Cannot ping ASA remote on an L2L

I have an ASA5520, and about 10 of 5505. Site running all at the Sites. The tunnels are in place and everything worked fine. Well on the side room, I cannot ping the ASA remote, but I can ping all devices behind it. On the remote side I ping the 5520 and everything else on my network I encouraged. When I look at the newspaper of the ASDM on the 5520, that there is no evidence related to the ping for the 5505. I don't see where it blocks the ICMP on the 5505. It just says:

"6 August 14, 2008 05:40:49 302020 10.0.3.69 192.168.1.101 built outgoing ICMP connection for faddr gaddr laddr 192.168.1.101/0 192.168.1.101/0 10.0.3.69/512.

and

"6 August 14, 2008 05:40:49 302021 10.0.3.69 192.168.1.101 connection disassembly ICMP for faddr gaddr laddr 192.168.1.101/0 192.168.1.101/0 10.0.3.69/512.

It is a normal traffic for a S2S I guess. While I am trying to get this to work I have it configured,.

ICMP allow any inside

"ICMP allow all outside.

Any suggestions?

If you try to ping inside the interface through the tunnel, try to add...

management-access inside

Tags: Cisco Security

Similar Questions

cannot ping between remote vpn site?

vpn l2l site A, site B is extension vpn network, connect to the same vpn device 5510 to the central office and work well. I can ping from central office for two remote sites, but I cannot ping between these two vpn sites? Tried to debug icmp, I can see the icmp side did reach central office but then disappeared! do not send B next? Help, please...

permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
!
object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0
!
extended OUTSIDE allowed a whole icmp access list
HOLT-VPN-ACL extended access-list allow ip object-CBO-NET object group SITE-a.
!
destination SITE-a NAT (outside, outside) static source SITE - a static SITE to SITE-B-B
!
address for correspondence card crypto VPN-card 50 HOLT-VPN-ACL
card crypto VPN-card 50 peers set *. *.56.250
card crypto VPN-card 50 set transform-set AES-256-SHA ikev1
VPN-card interface card crypto outside
!
internal strategy group to DISTANCE-NETEXTENSION
Remote CONTROL-NETEXTENSION group policy attributes
value of DNS server *. *. *. *
VPN-idle-timeout no
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value REMOTE-NET2
value by default-field *.org
allow to NEM
!
remote access of type tunnel-group to DISTANCE-NETEXTENSION
Global DISTANCE-NETEXTENSION-attributes tunnel-group
authentication-server-group (inside) LOCAL
Group Policy - by default-remote CONTROL-NETEXTENSION
IPSec-attributes tunnel-group to DISTANCE-NETEXTENSION
IKEv1 pre-shared-key *.
tunnel-group *. *.56.250 type ipsec-l2l
tunnel-group *. *.56.250 ipsec-attributes
IKEv1 pre-shared-key *.
!

!

ASA - 5510 # display route. include the 192.168.42
S 192.168.42.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA - 5510 # display route. include the 192.168.46
S 192.168.46.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA-5510.

!
Username: Laporte-don't Index: 10
Assigned IP: 192.168.46.0 public IP address: *. *.65.201
Protocol: IKEv1 IPsecOverNatT
License: Another VPN
Encryption: 3DES hash: SHA1
TX Bytes: bytes 11667685 Rx: 1604235
Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
Opening time: 08:19:12 IS Thursday, February 12, 2015
Duration: 6 h: 53 m: 29 s
Inactivity: 0 h: 00 m: 00s
Result of the NAC: unknown
Map VLANS: VLAN n/a: no
!
ASA - 5510 # display l2l vpn-sessiondb

Session type: LAN-to-LAN

Connection: *. *.56.250
Index: 6 IP Addr: *. *.56.250
Protocol: IPsec IKEv1
Encryption: AES256 3DES hash: SHA1
TX Bytes: bytes 2931026707 Rx: 256715895
Connect time: 02:00:41 GMT Thursday, February 12, 2015
Duration: 13: 00: 10:00

Hi Rico,

You need dynamic nat (for available IP addresses) for the two side to every subset of remote access to the other side remote subnet and so they can access every other subnet as if both from the traffic from your central location.

example:

Say, this IP (10.10.10.254) is unused IP to the central office, allowed to access remote tunnel 'A' and 'B' of the site.

object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0

dynamic source destination SITE-a. 10.10.10.254 NAT (outdoors, outdoor)
public static SITE SITE-B-B

destination NAT (outdoors, outdoor) SITE-B 10.10.10.254 dynamic source
SITE static-SITE a

Hope this helps

Thank you

Rizwan James

Cannot ping ASA inside the interface via VPN

Hello

I have a scenario with tunel VPN between a router and ASA and can ping subnet behind ASA subnet behind the router (and), but I cannot ping the ASA inside the interface on the VPN tunnel. I need to access the remote location ASDM. How can it be done?

