9.1 ASA 2 drops PING (icmp codes 0 & 8)

Hello

Im trying to ping DMZ on ASA to interface to the host from the INSIDE and vice versa. It does not work :( Trying to debug icmp however the icmp packet did not even touch the DMZ interface for the particular host. Doing so with packet - trace ASA displays all results under ALLOW. We could explain to me how to allow a host placed in X interface for PING Y interface itself?

Thank you very much in advance!

NB.

The result of packet - trace is attached. What I'm trying to do, it's to ping interface DMZ (192.168.200.1) of the host from the INSIDE (192.168.100.10).

Works as expected. The ASA does not support the rattling a foreign address. If your ping-host is located inside the interface, you can only ping the inside IP, if your ping-host is located in the demilitarized zone, you only can ping the DMZ IP. The ASA handles differently then a router.

The only exception is with the 'management-access XXX' command when the ping goes through a tunnel.

Tags: Cisco Security

Similar Questions

Echo of Ping ICMP blackBerry Smartphones

I'm working on a Nextel 8350i with v4.6.1.313 (Platform 3.1.0.31), not renovated. The plan is on a data unlimited and direct connect, but no cell phone service (incoming and outgoing calls are blocked).

The problem I have called with a 3rd party TMW D2 Link program, this program uses GPS to track the phone/driver (it's a program of shipping for the trucking industry), sends 'pages' on phones of drivers on this program (using data), allows drivers to send messages and to the entrance of their time, again using the data. The program ceased to receive a signal, from what I can tell. Internet works fine on the phone, but I know that something is wrong because no matter what I can not do the program to get a signal and it worked before, for several months. I did a diagnostic test, and everything went well except the ICMP Ping echo, which came as 'no '. I don't know exactly what is this... but since I did a bit of research, it seems to do with sending a signal to 3rd party applications? Am that I on the right track here? I have no idea how to solve this problem.

Here is a list of what I did on the phone:

Reset the Radio (several times)

Diagnostic test (one under manage connections) & under status and still the only thing that 'failed', was the echo Ping ICMP message, and Yes test diagnoses were able to complement every time

Battery pull (several times after trying things)

Extraction of SIM card

Software update (I don't check the previous edition of software, that I just plugged it in Blackberry Desktop Manager and he came to say that she needed an update)

TMW D2 app update latest version

I am very close to wiping the phone and reinstalling the OS, but I'm not sure it will work because it doesn't seem to be a software problem... I am not opposed to if anyone thinks it will work.

Any help is appreciated. I'll watch this site throughout the day, so I should respond quickly if you need more information. Thank you!

Just in case anyone else with Nextel Berry and TMW has this problem with D2 is no longer go in D2, go to the option Admin, go to the option erase data and go ahead and wipe. For some reason I'm going to only have this problem with the Berrys Nextel, but that seems to fix the problem. I don't know why. Forms must update and re-download themselves but if they do not go to the installation and the menu and save some success and it sort of "force" to download, it's worked every time so if it doesn't work for you I don't know what else to do the removal program and re - download.

I have not yet found someone, even with Sprint, who knows about Ping Echo... or if it's even a question. Most people don't know what it is if anyone of you learn something about Ping Echo please let me know... I will update this post as well if I learned something.

ASA 5540 - cannot ping inside the interface

Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.

In the ASDM, I see messages like this:

ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.

This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.

interface Vlanx

IP x.x.x.x 255.255.255.0

IP broadcast directed to 199

IP accounting output-packets

IP pim sparse - dense mode

route IP cache flow

load-interval 30

Has anyone experiences the problem like this before? Thanks in advance for any help.

Can you post the output of the following on the ASA:-

display the route

And the output of your base layer diverter: -.

show ip route<>

HTH >

Cisco ASA 5515 - Anyconnect users can connect to ASA, but cannot ping inside the local IP address

Hello!

I have a 5515 ASA with the configuration below. I have configure the ASA as remote access with anyconnect VPN server, now my problem is that I can connect but I can not ping.

ASA Version 9.1 (1)

!

