RVS4000 at one location and a second RVS4000 at home. I have established an IPSec VPN tunnel between them and it is UP. I can ping the routers from each end no problem. I can ping the IPs listed in the "Local Group Setup" and the "Remote Group Setup" from both ends no problem. I can even open up a shared resource from a Win 7 machine (e.g. by typing \10.10.10.100 in start-run from a computer on my home network).
But - i can't ping anything else on one network from the other. What gives? I need to access a 10.10.10.101 machine but can't even ping it.
- both RVS4000 boxes have latest firmware (V220.127.116.11) - home RVS4000 setup with IP 10.10.11.1 - home network has a server with IP 10.10.11.20 - other location RVS4000 setup with IP 10.10.10.1 - other location server setup with IP 10.10.10.100
Tunnel settings on home RVS4000 (the other location properly mirror these). - Local Security Gateway Type : IP Only - Local Security Group Type : Subnet [code]....
I have an GRE Tunnel across my head office and remote site with multiple subnets using cisco 1841 routers.I can ping most of the devices on the remote side, but I can not ping certain devices.These devices respond to ping requests on the local LAN, but not through the WAN link. If I change the IP of device than it start responding. I am using same gateway and mask on these devices.The remote site is running classic STP on switches with distribution switch being the root bridge.
I have recently purchased a E4200 i have flashed it with the latest Firmware 1.0.03 and Hard Reset the Router so the Media issue was resolved i was having. After upgrading the firmware to the latest version my Nortel VPN IPSEC Client no longer will work. The tunnel is connected and it passes traffic for about 15 seconds then nothing. The connection remains connected but no traffic passes cant ping across tunnel. I have checked all the settings and VPN - IPSEC - Passthru is enabled. I have put the client in DMZ mode and tried that same thing.
i have my Cisco E4200 set up with a 6rd tunnel. the tunnel seems to work fine for the most part. i can ping ipv6.google.com and get a response.however, i cannot ping the addresses of the IPv6 Tunnel ends from within my network. If i run a ping from outside the network, i can ping the IPv6 address of the server end, however, i cannot ping the E4200's end of the tunnel. is there a specific option that needs to be set? i have allowed ping so that my IPv4 address is pingable, am i missing something for IPv6?
I've 3 Cisco 800 series routers and I needed to configure site-to-site vpn tunnel from branch2 to the main office(branch 1 VPN was already configured and working). I've managed to get the tunnel up and everything seemed OK as sh cry isa sa,sh cry session and sh cry ipsec sa didn't seem to have any problems.
Although the tunnel is up, I cannot ping PC-s on either side of the vpn tunnel.
Using Cisco IOS 12.x+ on a router.How would create an ACL that will only allow access to a port from the inside only after it has been established. i.e. similar to port triggering? Inside host 10.1.1.60 needs to use port 61200 for bit torrent. Dont want the port to be visible as open to the global net accept when the host 10.1.1.60 establishes the connection first.That way a port doesnt have to be left open 24-7.
how its possible that even when I turn off wifi on the laptop and even disconnect the modem that when I type netstat into CMD that there is still one or two TCP ESTABLISHED connections? I have waited as long as an hour and there are still established connections even though I am not connected to my internet. if I shut down the computer and reload it again with the router unplugged there will be either no connections or maybe one TIME WAIT connection for one or two IPs. but as soon as I reconnect to the internet then disconnect, the same thing happens where there are established connections to the laptop even though I am not connected to the internet.I use ccleaner to remove all cookies between sessions.
I have the netgear wndr4500 setup on my home theater shelves which are located in the corner of the room. When using my ASus G74sx with the Atheros 9002 wifi I consistently get disconnected. The wifi connection is lost and needs to be re-established.
Interestingly, when I am using the laptop downstairs the disconnects never happen. I have pored over my router's settings, updated to the latest firmware, as well as installed the latest drivers on the laptop. I also tried setting the router to short preamble and changing the channels to 11and automatic.
I have one ASA5520 with version 8.4(3), and a few ACL rules defined. One ACL is permit traffic from one interface(EXT_SERVICE) to another interface(DMZ_SERVICE), if i change that rule to deny traffic, all new connections that match the rule is denied, but no the established connectios. ¿Why the established connections can pass the deny rule? ¿How I can change that? I need create a ACL with deny type and stop all comunications that is running and match the deny rule.
Running-config of my ASA5520:
ciscoasa# show run : Saved : ASA Version 8.4(3) ! hostname ciscoasa enable password 8ay2wjIyt7RRXU24 encrypted passwd 2wFQnbNIdI.2KYtU encrypted names ! interface GigabitEthernet0/0 [Code] ........
I have four ACE 4710. Each pair of ACE is in one geographical location. Probes are configured so that it is checking regular regex (HTTP GET).When there is need rserver update we change text in our testpage.html (for ie. from "OK" to "SUSPEND" ) so that probe detect fail. In fact rservers are still operational, but should not accept new connections. This works fine. BUT I observed that established connection/sessions did not end up after probe fails. ACE probably wait for openned/established connections to end up and it is what I am askign for.What happens if probe fails but in fact rserver is operational? I thought that if probe fails it also end up/cut all established connections to rserver. But seems it is not true.