Thanks for your suggestions.

Remi

Hello

You must have the 'inside access management' command configured on the SAA.

If you run a 8.3 software or newer on the SAA, should also look at the configuration 'nat' IF the above command solves your problem

-Jouni

Cannot ping via remote VPN

Hi all

I have a client who uses a 506e with the cleint 4.02 for the remote VPN Cisco. The pix is multiple inside roads. The first network inside is 192.168.1.X and E1 of the 506 is 192.168.1.1. The second network is 10.71.56.X.

The problem is as soon as the VPN is connected I can ping any host on the 192.168.1.X, but not anything on the 10.71.56.X network. Without netbios or the other. From the PIX, I can ping hosts on two internal networks.

Here is the config below. Thank you!

6.2 (2) version PIX

ethernet0 nameif outside security0

nameif ethernet1 inside the security100

activate the password xxxxx

passwd xxxxxxx

hostname GNB - PIX

cisco.com-domain name

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol they 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol 2000 skinny

names of

QUBEADMIN tcp service object-group

Beach of port-object 444 444

outside_access_in list access permit tcp any host 12.X.X.X eq pop3

outside_access_in list access permit tcp any host 12.X.X.X eq smtp

outside_access_in list access permit tcp any host 12.X.X.X EQ field

outside_access_in list access permit tcp any host 12.X.X.X eq www

outside_access_in list access permit tcp any host 12.X.X.X QUBEADMIN object-group

outside_access_in list access permit icmp any any echo response

access-list outside_access_in allow icmp all once exceed

outside_access_in list access permit tcp any host 12.169.2.21 eq ssh

GNB_splitTunnelAcl ip 10.71.56.0 access list allow 255.255.255.0 any

outside_cryptomap_dyn_20 ip access list allow any 10.71.56.32 255.255.255.224

pager lines 24

opening of session

timestamp of the record

logging paused

logging buffered stored notifications

Logging trap errors

notifications to the history of logging

the logging queue 0

host of logging inside the 10.71.55.10

logging out of the 192.104.109.91 host

interface ethernet0 car

Auto interface ethernet1

ICMP allow any inside

Outside 1500 MTU

Within 1500 MTU

IP address outside 12.X.X.X 255.255.254.0

IP address inside 192.168.1.254 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

local IP VPNPOOL 10.71.56.40 pool - 10.71.56.50

history of PDM activate

ARP timeout 14400

Global interface 10 (external)

NAT (inside) 0-list of access inside_outbound_nat0_acl

NAT (inside) 10 0.0.0.0 0.0.0.0 0 0

public static 12.X.X.X (Interior, exterior) 192.168.1.1 mask subnet 255.255.255.255 0 0

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 12.X.X.X 1

Route inside 10.71.55.0 255.255.255.0 192.168.1.1 1

Route inside 10.71.56.0 255.255.255.0 192.168.1.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

Timeout, uauth 0:05:00 absolute

GANYMEDE + Protocol Ganymede + AAA-server

RADIUS Protocol RADIUS AAA server

AAA-server local LOCAL Protocol

the ssh LOCAL console AAA authentication

No snmp server location

No snmp Server contact

SNMP-Server Community public

No trap to activate snmp Server

enable floodguard

Permitted connection ipsec sysopt

Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

ISAKMP allows outside

part of pre authentication ISAKMP policy 20

ISAKMP policy 20 3des encryption

ISAKMP policy 20 chopping sha

20 2 ISAKMP policy group

ISAKMP duration strategy of life 20 86400

vpngroup address VPNPOOL pool GUARD

vpngroup dns-server 10.71.56.10 GNB 10.71.56.10

GNB GNB_splitTunnelAcl vpngroup split tunnel

vpngroup GNB 1800 idle time

GNB vpngroup password *.

Telnet timeout 5

SSH timeout 60

Terminal width 80

Cryptochecksum:XXXXX

: end

[OK]

GNB - PIX #.

