Cannot ping PIX 515e Interfaces
I know it's a very silly question for this forum, but I have already tried many things and cannot get the answer from the PIX firewall interfaces.
It's my (very easy) installation:
Using a FastEthernet port on router, I have a cable connected directly to the outside I / F of the PIX-515e. (Crossover cable works, I have already tested). Router <-->PIX directly connected.
I configured the PIX firewall to allow pings (I used different commands):
ICMP allow any response of echo outdoors
ICMP allow all outside
ICMP permitted
I tried to configure each of them and also combined. Also tried to send the PIX to its default values. Supposed to be after that the PIX should allow all pings if no "icmp" command is configured. I have configured the ports on both sides to 100 Full On both sides of the link (PIX and router) I have the links to the top. The lights are on. The 'show interest' on the PIX firewall shows to the top/top The same thing on the router... The two interfaces are configured in 10.1.1.0/24 (10.1.1.1 & 10.1.1.2) What I am doing wrong? This should be very easy... Hello Majority of the time interfaces refuses explicitly to ICMP packets unless you indicate otherwise. Here is a link to a pretty good setup guide... Have a look at the link to the ping Security Appliance Interfaces section in this guide. I'm really frustrated myself during the installation/testing phase because the pings are not working and it helped. Hope this helps a little and makes your life easier =) (rate if it please and thank you) Thank you Chris Tags: Cisco Security ASA 5540 - cannot ping inside the interface Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going. In a Word, we can ping the inside interface of the ASA from any beach on our 6500 network (which is connected directly behind the ASA on the inside), but one where our monitoring tools are placed. Inside there is an ACL that allows all of our core networks, but it does not help that the interface is really strange. In the ASDM, I see messages like this: ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong. This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA. interface Vlanx IP x.x.x.x 255.255.255.0 IP broadcast directed to 199 IP accounting output-packets IP pim sparse - dense mode route IP cache flow load-interval 30 Has anyone experiences the problem like this before? Thanks in advance for any help. Can you post the output of the following on the ASA:- display the route And the output of your base layer diverter: -. show ip route<> HTH > Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2 I have two ASA 5505 firewall each with a basic license: FWa and FWb. currently there is a VPN tunnel between them work. I added a second (inside2) interface to the firewall, FWb, but I can't ping firewall FWa, so that I can ping the inside interface of FWa. I can ping the FWb inside interface 192.168.20.1 from the FWa inside 172.16.1.1 interface, but I can not ping to the 10.52.100.10 of the FWa FWb inside2 interface. I can not ping the gateway host FWa 10.52.100.1. I show the essential configuration of two firewalls as well as the debug icmp output on the two firewalls that I ping the internal interfaces and of FWa FWb inside2. Here is a skeleton of the FWa configuration: name 172.16.1.0 network-inside interface Vlan1 the DM_INLINE_NETWORK_5 object-group network the DM_INLINE_NETWORK_3 object-group network outside-interface of the access-list extended permitted Outside_5_cryptomap ip host object-group DM_INLINE_NETWORK_3 NAT (inside) 0 access-list sheep card crypto VPN 5 corresponds to the address Outside_5_cryptomap ========================================================= FWb: name 10.52.100.0 ring52-network interface Vlan1 the DM_INLINE_NETWORK_3 object-group network the DM_INLINE_NETWORK_2 object-group network inside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 host S.S.S.S outside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_2 S.S.S.S ip host NAT (inside) 0-list of access inside_nat0_outbound Route inside2 network ring51 255.255.255.0 10.52.100.1 1 card crypto outside_map 1 match address outside_1_cryptomap tunnel-group S.S.S.S type ipsec-l2l
=========================================================================