ASA host name

domain xxx.xx

names of

local pool VPN_CLIENT_POOL 192.168.12.1 - 192.168.12.254 255.255.255.0 IP mask

!

interface GigabitEthernet0/0

nameif inside

security-level 100

192.168.11.1 IP address 255.255.255.0

!

interface GigabitEthernet0/1

Description Interface_to_VPN

nameif outside

security-level 0

IP 111.222.333.444 255.255.255.240

!

interface GigabitEthernet0/2

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/4

Shutdown

No nameif

no level of security

no ip address

!

interface GigabitEthernet0/5

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

management only

nameif management

security-level 100

192.168.5.1 IP address 255.255.255.0

!

passive FTP mode

DNS server-group DefaultDNS

www.ww domain name

permit same-security-traffic intra-interface

the object of the LAN network

subnet 192.168.11.0 255.255.255.0

LAN description

network of the SSLVPN_POOL object

255.255.255.0 subnet 192.168.12.0

VPN_CLIENT_ACL list standard access allowed 192.168.11.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

management of MTU 1500

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 711.bin

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (exterior, Interior) static source SSLVPN_POOL SSLVPN_POOL static destination LAN LAN

Route outside 0.0.0.0 0.0.0.0 111.222.333.443 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

WebVPN

list of URLS no

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

AAA authentication http LOCAL console

LOCAL AAA authorization exec

Enable http server

http 192.168.5.0 255.255.255.0 management

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec pmtu aging infinite - the security association

