When I connect the server directly behind the router, I can ping the other
host (10.13.2.19) but when connected behind the ASA, I cannot. When I
initiated a ping request, I got hit counts on both the access-list of the ASA
and the router but I will run deb icmp trace on the ASA tomorrow and report
my findings.
Thank you.
On Sun, Oct 2, 2011 at 7:14 AM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
> If this works when you put the server directly behind the router (with the
> same IP address) the issue must be related to the ASA. That's why I wanted
> to know how you test it. Can you elaborate more on what your test procedure is?
> Also try to run 'deb icmp trace' on the ASA to see what's happening.
>
> Regards,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2011/10/1 Solomon Awosina <solomonawosina_at_gmail.com>
>
>> Yes, ICMP is allowed.
>>
>>
>> On Sat, Oct 1, 2011 at 9:31 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Can you tell me how you are verifying it? Is it ICMP traffic between
>>> servers or what?
>>>
>>> Regards,
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, Security), CCSI #33705
>>> Technical Instructor
>>> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
>>> blog: www.ccie1.com
>>>
>>> If you can't explain it simply, you don't understand it well enough -
>>> Albert Einstein
>>>
>>>
>>> 2011/10/1 Solomon Awosina <solomonawosina_at_gmail.com>
>>>
>>>> > Dear Expert,
>>>> >
>>>> > I have an issue on my network with which I require your help.
>>>> >
>>>> > I have a server (192.168.1.29) that needs to connect to another host
>>>> > (10.13.2.19) over the internet through a VPN, but it is not connecting.
>>>> >
>>>> > My Architecture
>>>> >
>>>> > My Server is connected behind a Cisco ASA, which is connected to a Cisco
>>>> > Router. It is on the router that the VPN is set up.
>>>> >
>>>> > My_Server(192.168.1.29) ==> Cisco ASA(192.168.1.17) ==> Cisco Router(192.168.1.46)
>>>> >     <=== internet ===> Cisco ASA(196.200.119.100) ==> Other_host(10.13.2.19)
>>>> >
>>>> > If I put my server behind the Cisco Router, I connect successfully, like this:
>>>> >
>>>> > My_Server(192.168.1.40) ==> Cisco Router(192.168.1.46)
>>>> >     <=== internet ===> Cisco ASA(196.200.119.100) ==> Other_host(10.13.2.19)
>>>> >
>>>> > Below are my configs:
>>>> >
>>>> > *Cisco ASA*
>>>> >
>>>> > ASA Version 7.0(7)
>>>> > !
>>>> >
>>>> > !
>>>> > interface Ethernet0/0
>>>> > nameif outside
>>>> > security-level 0
>>>> > ip address 192.168.1.33 255.255.255.240
>>>> > !
>>>> > interface Ethernet0/1
>>>> > nameif inside
>>>> > security-level 100
>>>> > ip address 172.16.1.1 255.255.255.0
>>>> > !
>>>> > interface Ethernet0/2
>>>> > nameif dmz1
>>>> > security-level 60
>>>> > ip address 192.168.1.17 255.255.255.240
>>>> >
>>>> >
>>>> > access-list outside_in extended permit icmp any any echo-reply
>>>> > access-list outside_in extended permit ip host 10.13.2.19 host
>>>> > 192.168.1.40
>>>> > access-list dmz1_in extended permit ip host 192.168.1.29 any
>>>> >
>>>> > static (dmz1,outside) 192.168.1.40 192.168.1.29 netmask 255.255.255.255
>>>> > access-group outside_in in interface outside
>>>> > access-group dmz1_in in interface dmz1
>>>> > route outside 0.0.0.0 0.0.0.0 192.168.1.46
>>>> >
>>>> >
>>>> > *Cisco ROUTER*
>>>> >
>>>> > crypto isakmp policy 9
>>>> > encr aes 256
>>>> > authentication pre-share
>>>> > group 2
>>>> >
>>>> > crypto isakmp key XXXXXXXXXXXXX address 196.200.119.100
>>>> > !
>>>> > crypto ipsec security-association lifetime seconds 86400
>>>> > !
>>>> > crypto ipsec transform-set CLICKATELL esp-aes 256 esp-sha-hmac
>>>> > !
>>>> > crypto map CLICK 9 ipsec-isakmp
>>>> > set peer 196.200.119.100
>>>> > set transform-set CLICKATELL
>>>> > match address 198
>>>> > !
>>>> > interface GigabitEthernet0/0
>>>> > description VGC Internet WAN link
>>>> > ip address 41.220.72.126 255.255.255.248
>>>> > ip nbar protocol-discovery
>>>> > ip nat outside
>>>> > ip virtual-reassembly
>>>> > duplex auto
>>>> > speed auto
>>>> > crypto map CLICK
>>>> > !
>>>> > interface GigabitEthernet0/1
>>>> > description 21CTL Internet WAN link
>>>> > ip address 80.248.9.142 255.255.255.128
>>>> > ip nat outside
>>>> > ip virtual-reassembly
>>>> > duplex auto
>>>> > speed auto
>>>> > !
>>>> > interface FastEthernet0/0/0
>>>> > description LAN Interface
>>>> > switchport access vlan 10
>>>> > !
>>>> > interface Vlan10
>>>> > description LAN
>>>> > ip address 192.168.1.46 255.255.255.240
>>>> > ip verify unicast source reachable-via rx
>>>> > ip nat inside
>>>> > ip virtual-reassembly
>>>> > !
>>>> > ip route 10.13.2.19 255.255.255.255 41.220.72.121
>>>> > ip route 196.200.119.100 255.255.255.255 41.220.72.121
>>>> > !
>>>> > access-list 110 deny ip host 192.168.1.40 host 10.13.2.19
>>>> > access-list 110 permit ip host 192.168.1.40 any
>>>> > access-list 198 permit ip host 192.168.1.40 host 10.13.2.19
>>>> >
>>>> >
>>>> >
>>>> > WHAT AM I MISSING?
>>>> >
>>>> > Kindly assist.
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
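As an added example, not from anyone in this thread: a small Python model that walks Solomon's ping through the ASA policy as posted, using the two ACLs and the static transcribed from the config above. First-match and the trailing implicit deny are standard ASA ACL semantics; the untranslated pass-through for a host with no static, and the packet dictionaries themselves, are my assumptions, and the model covers only the ASA's ACL/NAT decision, not the router or the VPN.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol, "icmp" only ICMP
    src: str               # "any" or an address/prefix
    dst: str
    icmp_type: str = ""    # e.g. "echo-reply"; empty means any ICMP type

def addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def ace_match(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ace.icmp_type and ace.icmp_type != pkt.get("icmp_type"):
        return False
    return addr_match(ace.src, pkt["src"]) and addr_match(ace.dst, pkt["dst"])

def acl_decision(acl: list, pkt: dict) -> str:
    """First matching ACE wins; every ASA ACL ends with an implicit deny."""
    for ace in acl:
        if ace_match(ace, pkt):
            return ace.action
    return "deny"

# ACLs and static transcribed from the ASA config posted in the thread.
OUTSIDE_IN = [
    # Broad ACE: without 'inspect icmp' the ASA does not track ICMP statefully,
    # so echo-replies have to be allowed in explicitly.
    Ace("permit", "icmp", "any", "any", "echo-reply"),
    Ace("permit", "ip", "10.13.2.19/32", "192.168.1.40/32"),
]
DMZ1_IN = [Ace("permit", "ip", "192.168.1.29/32", "any")]
STATIC = {"192.168.1.29": "192.168.1.40"}  # static (dmz1,outside) 192.168.1.40 192.168.1.29

def walk_ping(server: str, target: str) -> dict:
    """Walk an echo request from dmz1 and its reply from outside through the policy."""
    req = {"proto": "icmp", "icmp_type": "echo", "src": server, "dst": target}
    mapped = STATIC.get(server, server)  # assumption: no static -> passes untranslated
    reply = {"proto": "icmp", "icmp_type": "echo-reply", "src": target, "dst": mapped}
    return {"request": acl_decision(DMZ1_IN, req), "mapped_src": mapped,
            "reply": acl_decision(OUTSIDE_IN, reply)}

def walk_inbound(src: str, proto: str = "tcp") -> str:
    """Unsolicited traffic from outside towards the server's mapped address."""
    return acl_decision(OUTSIDE_IN, {"proto": proto, "src": src, "dst": STATIC["192.168.1.29"]})
```

Running `walk_ping("192.168.1.29", "10.13.2.19")` shows the request permitted on dmz1_in, the source mapped to 192.168.1.40 and the echo-reply permitted on outside_in, which is consistent with the hit counts reported above; what the model cannot see (xlate creation, routing, ARP for the mapped address) is what `deb icmp trace` on the ASA would show.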
Received on Mon Oct 03 2011 - 10:14:21 ART
This archive was generated by hypermail 2.2.0 : Tue Nov 15 2011 - 13:10:29 ART