Ping Successul FWa inside the interface on FWb FWa # ping 192.168.20.1 FWb #. FWa # ping 192.168.20.15 FWb #. =========================== FWa # ping 10.52.100.10 FWb #. ================================================================================== Unsuccessful ping of Fwa to a host of related UI inside2 on FWb FWa # ping 10.52.100.1 FWb #. ======================= Thank you Hi odelaporte2, Is very probably the "access management" command is not applied in the second inside, only inside primary (see the race management) which will confirm. This command can be applied to an interface at a time, for example, if the law is now applied to the inside, it can not be applied to the inside2 at the same time. It may be useful -Randy- Cannot Ping PIX 525 inside interface Hi, I can not ping the interface e1 of a new 525 PIX running V6.35. I configured the address e1 and tried, but I can't ping the laptop connected directly to it, or vice versa... ACL has added to what icmp any an and the IP a whole and applied the e1 interface. Still can not ping... any idea why this is happening?... I'm suspect a hardware problem or cable, the cable must be crossver or directly through... I tired to connect to a switch also but same result... interface e1 is towards the top and to the top and show no problem... nor log shows no info as to why this happens... any suggestion is appreciated. Thank you GT Hello A single pix failover license does not work like a normal pix, so you can not 'test' with her before connecting. Once that connect you to your primary pix, that it will automatically update the IOS on the unit of failover and reproduce the config, so none of this is required of you before hand. I found this process much easier by using serial failover cable first, once the installation is finished and then in my case, I use the failover LAN based that later, I migrated to. Here's a couple of useful documents that you can review. Your version of the software may require the updated documentation. http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/failover.htm#1076500 PIX515E: Cannot ping interfaces Hi all I ' v has just got a new PIX 515E, 6 interfaces, Version 6.3 (5). I can't focus on any task with my PIX because the simplest operation is impossible: I cannot ping inside interface or PIX any host belonging to e same subnet. Interface is up and running, connected directly to a switch, icmp is to allow the inside... Please, could someone of you give me a help? Concerning Alberto Brivio Make sure the PIX is not a license to "failover". You will not be able to ping to this type of box until you activate failover. PIX 515e, multiple VIRTUAL networks on a physical interface to DMZ We try to set up multiple VIRTUAL networks on a physical interface to the DMZ on a PIX 515e. The goal is to have logical subnets linked to our single, physical interface DMZ. Here's what I've tried so far without success: The switch -created the vlan 30 -added switchports fa0/1 to 30 of vlan -attached host 192.168.100.1 in fa0/1 -added switchport fa0/24 to the vlan 1 and vlan 30 with multimode -interface PIX DMZ connected to fa0/24 switchport -attached host to switchport fa0/10 172.16.1.55 (vlan 1) PIX: Auto interface ethernet2 logical ethernet2 vlan30 interface nameif DMZ security50 ethernet2 nameif vlan30 dmz2 security50 address IP DMZ 172.16.1.254 255.255.255.0 IP address dmz2 192.168.100.254 255.255.255.0 Results: -172.16.1.55 has full connectivity to the PIX and beyond. -192.168.100.1 cannot ping the PIX to the 192.168.100.254 or anything else besides. Any help would be greatly appreciated. Also, I realize that I could buy a four port NIC and use the physical interfaces, but I can't get the approved purchase. Thank you Creation of VLANS on Ethernet1 We want to create a new interface VLAN - VLAN30 and name DMZ2. Also affect the security level 50 in it. Step 1: Create a physical Interface: PIX (config) # interface ethernet1 vlan2 physical Step 2: Name the Interface and set the security level: PIX (config) # nameif ethernet1 inside the security100 Step 3: Assign the IP address of the interface: PIX (config) # ip inside 192.168.1.1 address 255.255.255.0 Step 4: Create the logical Interface: PIX (config) # interface ethernet1 vlan30 logical Step 5: Name of the Interface and set the security level: PIX (config) # nameif vlan30 DMZ2 security50 Step 6: Assign IP address to the interface: IP pix (config) # DMZ2 192.168.100.254 255.255.255.0 Step 7. Switch, set the port where from the inside, to the Isls or dot1q physical interface. Place the sheath in the native vlan2 as in step 1. Cisco ezvpn ASAs cannot ping each other inside interfaces I have a set ezvpn in place with a 5506 (position B) client-side and a 5520 (location A) server-side. I have successfully connected vpn, and traffic flows. My problem is that I can't SSH in the location b. investigate this more than I can not ping is within the interface of the ASA opposing, or the machines inside each ASA ASA. I found the following links that describes a scenario similar to mine, but nothing on one of them helped me. I joined sanitized versions of these two configs. Any help is appreciated. Hi Adam The site of B I'm not able to see "management of access to inside. Please try to set up the same. He could solve the problem. Also on the instruction of the ASA