Crypto ca trustpoint ASDM_TrustPoint5

Terminal registration

E-mail [email protected] / * /

name of the object CN = ASA

address-IP 111.222.333.444

Configure CRL

Crypto ca trustpoint ASDM_TrustPoint6

Terminal registration

domain name full vpn.domain.com

E-mail [email protected] / * /

name of the object CN = vpn.domain.com

address-IP 111.222.333.444

pair of keys sslvpn

Configure CRL

trustpool crypto ca policy

string encryption ca ASDM_TrustPoint6 certificates

Telnet timeout 5

SSH 192.168.11.0 255.255.255.0 inside

SSH timeout 30

Console timeout 0

No ipv6-vpn-addr-assign aaa

no local ipv6-vpn-addr-assign

192.168.5.2 management - dhcpd addresses 192.168.5.254

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

SSL-trust outside ASDM_TrustPoint6 point

WebVPN

allow outside

CSD image disk0:/csd_3.5.2008-k9.pkg

AnyConnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1

AnyConnect enable

tunnel-group-list activate

attributes of Group Policy DfltGrpPolicy

Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client

internal VPN_CLIENT_POLICY group policy

VPN_CLIENT_POLICY group policy attributes

WINS server no

value of server DNS 192.168.11.198

VPN - 5 concurrent connections

VPN-session-timeout 480

client ssl-VPN-tunnel-Protocol

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPN_CLIENT_ACL

myComp.local value by default-field

the address value VPN_CLIENT_POOL pools

WebVPN

activate AnyConnect ssl dtls

AnyConnect Dungeon-Installer installed

AnyConnect ssl keepalive 20

time to generate a new key 30 AnyConnect ssl

AnyConnect ssl generate a new method ssl key

AnyConnect client of dpd-interval 30

dpd-interval gateway AnyConnect 30

AnyConnect dtls lzs compression

AnyConnect modules value vpngina

value of customization DfltCustomization

internal IT_POLICY group policy

IT_POLICY group policy attributes

WINS server no

value of server DNS 192.168.11.198

VPN - connections 3

VPN-session-timeout 120

Protocol-tunnel-VPN-client ssl clientless ssl

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPN_CLIENT_ACL

field default value societe.com

the address value VPN_CLIENT_POOL pools

WebVPN

activate AnyConnect ssl dtls

AnyConnect Dungeon-Installer installed

AnyConnect ssl keepalive 20

AnyConnect dtls lzs compression

value of customization DfltCustomization

username vpnuser password PA$ encrypted $WORD

vpnuser username attributes

VPN-group-policy VPN_CLIENT_POLICY

type of remote access service

Username vpnuser2 password PA$ encrypted $W

username vpnuser2 attributes

type of remote access service

username admin password ADMINPA$ $ encrypted privilege 15

VPN Tunnel-group type remote access

General-attributes of VPN Tunnel-group

address VPN_CLIENT_POOL pool

Group Policy - by default-VPN_CLIENT_POLICY

VPN Tunnel-group webvpn-attributes

the aaa authentication certificate

enable VPN_to_R group-alias

type tunnel-group IT_PROFILE remote access

attributes global-tunnel-group IT_PROFILE

address VPN_CLIENT_POOL pool

Group Policy - by default-IT_POLICY

tunnel-group IT_PROFILE webvpn-attributes

the aaa authentication certificate

enable IT Group-alias

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

inspect the icmp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

: end

Help me please! Thank you!

Hello

Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.

Thank you

swap

ASA 5505 VPN Ping problems

Hi all

First of all, I apologize if this is something that I can google. My knowledge of the administration of the network is all self-taught, so if there is a guide that I missed please point me in the right direction, it is often difficult to Google the terms for troubleshooting when your jargon is not the height.

The main problem is that when ping devices internal when you are connected to the results are very inconsistent.

Ping 192.168.15.102 with 32 bytes of data:

Reply from 192.168.15.102: bytes = 32 time = 112ms TTL = 128

Request timed out.

Request timed out.

Request timed out.

We have implemented an IPSec VPN connection to a remote Cisco ASA 5505. There is no connection problems, connection seems constant, etc. good packages. At this stage, I can only assume I have configuration problems, but I was watching this while if long and pair with my inexperience configuration of these settings I have no idea where to start. My first impressions are that LAN devices I'm ping do not send their response back or the ASA does not know how to route packets back?

Here is a dump of the configuration:

Output of the command: "show config".

: Saved

: Written by enable_15 to the 12:40:06.114 CDT MON Sep 9 2013

!

ASA Version 8.2 (5)

!

hostname VPN_Test

activate the encrypted password of D37rIydCZ/bnf1uj

2KFQnbNIdI.2KYOU encrypted passwd

names of

192.168.15.0 - internal network name

DDNS update method DDNS_Update

DDNS both

maximum interval 0 4 0 0

!

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

Description VLAN internal guests

nameif inside

security-level 100

DDNS update hostname 0.0.0.0

DDNS update DDNS_Update

DHCP client updated dns server time

192.168.15.1 IP address 255.255.255.0

!

interface Vlan2

Description of VLAN external to the internet

nameif outside

security-level 0

address IP xx.xx.xx.xx 255.255.255.248

!

passive FTP mode

clock timezone CST - 6

clock to summer time recurring CDT

DNS server-group DefaultDNS

Server name 216.221.96.37

Name-Server 8.8.8.8

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

DM_INLINE_TCP_1 tcp service object-group

port-object eq www

EQ object of the https port

outside_access_in list extended access permit icmp any one

outside_access_in list extended access deny interface icmp outside interface inside

access extensive list ip 192.168.15.192 outside_access_in allow 255.255.255.192 all

Remote_splitTunnelAcl list standard allowed internal-network access 255.255.255.0

inside_nat0_outbound list extended access allowed internal-network ip, 255.255.255.0 192.168.15.192 255.255.255.192

Note to inside_access_in to access list blocking Internet traffic

access extensive list ip 192.168.15.192 inside_access_in allow 255.255.255.192 all

Note to inside_access_in to access list blocking Internet traffic

inside_access_in extended access list allow interface ip inside the interface inside

inside_access_in list of allowed ip extended access all 192.168.15.192 255.255.255.192

Note to inside_access_in to access list blocking Internet traffic

access extensive list ip 192.168.15.192 inside_nat0_outbound_1 allow 255.255.255.192 all

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

mask 192.168.15.200 - 192.168.15.250 255.255.255.0 IP local pool VPN_IP_Pool

inside_access_ipv6_in list of access allowed IPv6 interface ip inside the interface inside