You use 10.71.56.0 255.255.255.0 in two places

you route to it via 192.168.1.1, but you're also allocation of addresses for vpn clients. Guests who are on the segment 10.71.56.0/24, if they manage to get the connected vpn client package (which is assigned a 10.71.56.x) address, would not send the response packet to this request on the local subnet, the router that has the 192.168.1.1 interface, which is what would be needed to make it work.

You must use a different network for your vpn clients block - you cannot use the same ip through two different networks space.

Cannot Ping router remotely

Currently, I get to work with WRT54GL router for customers who are looking for a cheaper camera, I am trying to ping the public IP address of remote, so we could properly monitor these devices and I get a timeout of the request, I looked at the settings that I couldn't find anything to help me on this Please let me know if anyone has had knowledge of how do.

It's on the Security tab. I think that on the WRT54GL called 'Block anonymous Internet requests. Turn this option off.

If she's not still go through, it may also be the ISP blocks...

Cisco ezvpn ASAs cannot ping each other inside interfaces

I have a set ezvpn in place with a 5506 (position B) client-side and a 5520 (location A) server-side. I have successfully connected vpn, and traffic flows. My problem is that I can't SSH in the location b. investigate this more than I can not ping is within the interface of the ASA opposing, or the machines inside each ASA ASA.

I found the following links that describes a scenario similar to mine, but nothing on one of them helped me.
http://www.experts-exchange.com/questions/28388142/cannot-ping-ASA-5505-inside-interface-across-VPN.html
https://www.fir3net.com/firewalls/Cisco/Cisco-ASA-proxy-ARP-gotcha.html
https://supportforums.Cisco.com/discussion/11755586/Cisco-ASA-VPN-established-cant-ping

I joined sanitized versions of these two configs. Any help is appreciated.

Hi Adam

The site of B I'm not able to see "management of access to inside. Please try to set up the same. He could solve the problem.

Also on the instruction of the ASA takes place nat can you please try to add keywords 'search non-proxy-arp route'.

something like:
```
nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
```
as I have noted problems with inside access to interface via the VPN when those keywords are not applied. If I remember correctly 8.6.x ASA version had a bug regarding the same. Cordially Véronique

cannot ping remote ip on ASA no firewall (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

some help me

(Q) ping remote ip unable on ASA is not Firewall not on pc (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

Note - I can ping PC but not the same subnet ip on ASA2 L3

PC---> > ASA1 - ASA2<>

Hi Matt,

Let me answer your question in two points:
- You cannot ping an ASA on another interface other than the one where you are connected to the ASA of.
For example, ASA1 and ASA2 are connected through their interfaces 'outside '. ASA1 (or any other device on the external interface) can not ping/access ASA2 on his (ASA2) within the interface. The only time wherever this can be substituted is a tunnel VPN with the command "access management" configured for other interface, for example management-access inside
- Traffic ASA1 ping to a remote client behind ASA2 won't over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward traffic based on its routing table that probably this way through its 'outside' interface Except that traffic is allowed with the ASA2 (using the ACL), it will fail.
We can do on the routers of sourcing our ping to another interface, but it will not work on the SAA.

ASA as point endpoint l2l and route remote peer

Hello dear community support.

I need to set up the following scenario:

I managed to create the tunnels of routers to ASA, but there are 2 questions:
1. Remote local networks, I'm not able to ping inside the interface interface, apart if I use the management-access command on my inside, I don't want to.
2. Remote local networks cannot communicate with each other. Is there some routing that I should add? My Interface inside has a permit temporary icmp a whole, and I guess the ASA must bring up the appropriate routes when the tunnels appears. I have identfyed the roads properly in my Crypto Card and on my remote routers.
As my remote routers all have dynamic IP addresses assigned, they all fall into the Group of the defaultl2l Tunnel. Is this wrong?

Any ideas or suggestions would be highly appreciated

Thank you very much for your help!

Hello

The ASAs generally have a limit that you can not ICMP/PING an interface behind another interface of the ASA. command "access management" is the only way to activate the Protocol ICMP interface via another interface. And also this only applies to connections that arrive via a VPN connection.

So if you want ICMP/PING the interface 'inside' of the ASA to remote sites, you can use the command "access management" . If management connections are your worries you should limit the management as well as remote network will not be able to manage the ASA. Of course, they also know the login information to even have the option to manage the ASA?

