Bring up a VPN Tunnel?

lon21 Member Posts: 201
Guys, is it possible to initiate a VPN tunnel by pinging an inside loopback address?

Comments

  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Yes it is. I do it all the time.

    Edit: If you are using two loopbacks, remember that each router needs to know how to get to each loopback (if they aren't directly connected). I put in static routes that look something like this:

    ip route 192.168.1.1 255.255.255.255 172.16.31.1

    Or if you are using a routing protocol, just advertise them accordingly. Now one thing that I found out (very quickly) doing a project involving ASAs and Routers is that you cannot source a ping on an ASA like you can on a Router so you will need to have something on the other side of the ASA if you are setting up a tunnel. Pretty lame. If it is between two routers you should have no problems. If it doesn't work, post your configs and I'll try to help you out.

    HTH
  • lon21 Member Posts: 201
    Yes it is. I do it all the time.

    Edit: If you are using two loopbacks, remember that each router needs to know how to get to each loopback (if they aren't directly connected). I put in static routes that look something like this:

    ip route 192.168.1.1 255.255.255.255 172.16.31.1

    Or if you are using a routing protocol, just advertise them accordingly. Now one thing that I found out (very quickly) doing a project involving ASAs and Routers is that you cannot source a ping on an ASA like you can on a Router so you will need to have something on the other side of the ASA if you are setting up a tunnel. Pretty lame. If it is between two routers you should have no problems. If it doesn't work, post your configs and I'll try to help you out.

    HTH

    Thanks, I'll give it a go. Instead of routers I'm using two ASA 5505s.

    When you say source the ping, do you mean you can't find the ASA from outside? I found this problem, I just put in an access list. Then I thought maybe this was not wise.

    Also, is it possible to put in the ssh cmd "ssh 89.1.1.1.1 255.255.255.255" but instead of an IP address use a hostname? I would like to ssh into the ASA from outside but I have a dynamic IP address.

    Thanks.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    How did I know you were going to say that lol. I have a love-hate thing going on with ASAs right now lol. No, that's not what I mean. On a router you can do ping 192.68.1.1 source (an IP address on the router). You cannot do that on an ASA. I don't mean the thing about ICMP responses, although you should really only allow path discovery and maybe echo replies as far as ICMP is concerned.

    If you want to be able to ssh from the outside (assuming you have set up the keys and told it to use something for authentication and assuming you are using 8.2 or above) you would do something like ssh 0 0 outside. This would allow any ip address to ssh from the outside. Of course this isn't the best idea and if you know exactly what ip you want to allow ssh access to, I would only allow that.
  • apr911 Member Posts: 380
    Hey Bl8ckr0uter,

    Have you tried

    ping <interface> destination

    You can source your ping from one of the interfaces on the firewall that way.

    You could also try entering into config mode and throwing one of the interfaces into management-access mode.

    You can then do all sorts of things on the firewall as if that interface were a host.
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I was told it doesn't do that. From what the senior engineer here told me ping interface destination tells the router to look to that interface to find that ip address. So if I did ping inside 8.8.8.8 it would try to look out the inside interface to find a route to that ip address (which it never would). I tried that about 150 times and it matched what happened for me. That being said, I am now curious because thinking back on it, I may have had icmp turned off at that time. I could have been doing it wrong but I did confirm it with a few people.
    When I was googling before I found this article too:
    https://supportforums.cisco.com/thread/2004250

    Take a look at the 9th response.

    Now management access I didn't try at all. I'll have to take a look at both of those things later.
  • tim100 Member Posts: 162
    I was told it doesn't do that. From what the senior engineer here told me ping interface destination tells the router to look to that interface to find that ip address.

    Not true. If you do "ping inside x.x.x.x" on the ASA and x.x.x.x is an IP that matches the interesting traffic ACL for the VPN it will bring up the VPN tunnel. "ping (interface) x.x.x.x" sources the ping from that interface. You need to configure "management access inside". If you configure "management access inside" on both ASAs in an L2L VPN implementation and do "debug crypto isakmp 255" and then do a "ping inside x.x.x.x" where x.x.x.x is the inside interface IP of the other ASA you will see the tunnel come up and your ping will be successful.
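    Putting tim100's procedure (and Bl8ckr0uter's advice above about restricting SSH) into one ASA configuration, as an added example that is not from the thread: the addresses, ACL and map names, the SSH source address and the PSK placeholder are all constructed, and the syntax is the 8.2-era crypto isakmp / crypto map form the thread assumes (8.4 and later use crypto ikev1). ASA-B mirrors this with the subnets and peer swapped.

```cisco
! Constructed topology (not from the thread):
!   ASA-A: inside 192.168.1.1/24, outside 203.0.113.1
!   ASA-B: inside 192.168.2.1/24, outside 203.0.113.2

! Interesting traffic: the /24s include both ASAs' inside interface IPs,
! so a ping between those two IPs matches the crypto ACL.
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Exempt the tunnel traffic from NAT (8.2 syntax)
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Phase 1 (IKE)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_PSK

! Phase 2 (IPsec)
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! Let the inside interface act as a host across the tunnel (needed on both ASAs)
management-access inside

! Allow remote SSH only from one known address rather than "ssh 0 0 outside"
ssh 198.51.100.10 255.255.255.255 outside

! Bring the tunnel up from the firewall itself and watch IKE negotiate
debug crypto isakmp 255
ping inside 192.168.2.1
show crypto isakmp sa
show crypto ipsec sa
no debug crypto isakmp
```

    The ping sourced from inside matches VPN_TRAFFIC and triggers the negotiation; if the isakmp SA never reaches MM_ACTIVE, compare the policy, PSK and crypto ACL on the two sides first.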