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow any inside

ICMP allow any response of echo outdoors

ICMP allow all outside

don't allow no asdm history

ARP timeout 14400

NAT-control

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access

NAT (inside) 1 192.168.15.192 255.255.255.192

NAT (inside) 1 0.0.0.0 0.0.0.0

inside_access_in access to the interface inside group

inside_access_ipv6_in access to the interface inside group

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

Enable http server

http 192.168.1.0 255.255.255.0 inside

255.255.255.0 inside internal network http

http yy.yy.yy.yy 255.255.255.255 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Sysopt connection timewait

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

management-access inside

dhcpd outside auto_config

!

dhcpd address 192.168.15.200 - 192.168.15.250 inside

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

NTP server 192.168.15.101 source inside

prefer NTP server 192.168.15.100 source inside

WebVPN

internal remote group strategy

Group remote attributes policy

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list Remote_splitTunnelAcl

username StockUser encrypted password privilege 0 t6a0Nv8HUfWtUdKz

username StockUser attributes

Strategy-Group-VPN remote

tunnel-group type remote access remotely

tunnel-group remote General attributes

address pool VPN_IP_Pool

Group Policy - by default-remote control

tunnel-group remote ipsec-attributes

pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

inspect the icmp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3

Hi Graham,

My first question is do you have a site to site VPN and VPN remote access client.

After checking your configuration, I see you don't have any Site to SIte VPN configuration, so I'm assuming you ara facing issue with the VPN client.

And if I understand you are able to connect VPN client, but you not able to access internal resources properly.

I recommend tey and make the following changes.

First remove the following configuration:

NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access

NAT (inside) 1 192.168.15.192 255.255.255.192

You don't need the 1st one and I do not understand the reason for the second

Second, one is your pool IP subnet (192.168.15.200 - 192.168.15.250) and I don't know why you added this NAT.

If possible change your subnet pool all together because we do not recommend to use th ip POOL that is similar to your local network.

Try the changes described above and let me know in case if you have any problem.

Thank you

Jeet Kumar

Interfaces (ASA 5520) cant ping

Hello

I recently implemented a configuration of active failover / standby with 2 secondary interfaces configured on my interface of g0/0 (g0/0.1 and g0/0.2) for some reason I can't an of these my ping test server (when the server is on the network and subnet to test the interface)? I'm not sure what continues... I've included a print out of my current configuration of the interface and failover. The test server is connected to a switch of 2724 Dell and the interfaces are in question.

interface GigabitEthernet0/0

No nameif

security-level 0

no ip address

!

interface GigabitEthernet0/0.1

VLAN 10

nameif Outside1

security-level 0

IP address 66.38.x.x 255.255.x.x Eve 66.38.x.x

!

interface GigabitEthernet0/0.2

VLAN 20

nameif Outside2

security-level 0

IP address 64.187.x.x 255.255.x.x Eve 64.187.x.x

!

interface GigabitEthernet0/1

nameif DMZ

security-level 100

IP address 255.255.x.x 10.10.x.x ensures 10.10.x.x

!

interface GigabitEthernet0/2

nameif private

security-level 40

IP address 255.255.x.x 192.168.x.x ensures 192.168.x.x

!

interface GigabitEthernet0/3

STATE/LAN failover Interface Description

!

interface Management0/0

STATE failover Interface Description

No nameif

security-level 100

IP address 192.168.x.x 255.255.x.x

!

clock timezone IS - 5

clock to summer time EDT recurring

pager lines 24

Enable logging

monitor debug logging

asdm of logging of information

MTU 1500 Outside1

MTU 1500 Outside2

MTU 1500 DMZ

MTU 1500 private

failover

primary failover lan unit

local failover FoInt GigabitEthernet0/3 network interface

failover replication http

link failover FoInt GigabitEthernet0/3

failover interface ip FoInt 192.168.x.x 255.255.x.x Eve 192.168.x.x

the interface of the monitor Outside1

the interface of the monitor Outside2

Thank you

Chris

Hi Chris,

Your config subinterface is fine, except that you will probably need to affect the level of safety that is different between them unless you have already planned for this.