As for your other question, there are some things you need to make the connections between the Remote LAN if you intend to do this via the central site with the ASA.
- You will need to have the command "permit same-security-traffic intra-interface" configured on the SAA. This command will allow traffic to enter and exit the same interface on the ASA. In your case, it would be the "outside" interface, which would be the only interface through which traffic between remote LANs would traverse through the ASA
- You will need to define the interesting connections VPN L2L traffic so that it includes this traffic
  - ASA l2l to a peripheral remote site VPN VPN connection must have as source address for traffic interesting the other network to remote sites.
  - The remote VPN device l2l VPN connection must have as destination address of the remote network
- You need NAT0 configurations for traffic on the remote site VPN devices
- You will need to have a configuration NAT0 on the SAA for this traffic that will flow between remote sites through the ASA. This NAT0 configuration must be configured on the 'outside' interface. The format of configuration depends on your level of Software ASA
If you mention that you are using a default VPN L2L "tunnel-group" both of the connections.

I suggest you look at this document. It would allow to the allows you to configure remote sites, so that you can set up other than "tunnel-group" for them on the SAA and accomplish what you want.

http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

Hope this helps

-Jouni

Site to Site VPN - cannot ping remote subnet

Hi all.

I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.

Any suggestions?

I'm also an instant learn the ASAs, so I'm not an expert. I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.

Thanks in advance.

5505 lack the command:

management-access inside

Federico.

Cannot ping computers on the subnet remote site vpn while to set up

Hi all

I encountered a problem of site to site vpn for ping answered nothing of machines of remote subnet.

the ipsec tunnel is ok but I can ping the ASA distance inside the interface ip

Here is my scenario:

LAN1 - ASA5510 - ASA5505 - LAN2 - ordinateur_distant

LAN1: 192.168.x.0/24

LAN2: 172.25.88.0/24

remote_machine_ip: 172.25.87.30

LAN1 can ping to ASA5505 inside interface (172.25.88.1)

but cannot ping ordinateur_distant (172.25.87.30)

Inside of the interface ASA5505 can ping ordinateur_distant

LAN2 can ASA5510 ping inside the machines on LAN1 and interface

Is there something I missed?

Thanks much for the reply

I don't think it's something you really want to do.

If you PAT the whole subnet to LAN1 ip (192.168.1.0/24) to 172.25.249.1, then LAN2, will not be able to reach the specific host on LAN1, cause now, you represent the LAN1 network, with a single ip address.

So traffic will become a way from LAN1 can reach LAN2 and get the response of LAN2 through the PAT on 172.25.249.1

But LAN2, is no longer specific hosts LAN1 ip traffic, since you only have 172.25.249.1, to represent the subnet to LAN1.

If you still want to PAT the whole subnet to LAN1 (192.168.1.0/24) ip to 172.25.249.1, then you have to do outside the NAT.

http://www.Cisco.com/en/us/customer/docs/security/ASA/asa80/command/reference/no.html#wp1737858

Kind regards

ASA 5540 - cannot ping inside the interface

Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange.

In the ASDM, I see messages like this:

ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.

This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.

interface Vlanx

IP x.x.x.x 255.255.255.0

IP broadcast directed to 199

IP accounting output-packets

IP pim sparse - dense mode

route IP cache flow

load-interval 30

Has anyone experiences the problem like this before? Thanks in advance for any help.

Can you post the output of the following on the ASA:-

display the route

And the output of your base layer diverter: -.

show ip route<>

HTH >

Site to site between ASA 8.2 VPN, cannot ping

Two 8.2 ASA is configured with a VPN tunnel from site to site, as shown in the diagram:

Here is my setup for both.

Clients on the inside network to the ASA cannot ping inside, network clients, else the ASA. Why not?

When the rattling from inside network SALMONARM inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

...

Each attempt to ping responds with "Request timed out" on the computer of ping.

Why clients cannot mutually ping on the VPN tunnel?

Hello

Create a NAT0 ACL at both ends.

ex: 10.30.0.0 ip access-list extended SHEEP 255.255.0.0 allow 10.45.0.0 255.255.0.0

NAT (inside) 0 access-list SHEEP

THX

Edit: at the beginning, I mentioned ACL #, it may not work.

ASA VPN cannot ping ip local pool

Hello

We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...

Thanks in advance

Keith

Hi Keith,

I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)

Can you add "same-security-traffic intra-interface permits" and try again?

Federico.