takes place nat can you please try to add keywords 'search non-proxy-arp route'. something like: Cannot ping ASA inside the interface via VPN Hello I have a scenario with tunel VPN between a router and ASA and can ping subnet behind ASA subnet behind the router (and), but I cannot ping the ASA inside the interface on the VPN tunnel. I need to access the remote location ASDM. How can it be done? Thanks for your suggestions. Remi Hello You must have the 'inside access management' command configured on the SAA. If you run a 8.3 software or newer on the SAA, should also look at the configuration 'nat' IF the above command solves your problem -Jouni Ping inside the interface on a Pix 501 from outside the network All the I have a Pix 501 firewall at a remote site with an IPSEC tunnel established at HQ. We have an analysis tool which remote sites for us let proactively pings know when a site crashes. I want to set up this ping the inside interface of the Pix tool as I can with 871 routers; However I can't configure the Pix to allow ICMP inside interface. I know by default that the Pix does not allow ICMP to the opposite interface and I was wondering if someone could help me with a configuration that will allow this? I enclose my configuration of the pix! Thank you Brian Hello By raising the ordering tool, it seems that the 'management-access' command was introduced in version 6.3 I recommend spending at 6.3 If you can. Federico. Hi all... My workstation (10.10.0.47), I can ping and connect to a server on the LAN of RV320 (10.78.0.54) Now if I remote in the 10.78.0.54 area, I cannot ping or connect to my desktop (10.10.0.47). So what am I missing here? The LAN is 10.78.0.0/24. Do the remote VPN pool 10.78.1.0/24. Then use 10.78.0.0/23 as the field of encryption. Hi all We just bought a PIX 515E and try to use it, but got a number of questions. Here's the NVA of show: PIX-151st #show version Cisco PIX Firewall Version 6.3 (1) Cisco PIX Device Manager Version 3.0 (1) Updated Thursday 19 March 03 11:49 by Manu PIX-515E up to 5 hours and 15 minutes Material: PIX-515E, 64 MB RAM, Pentium II 433 MHz processor Flash E28F128J3 @ 0 x 300, 16 MB BIOS Flash AM29F400B @ 0xfffd8000, 32 KB 0: ethernet0: the address is 000f.2457.4b12, irq 10 1: ethernet1: the address is 000f.2457.4b13, irq 11 Features licensed: Failover: enabled VPN - A: enabled VPN-3DES-AES: enabled Maximum Interfaces: 6 Cut - through Proxy: enabled Guardians: enabled URL filtering: enabled Internal hosts: unlimited Flow: IKE peers unlimited: unlimited This PIX has a failover license only (FO). Problem is that we cannot ping inner harbor, if we do not switch light, but this is a unique machine. Here's another message once we turn on the switch: PIX-515E # config t WARNING *. Configuration of replication is NOT performed the unit from standby to Active unit. Configurations are no longer synchronized. PIX-515e (config) #. Please help solve this problem. I wonder if we buy the wrong license? Thank you very much. you have in your possession a PIX failover. That's why says in the "sh run". This device is intended to be used only as a failover for a live device. It will work as a live PIX, but behave badly. It is cheaper than a PIX with an unrestricted license, as it is not intended to be used as a standalone device. Check with the one that you bought to get the situation sorted. Good luck Steve I got some new PIX 515E security infra-red and I had sex 2 questions about everything I tried. I installed a 5 port switch inside and cannot ping anything from the console. I have a computer on the switch, and he is able to ping other devices on the switch, but not the PIX. What I find strange is that when I try to ping from the inside interface on the PIX of one inside computers, PIX displays the MAC address of the computer inside in the arp table. My goal is to upgrade the PIX to ver7.0 but I can't do so until I can solve this problem. Here are some information among the PIX. #sh worm Cisco PIX Firewall Version 6.3 (4) Cisco PIX Device Manager Version 3.0 (2) Updated Saturday 2 July 04 00:07 by Manu pixfirewall up to 29 minutes 33 seconds Material: PIX-515E, 128 MB RAM, Pentium II 433 MHz processor Flash E28F128J3 @ 0 x 300, 16 MB BIOS Flash AM29F400B @ 0xfffd8000, 32 KB Hardware encryption device: VAC + (Crypto5823 revision 0 x 1) 0: ethernet0: the address is 0015.625a.f7da, irq 10 1: ethernet1: the address is 0015.625a.f7db, irq 11 2: ethernet2: the address is 000d.8810.902c, irq 11 3: ethernet3: the address is 000d.8810.902d, irq 10 4: ethernet4: the address is 000d.8810.902e, irq 9 5: ethernet5: the address is 000d.8810.902f, irq 5 Features licensed: Failover: enabled VPN - A: enabled VPN-3DES-AES: disabled The maximum physical Interfaces: 6 Maximum Interfaces: 10 Cut - through Proxy: enabled