Normally, it is on the side of the switch that must be configured accordingly. The link of the trunk between the firewall and the switch use the encapsulation DOT1Q (IEEE). I don't know if he Dell support. Make sure that the trunk permits some Vlan you assigned to the firewall secondary interfaces.

http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a008054c515.html#wp1051819

To be able to ping to the interface, make sure that you allow the firewall to allow/permit icmp to hit the interface using the command "icmp", for example "icmp allow any Outside2."

BTW, what is the gateway for your server? Is it subinterface ASA (function vlan) or IP VLAN on the switch?

http://www.Cisco.com/en/us/partner/products/ps6120/products_command_reference_chapter09186a00805fba52.html#wp1615091

Other, you must apply normal static ACL, NAT firewall and so on.

Rgds,

AK

How execure the command ping (ICMP ECHO_REQUEST)

Hello

I am trying to execure the ping (http://developer.blackberry.com/native/reference/core/com.qnx.doc.neutrino.utilities/topic/p/ping.ht,... , through QProcess, without success. The code output is - 2, not 0, so a kind of error occurs.

If I ssh to Z10 (10.3.1), I get the following:
```
$ ping

sh: ping: cannot execute - Permission denied
```
So my question is, we are allowed to use the ping command? If so, how? I should add that ifconfig responds very well.

It is not available for third party applications. As mentioned above, this list is a copy of the documentation for QNX Neutrino. Currently these docs don't list what commands are available on BlackBerry 10, however, is something that is on the roadmap for our documentation team.

Rookie of the ASA 5505 - cannot ping remote site or vice versa

Hi, I am trying configure an ipsec to an ASA 5505 (8.4) for a Sophos UTM (9.2)

Internet, etc. is in place and accessible. IPSec tunnel is also but I can't pass the traffic through it.

I get this message in the logs:

August 5, 2014

22:38:52

81.111.111.156

82.222.222.38

Refuse the Protocol entering 50 CBC outdoor: 81.111.111.156 outside dst: 82.222.222.38

SITE has (ASA 5505) = 82.222.222.38
SITE B (UTM 9) = 81.111.111.156

Pointers would be good because it's the first time I tried this. Thank you.

Running config below:

ciscoasa hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
Description Internet Zen
nameif outside
security-level 0
Customer vpdn group PPPoE Zen
82.222.222.38 255.255.255.255 IP address pppoe setroute
!
boot system Disk0: / asa922 - k8.bin
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
Name-Server 8.8.8.8
network obj_any object
subnet 0.0.0.0 0.0.0.0
the object of MY - LAN network
subnet 192.168.1.0 255.255.255.0
the object of THIER-LAN network
192.168.30.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.30.0_24 object
192.168.30.0 subnet 255.255.255.0
network of the THIER_VPN object
Home 81.111.111.156
THIER VPN description
service of the Sophos_Admin object
Service tcp destination eq 4444
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-protocol esp
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-protocol esp
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-protocol esp
object-group service DM_INLINE_SERVICE_1
ICMP service object
area of service-object udp destination eq
service-object, object Sophos_Admin
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
ESP service object
object-group service DM_INLINE_SERVICE_2
ICMP service object
service-object, object Sophos_Admin
ESP service object
response to echo icmp service object
object-group service DM_INLINE_SERVICE_3
the purpose of the ip service
ESP service object
response to echo icmp service object
object-group service DM_INLINE_SERVICE_4
service-object, object Sophos_Admin
the purpose of the echo icmp message service
response to echo icmp service object
outside_cryptomap list extended access allow object-group DM_INLINE_PROTOCOL_3 MY - LAN LAN THIER object object
outside_cryptomap_1 list extended access allow object-group DM_INLINE_PROTOCOL_2 MY - LAN LAN THIER object object
inside_cryptomap list extended access allow THIER-LAN MY - LAN object object DM_INLINE_PROTOCOL_1 object-group
outside_access_out list extended access allowed object-group DM_INLINE_SERVICE_3 object THIER_VPN host 82.222.222.38
outside_access_out list extended access allow DM_INLINE_SERVICE_1 of object-group a
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 object THIER_VPN host 82.222.222.38
inside_access_out list extended access allow object-group DM_INLINE_SERVICE_4 MY - LAN LAN THIER object object
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 722.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
Access-group interface inside inside_access_out
Access-group outside_access_in in interface outside
Access-group outside_access_out outside interface
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 81.111.111.156
card crypto outside_map 1 set transform-set ESP-AES-128-SHA ikev1
outside_map map 1 set ikev2 proposal ipsec crypto AES
card crypto outside_map 2 match address outside_cryptomap_1
card crypto outside_map 2 set pfs
peer set card crypto outside_map 2 81.111.111.156
card crypto outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 2 set AES AES192 AES256 3DES ipsec-proposal ikev2
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2
FRP sha
second life 7800
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 7800
Telnet timeout 5
SSH enable ibou
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 30
SSH version 2
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPDN group Zen request dialout pppoe
VPDN group Zen localname [email protected] / * /
VPDN group Zen ppp authentication chap
VPDN username [email protected] / * / password * local store

dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
enable dynamic filters updater-customer
use of data Dynamics-based filters
smart filters enable external interface
interface of blacklist of decline in dynamic filters outside
WebVPN
AnyConnect essentials
internal GroupPolicy_81.111.111.156 group strategy
attributes of Group Policy GroupPolicy_81.111.111.156
Ikev1 VPN-tunnel-Protocol
JsE9Hv42G/zRUcG4 admin password user name encrypted privilege 15
username bob lTKS32e90Yo5l2L password / encrypted
tunnel-group 81.111.111.156 type ipsec-l2l
tunnel-group 81.111.111.156 General-attributes
Group - default policy - GroupPolicy_81.111.111.156
IPSec-attributes tunnel-group 81.111.111.156
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the dns dynamic-filter-snoop preset_dns_map
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
HPM topN enable
Cryptochecksum:9430c8a44d330d2b55f981274599a67e
: end
ciscoasa #.

Hello

Watching your sh crypto ipsec output... I can see packets are getting wrapped... average packets out of the peer 88.222.222.38 network and I do not see the package back from the site of the UTM 81.111.111.156 at the ASA... This means that the UTM Firewall either don't know the package or not able to get the return package... Exchange of routing is there... but you need to check LAN to another counterpart of site...

Please check the card encryption (it must match on both ends), NAT (exemption should be there @ both ends) and referral to the ends of the LAN...

I suggest you try with the crypto wthout specific port card... say source LAN to LAN with any port destination...

allow cryptomap to access extended list ip

Concerning

Knockaert

Concerning

Knockaert

Installation of ASA EasyVPN - cannot ping loopback on router CME

Hello

I don't know if it is a problem of firewall or something on my router, so I thought I would start here. I have an ASA 5505 at home that I use as a client for the purpose of connecting a Cisco IP phone to a CME No. 2851 router EasyVPN. At the office, I have an ASA 5510, which acts as the EasyVPN server. The CME router loopback address is 10.1.254.254, and the router's ethernet interfaces are 10.2.100.50 and 10.1.100.1. The customer EasyVPN receives an address 192.168.100.1 the EasyVPN server.

In my house, if I connect a computer to my ASA 5505 VPN is based and I can ping all my hosts interns (at the office), and I can ping both interfaces of the router. If I try to ping the router loopback address I get nothing. If I start the router and work my way to the EasyVPN (ASA 5510) Server I can ping the loopback address of the router to the power switch and then the ASA5510. I think it's a problem of firewall because of the capture, I install both inside the ASA interfaces:

If I ping 10.2.100.50 or 10.1.100.1, I see the echo and echo on the ASA5505 responses, and I see them on the ASA5510 - successfully running through the VPN tunnel.

If I ping 10.1.254.254, I see the echo to the ASA5505 request, but I don't see anything on the ASA5510.

I checked my nat_exemption on the ASA5510 and I have an entry like this:

nat_exemption list of allowed ip extended access any 192.168.100.0 255.255.255.128

I can provide more if necessary configs, but anybody have any ideas where I'm wrong?

Thanks in advance,

Brandon

Brandon,

I would like to start showing us "crypto ipsec to show its" on your home 5505.

Then the station we would need:

--------

See the establishment of performance-crypto

See running nat setting

See the global race

See the static race

See the tunnel-group race

---------

Ideally I would allow newspapers on informqtional level on headboard and ASA local.