My ASA cannot ping the lan address

I use ASA built ezvpn. I can access the ASA and ping inside port address successfully. But in my ping to the address of interconnection 10.100.255.2 window7 cant. I don't know how to solve the problem. If all goes well, can help me. Thank you...

set it up

ASA5520 # sh run

: Saved

:

ASA Version 7.2 (3)

!

asa5520-host name

sxng domain name

activate the encrypted password of DOAXe2w/ilkXwCIz

names of

DNS-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

IP x.x.x.x 255.255.255.248

!

interface GigabitEthernet0/1

nameif inside

security-level 100

IP 10.100.255.254 255.255.255.0

!

interface GigabitEthernet0/2

nameif dmz

security-level 50

IP x.x.x.x 255.255.255.0

!

interface GigabitEthernet0/3

nameif wireless

security-level 10

IP x.x.x.x 255.255.255.0

!

interface Management0/0

Shutdown

nameif management

security-level 100

IP 192.168.1.1 255.255.255.0

management only

!

2KFQnbNIdI.2KYOU encrypted passwd

Disk0: / pix723.bin starting system

passive FTP mode

DNS server-group DefaultDNS

sxng domain name

dmz_access_in of access allowed any ip an extended list

dmz_access_in list extended access permit icmp any one

tunnel of splitting allowed access list standard 10.0.0.0 255.0.0.0

inside_nat0_outbound list of allowed ip extended access all 10.100.254.0 255.255.255.0

inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.100.254.0 255.255.255.0

outside_cryptomap_dyn_20 list of allowed ip extended access all 10.100.254.0 255.255.255.0

acl_out list extended access permit icmp any one

acl_out list extended access permit tcp any host x.x.x.x eq www

acl_out list extended access permit tcp any host x.x.x.x eq 9000

acl_out list extended access permit udp any host x.x.x.x eq 9000

........

......

acl_out allowed ip extended access list any 10.1.1.0 255.255.255.0

inside_access_in list extended access permitted tcp 10.1.10.0 255.255.255.0 any eq 5000

acl_inside of access allowed any ip an extended list

acl_inside list extended access permit icmp any one

wireless_access_in of access allowed any ip an extended list

wireless_access_in list extended access permit icmp any one

pager lines 24

Enable logging

timestamp of the record

emergency list vpn-event logging level

log message 109001-109028 vpn-event list

log message 113001-113019 vpn-event list

exploitation forest-size of the buffer 5000

information recording console

debug logging in buffered memory

recording of debug trap

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

MTU 1500 dmz

MTU 1500 wireless

management of MTU 1500

IP local pool vpnpool 10.100.254.1 - 10.100.254.250 mask 255.255.255.0

no failover

ICMP unreachable rate-limit 1 burst-size 1

ICMP allow all outside

ICMP allow any inside

ASDM image disk0: / asdm - 507.bin

don't allow no asdm history

ARP timeout 14400

Global (outside) 1 x.x.x.x

Global (dmz) 1 10.100.253.101 - 10.100.253.200 netmask 255.255.255.0

Global (wireless) 1 172.16.255.101 - 172.16.255.200 netmask 255.255.255.0

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 10.1.1.14 255.255.255.255

NAT (inside) 1 10.1.13.100 255.255.255.255

NAT (wireless) 1 172.16.0.0 255.255.0.0

static (dmz, outside) tcp x.x.x.x www 10.100.253.1 www netmask 255.255.255.255

.......

.........

static (inside, dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255

static (inside, dmz) 10.1.1.16 10.1.1.16 netmask 255.255.255.255

static (dmz, external) 10.100.253.20 x.x.x.x 255.255.255.255 netmask

static (dmz, external) 10.100.253.32 x.x.x.x 255.255.255.255 netmask

Access-group acl_out in interface outside

acl_inside access to the interface inside group

Access-group interface inside acl_inside

Access-group dmz_access_in in dmz interface

Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

Route inside 10.0.0.0 255.0.0.0 10.100.255.1 1

Route inside 10.0.0.0 255.0.0.0 10.100.255.2 1

Route wireless 172.16.0.0 255.255.0.0 172.16.255.1 1

!

router ospf 1

255.255.255.255 network 10.67.180.0 area 0

network 0.0.0.0 0.0.0.0 area 1

Journal-adj-changes

!