Guardians: enabled URL filtering: enabled Internal hosts: unlimited Throughput: unlimited Peer IKE: unlimited This PIX has a failover license only (FO). #sh run interface ethernet1 100full nameif ethernet1 inside the security100 pixfirewall hostname domain testlan access-list acl_out permit icmp any one No external ip address IP address inside 192.168.1.222 255.255.255.0 No IP failover outdoors No IP failover inside #sh int e1 interface ethernet1 'inside' is up, line protocol is up The material is i82559 ethernet, the address is 0015.625a.f7db IP 192.168.1.222, subnet mask 255.255.255.0 MTU 1500 bytes, BW 100000 Kbit full duplex Hi M8, Your firewall has a license of FO, you must enable this device to be able to see it. Run the command: active failover With this command, the device turns into the 'Active' from a perspective of failover state. It will work after that. See you soon. Salem. I am installing a PIX 515e with an ADSL router. I have all the IP addresses for the router etc. I'm trying to connect to a network on the interface internal of the PIX. (Please bare with me as I am new on the firewall!) I ping the network firewall, but I can not access to the internet. The initial configuration for the PIX documentation implies that by default, it has access form the firewall but no! I'm obviously missing something here, i.e. of Thompson the network to route requests through the firewall interent! ??? Sorry to be so simplistic but I'm learning all the time! Thanks for any help. Robin After you enter the acl to allow ping, can you ping now? Watch newspaper reveal something? For DNS and testing, create a static on the PIX for your DNS server. For example "x.x.x.x (indoor, outdoor) static 192.168.0.x netmask 255.255.255.255" where x.x.x.x is a public IP address and 192.168.0.x is your dns server. Then let the outside to your DNS server dns - "access-list 101 permit host udp/tcp host x.x.x.x eq 53 z.z.z.z ' where z.z.z.z is a public dns server (or use one for testing) and x.x.x.x IP NAT'ed to your dns server. See what is happening, look in your journal. What version of PIX you run. Let know use. Steve Hello I am setting up and reconfiguration of a firewall PIX515 with 6.3 software (4) OS PIX. I cannot ping devices on the Internet from inside interface. There are a few addresses that I can ping if I am outside of the firewall. Looks like the firewall is not translate correctly on the return package. I can navigate and do other things but not ping. Here's my nat and global declarations: # Sh nat Pix1 NAT (inside) 1 10.0.0.0 255.0.0.0 0 0 NAT (dmz) 1 172.xx.xx.0 255.255.255.0 0 0 Pix1 # global HS Global (outside) 1 6x.xxx.xxx.6 x - 6 x .xxx .xxx. 7 x Global 1 6x.xxx.xxx.6x (outside) Global interface (dmz) 1 Here's an abbreviated ICMP trace: Pix1 debug icmp trace #. ICMP trace on WARNING: This can cause problems on busy networks Pix1 # 1:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = 89 length 63 = 40 2: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6 3:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9219 GTH = 40 4: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6 5:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9475 GTH = 40 6: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6 7: ICMP echo-reply of the outside:6 x .xxx .xxx. 1 to the seq ID = 512 6x.xxx.xxx.6 = the 9475 ngth = 40 8:-inside:10.xx.xx.x ICMP echo request 5-6x.xxx.xxx.1 ID = 512 seq = len 9731 GTH = 40 9: ICMP echo request: translation of inside:10.xx.xx.x 5-outside:6 x .xxx .xxx. 6 Thanks in advance for your help. Doug. ICMP is not a protocol with the State, to allow ping trought the PIX, you must add extra lines in your access list on the outside! See: Handling ICMP Pings with the PIX firewall http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml The PIX and the traceroute command http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml examples: Traveroute Microsoft: Access-group 101 in external interface access-list 101 permit icmp any unreachable host YourPublicIP access-list 101 permit icmp any host YourPublicIP time exceeded access-list 101 permit icmp any host YourPublicIP echo-reply UNIX: Access-group 101 in external interface access-list 101 permit icmp any unreachable host YourPublicIP access-list 101 permit icmp any host YourPublicIP time exceeded ICMP command example ICMP deny everything outside ICMP allow any response of echo outdoors ICMP allow any response echo inside permit ICMP echo host 192.168.1.30 inside permit ICMP echo host 192.168.1.31 inside permit ICMP echo host 192.168.1.20 inside permit ICMP echo host 192.168.1.40 inside permit ICMP echo host 192.168.1.100 inside sincerely Patrick Using PIX 515E configuration require Dear all, Hi.Actually I need help for PIX 515E.Pls. check out the scenario, design & suggest? Pls. find