Run the ping command and check:

-------

Show logg. I have 10.1.254.254

-------

We are looking for connections being built or any "deny" messages.

Marcin

ASA VPN cannot ping ip local pool

Hello

We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...

Thanks in advance

Keith

Hi Keith,

I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)

Can you add "same-security-traffic intra-interface permits" and try again?

Federico.

The CSS for my drop-Spry has code missing. How can I fix it?

I moved the spry by copy and paste CSS code to my own STYLE sheet external and made some adjustments. I'm putting anything in the same area as the vertical menu. I can not put articles on the same ground as the menu. I tried to place images and text of absolute positioning, using the pixels, creation of containers and thing that I could think of. Nothing has worked. My footer will not be convinced that the lower part of the menu s not the bottom of the page. ! I decided to start from scratch. The CSS for the Spry drop down vertical menu is now empty. How can I fix my DreamWeaver? Then I need solve the problem with the menu

Spry menus unsuitable for modern Web sites.

Switch to the pure HTML/CSS or JQuery menus

Here is an example of a pure CSS menu with an indicator of page continuing to remind the visitor what page they are on

«"" "Homepage: cards by Karen: handmade greeting cards»»»"

View the HTML soource and see the CSS on its own stylesheet here

www.kardsbykaren.us/kknav.CSS

Cisco ASA 5520 cannot ping between VPN Tunnels

I have the main site and sites A and B. A to connect to the hand and B connects to the main. I can ping from A hand and has for main. I can ping from main to B and B to main. However, I can not ping from A to B. A and B are sonicwall 2040 and main is a 5520. The question should not be with the 5520 none allowing traffic between the two VPN Tunnels, but I can't understand why it does not work. Can someone give an idea on that? Thanks in advance.

Hello

I see that you use ASDM. Always makes my eyes bleed when I need to look at the DM_INLINE of named objects and try to make sense the CLI format

Seems to me that there are problems with the NAT.

If you don't mind a small break between the main Site and remote locations, I'd say changing some follows the NAT configuration

Remove old

no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 non-proxy-arp-search of route static destination

no nat source (indoor, outdoor) public static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 non-proxy-arp-search of route static destination

Add a new

object-group network NETWORK-2790

object-network 10.217.0.0 255.255.255.0

object-network 10.217.1.0 255.255.255.0

object-group network NETWORK-3820

object-network 10.216.0.0 255.255.255.0

object-network 10.216.1.0 255.255.255.0

object-group network NETWORK-COLO

object-net 10.8.0.0 255.255.255.0

destination of NETWORK of NETWORK-2790-2790 static NAT (outside, outside) static source NETWORK - 3820 - 3820

NAT static destination of NETWORK of NETWORK-COLO-COLO (indoor, outdoor) static source NETWORK - 2790 - 2790

NAT static destination of NETWORK of NETWORK-COLO-COLO (indoor, outdoor) static source NETWORK - 3820 - 3820

The first new line of configuring NAT manages the NAT0 configuration for traffic between SiteA and SiteB. The following configurations of NAT 2 manage the NAT0 for traffic between the main Site - hand Site SiteA - SiteB

-Jouni

block icmp never work on ASA 8.6

Hi all

I tried to put this on my ACL

extended access list 1 outside_access_in line deny icmp no echo

and write on the flash.

but still I can ping my ip address. my version of the SAA is 8.6.

Thanks for any comments, that you can add.

The access list more access-group apply to traffic with the ASA, not realized with the SAA itself. To block the icmp to the ASA use rather a icmp deny ... statement.

-Jim Leinweber, WI State Lab of hygiene

Impossible to ping anyconnect Client IP de ASA

Hello world

I can't connect to cisco anyconenct fine no problem.

When connected I ping the SAA in interface and other subnets that are behind the ASA inside the interface from the PC connected through the VPN.

My only problem is that of ASA, I cannot ping IP of 10.0.0.5.