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout, uauth 0:05:00 absolute

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.1.0 255.255.255.0 management

http 10.0.0.0 255.0.0.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

Crypto outside-dyn-map Dynamics-plan 20 reverse-drive value

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 1

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 20

Telnet 0.0.0.0 0.0.0.0 outdoors

Telnet 10.0.0.0 255.0.0.0 inside

Telnet 10.100.0.0 255.255.0.0 inside

Telnet 10.100.255.0 255.255.255.0 inside

Telnet 0.0.0.0 0.0.0.0 wireless

Telnet timeout 10

SSH 0.0.0.0 0.0.0.0 outdoors

SSH timeout 30

Console timeout 0

dhcpd x.x.x.x dns

!

management of 192.168.1.2 - dhcpd address 192.168.1.254

enable dhcpd management

!

!

class-map inspection_default

match default-inspection-traffic

!

!

Policy-map global_policy

class inspection_default

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

inspect the icmp

!

global service-policy global_policy

internal sxnggroup group policy

attributes of the strategy of group sxnggroup

value of server DNS 202.99.192.68

enable IP-comp

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value split tunnel

username password sxtrq Y6cwK1wOhbhJ6YI / encrypted

maboai R6eu6P1iKIwFIFjS username encrypted password

winet FwZ0ghxvIpXOepvf username encrypted password

tunnel-group sxnggroup type ipsec-ra

tunnel-group sxnggroup General-attributes

address vpnpool pool

Group Policy - by default-sxnggroup

sxnggroup group of tunnel ipsec-attributes

pre-shared-key *.

context of prompt hostname

Cryptochecksum:119ae137eef5ed97d38b4e2f90ed46d7

: end

ASA5520 # route sh

Code: C - connected, S - static, RIP, M - mobile - IGRP, R - I, B - BGP

D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone

N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2

E1 - OSPF external type 1, E2 - external OSPF of type 2, E - EGP

i - IS - L1 - IS - IS level 1, L2 - IS - IS IS level 2, AI - IS inter zone

* - candidate by default, U - static route by user, o - ODR

P periodical downloaded static route

Gateway of last resort is 202.97.158.177 to network 0.0.0.0

C x.x.x.x 255.255.255.248 is directly connected to the outside of the

C 172.16.255.0 255.255.255.0 is directly connected, wireless

S 172.16.0.0 255.255.0.0 [1/0] via 172.16.255.1, wireless

S 10.0.0.0 255.0.0.0 [1/0] via 10.100.255.1, inside

[1/0] via 10.100.255.2, inside

C 10.100.255.0 255.255.255.0 is directly connected to the inside

S 10.100.254.2 255.255.255.255 [1/0] via x.x.x.x, outdoor

C 10.100.253.0 255.255.255.0 is directly connected, dmz

S * 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outdoor

ASA5520 # sh arp

outside 00d0.d0c6.9181 x.x.x.x

outside 00d0.d0c6.9181 x.x.x.x

outside 224.0.0.5 0100.5e00.0005

inside 224.0.0.5 0100.5e00.0005

inside the 10.100.255.1 0000.0c07.acff

inside the 10.100.255.2 001c.b0cb.5ec0

DMZ 10.100.253.20 60a4.4c23.3032

DMZ 224.0.0.5 0100.5e00.0005

DMZ 10.100.253.1 001a.6436.6df6

224.0.0.5 wireless 0100.5e00.0005

Wireless 172.16.255.1 0026.98c6.41c8

Try to use the "crypto ipsec to show his ' command to watch the program and decaps packages, I hope this isn't too fast increment. You should be able to see the two increase when you successfully and only one side increase when it fails. Check both sides of the vpn, and this should give you an idea where the problem is. If the program packages are multiplying on the ASA local to your PC Win7 and Decaps multiply on the ASA Remote and the program is not so, then the question is with packets from the remote side. I hope this will help you determine the location of the problem and then you can focus your search here.

Cannot telnet ASA VPN remote

Hello

I set up a VPN between two sites using two cisco asa. The VPN works perfectly, but I can not telnet, ssh or run ASDM on the ASA remote, that is, if I'm on LAN 1, I can not telnet, ssh or run ASDM on ASA2 and vice versa.

Just to test, the entire networks (LAN1 and LAN2) have all-IP and ICMP authorized on VPN, but no way.

I can connect and everything else between LAN1 and LAN2.

on the ASA1, I tried both

Telnet netmask2 LAN2 inside

and

Telnet netmask2 LAN2 outdoors

What's wrong?

Thank you

You will need:

inside management interface

HTH,

John

Cannot ping ASA remote on an L2L

Similar Questions

Maybe you are looking for