the details following and configuration of VLAN attached router. # I want to put as «Spend my LAN on CISCO 2900 (range 172.16.29.X IP...» (25 PCs) - VLAN router - CISCO PIX - ISP public IP. # Now it's "My LAN on CISCO 2900 - VLAN (external) router - ISP. Details of router & PIX: #Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed) Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0) #PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router) #PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0) Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN #I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services VLAN router Config: Current configuration: 1028 bytes ! version 12.3 horodateurs service debug datetime msec Log service timestamps datetime msec no password encryption service ! hostname VLANRouter ! boot-start-marker boot-end-marker ! activate the gcsroot password ! No aaa new-model IP subnet zero ! ! no record of conflict ip dhcp DHCP excluded-address IP 172.16.29.1 172.16.29.240 DHCP excluded-address IP 172.16.29.250 172.16.29.254 ! IP dhcp pool dhcppool network 172.16.29.0 255.255.255.0 DNS-server 208.144.230.1 208.144.230.2 router by default - 172.16.29.1 ! ! ! ! controller E1 0/0 ! controller E1 0/1 ! ! interface FastEthernet0/0 IP 208.144.230.197 255.255.255.224 NAT outside IP automatic duplex automatic speed ! interface FastEthernet0/1 IP 172.16.29.1 255.255.255.0 IP nat inside automatic duplex automatic speed ! IP nat inside source list 7 interface FastEthernet0/0 overload IP http server IP classless IP route 0.0.0.0 0.0.0.0 208.144.230.200 ! ! access-list 7 permit 172.16.29.0 0.0.0.255 ! Line con 0 line to 0 line vty 0 4 opening of session ! ! ! end All advice is appreciated. Kind regards Hiren s Mehta. ORG Informatics Ltd. Bamako, MALI AFRICA Hi hiren,. See the answers below: #Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed) When you upgrade the PIX router inbetween and your switch, you must put the PIX inside IP like 172.16.29.1 and change the router within the subnet to someother pool. Do the PAT on the PIX, rather than the router. Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0) Router outside the property intellectual property will be that given by the ISP... The ISP would have given a public IP address for the WAN link. This cannot be changed. #PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router) PIX outside IP must be comprehensive. ISP would have given you a LAN subnet. Use it. In this case, inside the interface of the router has an IP address from that subnet even... #PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0) PIX inside must be 172.16.29.1, which will be the default gateway for all PCs. If you change this subnet, then the PC should have an IP address on the same subnet that has decided.
Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN didn't get it... is that on the internet router or switch? #I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services If all these must be permitted from inside to outside, you have not open anything... by default, all traffic to the inside outside is allowed (except if you put a list of access denied)... Satellite Pro P - how to disable the hot keys for camera assistant? Is it possible, and how, to disable the shortcut keys for the camera wizard? The default keys interfere with shortcuts of Microsoft Office (Word) - for example Alt + F9 to show/hide codes field to turns on the properties of camera assistant, Alt + 10 Error 1310 during the installation of Adobe reader. Vista Home premium. I tried a single repair for this error. I can't do a reinstall/upgrade as suggested I bought a disc of upgrade and it only let me do a full installation and not an upgrade. Wireless cannot turn the key in the field of mobility is grayed out and I cannot select Original title: I use windows vista, my problem is with the radio can turn on not in the area of mobility is the gray key and does not allow me to select tride troubleshooting and it says wireless off I am using windows vista and my wireless does not Original title: startup without access code I would like to start my computer without entering a password. also, how can I keep it going while I'm working, say, after a few minutes. How do contact you Microsoft directly? How can you contact Microsoft DIRECTLY. I just bought a computer and told me almost everywhere and when I try to do almost anything that I do not have access, or I do not have permission even under the administrator account. There is a kind of lock oSimilar Questions
=========================================================
name 192.168.20.0 HprCnc Thesys
name 10.52.100.0 ring52-network
name 10.53.100.0 ring53-network
name S.S.S.S outside-interface
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
!