ASA1 # sh anyconnect vpn-sessiondb

Session type: AnyConnect

User name: anyconnect_user index: 54

Assigned IP: 10.0.0.5 Public IP address: 192.168.98.2

Protocol: AnyConnect-Parent-Tunnel SSL DTLS-Tunnel
License: AnyConnect Essentials
Encryption: AnyConnect-Parent: (1) no SSL Tunnel: (1) AES128 DTLS-Tunnel: (1) AES128
Hash: AnyConnect-Parent: (1) no SSL Tunnel: (1) SHA1 DTLS-Tunnel: SHA1 (1)
TX Bytes: 12318 bytes Rx: 73502
Group Policy: anyconnect_group
Tunnel of Group: anyconnect_connection_profile
Connect time: 23:21:28 MST Friday, March 7, 2014
Duration: 0 h: 34 m: 33 s
Inactivity: 0 h: 00 m: 00s
Result of the NAC: unknown
Map VLANS: VLAN n/a: no

I ping the switch connected to ASA inside interface

ASA1 # ping 10.0.0.2

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.0.0.2, time-out is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = ms 04/01/10

I can ping from the ASA inside interface

ASA1 # ping 10.0.0.1 - ASA inside interface

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.0.0.1, time-out is 2 seconds:

!!!!!

Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1 # ping 10.0.0.5

Type to abort escape sequence.

Send 5, echoes ICMP 100 bytes to 10.0.0.5, time-out is 2 seconds:

?????

Success rate is 0% (0/5)

ASA1 #.

Journal of the shows

March 7, 2014 23:00:52: % ASA-6-302020: built outgoing ICMP connection for 10.0.0.5/0(LOCAL\anyconnect_user faddr) gaddr laddr 192.168.1.171/1168 192.168.1.171/1168

March 7, 2014 23:01:02: % ASA-6-302021: connection of disassembly ICMP for faddr 10.0.0.5/0(LOCAL\anyconnect_user) gaddr laddr 192.168.1.171/1168 192.168.1.171/1168

Where IP 192.168.1.171 is ASA outside interface

Concerning

MAhesh

Hello Manu,

Have you tried to ping the network interior? Or the package from inside the source interface of the ASA? Remember, you should have some rules exemption nat for packets going through the VPN connection. That's how specify us which networks are allowed to join the VPN clients. If you ping without specify any interface the packet is going to come from the external interface, and probably this interface/subnet is not allowed through the VPN connection. Using split tunnel or tunnelall?

You can try to activate the management of access to the inside interface and the ping from the inside. These packages should hit the exemption nat rule and will be sent through the tunnel instead of the Internet.

These are the necessary commands:

To specify an interface as an interface of management only, enter the following command:
```
 hostname(config)# management access inside
```
Then, you could do an inside 10.0.0.5 ping to ping the ASA AnyConnect client.

Notes on the access management command:

If your VPN tunnel ends on an interface, but you want to manage the ASA by accessing a different interface, you can identify this interface as an interface for management access. For example, if you enter the ASA of the external interface, this feature allows you to connect inside the interface by using ASDM, SSH, Telnet or SNMP. or you can test inside the interface at the entrance to the external interface. Management is accessible by the following VPN tunnels types: client IPsec, the client AnyConnect SSL VPN and IPsec LAN-to-LAN.

Hope this helps,

Luis

Site to site between ASA 8.2 VPN, cannot ping

Two 8.2 ASA is configured with a VPN tunnel from site to site, as shown in the diagram:

Here is my setup for both.

Clients on the inside network to the ASA cannot ping inside, network clients, else the ASA. Why not?

When the rattling from inside network SALMONARM inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

...

Each attempt to ping responds with "Request timed out" on the computer of ping.

Why clients cannot mutually ping on the VPN tunnel?

Hello

Create a NAT0 ACL at both ends.

ex: 10.30.0.0 ip access-list extended SHEEP 255.255.0.0 allow 10.45.0.0 255.255.0.0

NAT (inside) 0 access-list SHEEP

THX

Edit: at the beginning, I mentioned ACL #, it may not work.

9.1 ASA 2 drops PING (icmp codes 0 &amp; 8)

Similar Questions

Maybe you are looking for

9.1 ASA 2 drops PING (icmp codes 0 & 8)