interface Vlan2
Description Connection to 777 VLAN to work around static Comast external Modem and IP address.
nameif outside
security-level 0
outside interface IP address 255.255.255.240
network-object HprCnc Thesys 255.255.255.0
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-object
ring52-network 255.255.255.0 network-object
network-object HprCnc Thesys 255.255.255.0
ring53-network 255.255.255.0 network-object
inside_nat_outbound list extended access allowed inside-network ip, 255.255.255.0 DM_INLINE_NETWORK_5 object-group
permit access list extended ip host 173.162.149.72 Outside_nat0_outbound aus_asx_uat 255.255.255.0
NAT (inside) 101-list of access inside_nat_outbound
NAT (inside) 101 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access Outside_nat0_outbound
card crypto VPN 5 set pfs Group1
VPN 5 set peer D.D.D.D crypto card
VPN 5 value transform-set VPN crypto card
tunnel-group D.D.D.D type ipsec-l2l
IPSec-attributes tunnel-Group D.D.D.D
pre-shared key *.
name 10.53.100.0 ring53-network
name 10.51.100.0 ring51-network
name 10.54.100.0 ring54-network
nameif inside
security-level 100
address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP D.D.D.D 255.255.255.240
!
interface Vlan52
prior to interface Vlan1
nameif inside2
security-level 100
IP 10.52.100.10 255.255.255.0
ring52-network 255.255.255.0 network-object
ring53-network 255.255.255.0 network-object
ring52-network 255.255.255.0 network-object
object-network 192.168.20.0 255.255.255.0
ring53-network 255.255.255.0 network-object
inside2_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_3 S.S.S.S ip host
NAT (inside) 1 0.0.0.0 0.0.0.0
inside2_nat0_outbound (inside2) NAT 0 access list
NAT (inside2) 1 0.0.0.0 0.0.0.0
Route inside2 network ring53 255.255.255.0 10.52.100.1 1
Route inside2 network ring54 255.255.255.0 10.52.100.1 1
card crypto outside_map 1 set pfs Group1
outside_map game 1 card crypto peer S.S.S.S
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
IPSec-attributes tunnel-group S.S.S.S
pre-shared key *.
I'm Tournai on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never return to FWa.
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.1, time-out is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.1 ID = 32068 seq = 23510 len = 72
! ICMP echo reply to 192.168.20.1 in outside-interface ID = 32068 seq = 23510 len = 72
....
Echo ICMP of S.S.S.S to 192.168.20.1 ID request = 32068 seq = 23510 len = 72
ICMP echo reply 192.168.20.1 S.S.S.S ID = 32068 seq = 23510 len = 72
==============================================================================
Successful ping of Fwa on a host connected to the inside interface on FWb
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.20.15, wait time is 2 seconds:
Echo request ICMP from outside-interface to 192.168.20.15 ID = seq 50862 = 18608 len = 72
! ICMP echo reply to 192.168.20.15 in outside-interface ID = seq 50862 = 18608 len = 72
...
Inside outside:S.S.S.S ICMP echo request: 192.168.20.15 ID = seq 50862 = 18608 len = 72
ICMP echo reply to Interior: 192.168.20.15 outside:S.S.S.S ID = seq 50862 = 18608 len = 72
Unsuccessful ping of FWa to inside2 on FWb interface
Send 5, echoes ICMP 100 bytes to 10.52.100.10, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
? Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
...
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
....
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 10.52.100.1, wait time is 2 seconds:
Echo request ICMP from outside-interface to 10.52.100.1 ID = 11842 seq = 15799 len = 72
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
http://www.experts-exchange.com/questions/28388142/cannot-ping-ASA-5505-inside-interface-across-VPN.html
https://www.fir3net.com/firewalls/Cisco/Cisco-ASA-proxy-ARP-gotcha.html
https://supportforums.Cisco.com/discussion/11755586/Cisco-ASA-VPN-established-cant-ping
nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
as I have noted problems with inside access to interface via the VPN when those keywords are not applied. If I remember correctly 8.6.x ASA version had a bug regarding the same.
Cordially Véronique
I have a RV320 (internal LAN 10.78.0.0/24) connection to a PIX 515E (10.10.0.0/24) using the VPN Tunnel.
The tunnel between the two is in place and working.
However, I can ping the inside interface of the PIX 515E 10.10.0.252Maybe you are looking for