Cannot ping via remote VPN

Similar Questions

• cannot ping between remote vpn site?

  vpn l2l site A, site B is extension vpn network, connect to the same vpn device 5510 to the central office and work well.  I can ping from central office for two remote sites, but I cannot ping between these two vpn sites?  Tried to debug icmp, I can see the icmp side did reach central office but then disappeared! do not send B next?  Help, please...

  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  !
  object-group network SITE-a.
  object-network 192.168.42.0 255.255.255.0
  !
  object-group network SITE-B
  object-network 192.168.46.0 255.255.255.0
  !
  extended OUTSIDE allowed a whole icmp access list
  HOLT-VPN-ACL extended access-list allow ip object-CBO-NET object group SITE-a.
  !
  destination SITE-a NAT (outside, outside) static source SITE - a static SITE to SITE-B-B
  !
  address for correspondence card crypto VPN-card 50 HOLT-VPN-ACL
  card crypto VPN-card 50 peers set *. *.56.250
  card crypto VPN-card 50 set transform-set AES-256-SHA ikev1
  VPN-card interface card crypto outside
  !
  internal strategy group to DISTANCE-NETEXTENSION
  Remote CONTROL-NETEXTENSION group policy attributes
  value of DNS server *. *. *. *
  VPN-idle-timeout no
  Ikev1 VPN-tunnel-Protocol
  Split-tunnel-policy tunnelspecified
  Split-tunnel-network-list value REMOTE-NET2
  value by default-field *.org
  allow to NEM
  !
  remote access of type tunnel-group to DISTANCE-NETEXTENSION
  Global DISTANCE-NETEXTENSION-attributes tunnel-group
  authentication-server-group (inside) LOCAL
  Group Policy - by default-remote CONTROL-NETEXTENSION
  IPSec-attributes tunnel-group to DISTANCE-NETEXTENSION
  IKEv1 pre-shared-key *.
  tunnel-group *. *.56.250 type ipsec-l2l
  tunnel-group *. *.56.250 ipsec-attributes
  IKEv1 pre-shared-key *.
  !

  !

  ASA - 5510 # display route. include the 192.168.42
  S 192.168.42.0 255.255.255.0 [1/0] via *. *. 80.1, outside
  ASA - 5510 # display route. include the 192.168.46
  S 192.168.46.0 255.255.255.0 [1/0] via *. *. 80.1, outside
  ASA-5510.

  !
  Username: Laporte-don't Index: 10
  Assigned IP: 192.168.46.0 public IP address: *. *.65.201
  Protocol: IKEv1 IPsecOverNatT
  License: Another VPN
  Encryption: 3DES hash: SHA1
  TX Bytes: bytes 11667685 Rx: 1604235
  Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
  Opening time: 08:19:12 IS Thursday, February 12, 2015
  Duration: 6 h: 53 m: 29 s
  Inactivity: 0 h: 00 m: 00s
  Result of the NAC: unknown
  Map VLANS: VLAN n/a: no
  !
  ASA - 5510 # display l2l vpn-sessiondb

  Session type: LAN-to-LAN

  Connection: *. *.56.250
  Index: 6 IP Addr: *. *.56.250
  Protocol: IPsec IKEv1
  Encryption: AES256 3DES hash: SHA1
  TX Bytes: bytes 2931026707 Rx: 256715895
  Connect time: 02:00:41 GMT Thursday, February 12, 2015
  Duration: 13: 00: 10:00

  Hi Rico,

  You need dynamic nat (for available IP addresses) for the two side to every subset of remote access to the other side remote subnet and so they can access every other subnet as if both from the traffic from your central location.

  example:

  Say, this IP (10.10.10.254) is unused IP to the central office, allowed to access remote tunnel 'A' and 'B' of the site.

  object-group network SITE-a.
  object-network 192.168.42.0 255.255.255.0
  !
  object-group network SITE-B
  object-network 192.168.46.0 255.255.255.0

  dynamic source destination SITE-a. 10.10.10.254 NAT (outdoors, outdoor)
  public static SITE SITE-B-B

  destination NAT (outdoors, outdoor) SITE-B 10.10.10.254 dynamic source
  SITE static-SITE a

  Hope this helps

  Thank you

  Rizwan James

• Cannot ping via the VPN client host when static NAT translations are used

  Hello, I have a SRI 3825 configured for Cisco VPN client access.

  There are also several hosts on the internal network of the static NAT translations have a services facing outwards.

  Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.

  For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.

  Any help would be appreciated.

  Concerning

  !

  session of crypto consignment

  !

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group vpnclient

  key S3Cu4Ke!

  DNS 192.168.1.1 192.168.1.2

  domain domain.com

  pool dhcppool

  ACL 198

  Save-password

  PFS

  netmask 255.255.255.0

  !

  !

  Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac

  !

  Crypto-map dynamic dynmap 10

  86400 seconds, life of security association set

  game of transformation-3DES-SECURE

  market arriere-route

  !

  card crypto client cryptomap of authentication list drauthen

  card crypto isakmp authorization list drauthor cryptomap

  client configuration address card crypto cryptomap answer

  map cryptomap 65535-isakmp ipsec crypto dynamic dynmap

  !

  interface GigabitEthernet0/0

  NAT outside IP

  IP 1.2.3.4 255.255.255.240

  cryptomap card crypto

  !

  interface GigabitEthernet0/1

  IP 192.168.1.254 255.255.255.0

  IP nat inside

  !

  IP local pool dhcppool 192.168.2.50 192.168.2.100

  !

  Note access-list 198 * Split Tunnel encrypted traffic *.
  access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

  !
  Note access-list 199 * NAT0 ACL *.
  access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  access-list 199 permit ip 192.168.1.0 0.0.0.255 any

  !

  Sheep allowed 10 route map
  corresponds to the IP 199

  !
  IP nat inside source map route sheep interface GigabitEthernet0/0 overload

  !

  IP nat inside source static 192.168.1.1 1.2.3.5
  IP nat inside source static 192.168.1.2 1.2.3.6

  The problem seems to be that static NAT take your nat exemption.

  The solution would be:

  IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
  IP nat inside source static 192.168.1.2 1.2.3.6 sheep map route

  HTH

  Herbert

• QuickVPN - could not do a ping the remote VPN router!

  Hello

  I have a RV042 (VPN router) and I have some problems to run properly using the QuickVPN client.

  Here is the Log of the QuickVPN client.

  2008-10-15 20:14:38 [STATUS] a network interface detected with 192.168.0.104 IP address
  2008-10-15 20:14:38 [STATUS] connection...
  2008-10-15 20:14:38 [STATUS] connection to a remote gateway with IP address: 96.20.174.84
  2008-10-15 20:14:38 [WARNING] server certificate does not exist on your local computer.
  2008-10-15 20:14:44 remote gateway [STATE] has been reached with https...
  2008-10-15 20:14:44 [STATUS] commissioning...
  2008-10-15 20:14:51 [STATUS] Tunnel is connected successfully.
  2008-10-15 20:14:51 [STATUS] verification of network...
  2008-10-15 20:14:55 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:14:58 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:01 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:05 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:08 [WARNING] failed to do a ping the remote VPN router!
  2008-10-15 20:15:11 [WARNING] Ping has been blocked, which can be caused by an unexpected disconnection.
  2008-10-15 20:15:19 [STATUS] disconnection...
  2008-10-15 20:15:25 [STATUS] Tunnel is disconnected successfully.

  I don't know how it is implemented, but if WuickVPN wait a form ping my router, it will not happen. I was never able to ping my router ouside of my ISP network.

  There is a way to disable the Ping process and continue with the VPN connection?

  QuickVPN try ping on the router via the VPN tunnel to check the connection. It should work without worrying about whether your ISP filters ICMP messages or not. The tunnel is encrypted your ISP won't know what you're doing.

  Please post the corresponding on the RV042 VPN log. That is expected to see how far you get.

  You have a firewall running on the computer? I think that some firewalls have difficulty with the traffic of ESP.

  What is the router that is connected to the computer? How is it that is configured?

• Cannot ping ASA remote on an L2L

  I have an ASA5520, and about 10 of 5505. Site running all at the Sites. The tunnels are in place and everything worked fine. Well on the side room, I cannot ping the ASA remote, but I can ping all devices behind it. On the remote side I ping the 5520 and everything else on my network I encouraged. When I look at the newspaper of the ASDM on the 5520, that there is no evidence related to the ping for the 5505. I don't see where it blocks the ICMP on the 5505. It just says:

  "6 August 14, 2008 05:40:49 302020 10.0.3.69 192.168.1.101 built outgoing ICMP connection for faddr gaddr laddr 192.168.1.101/0 192.168.1.101/0 10.0.3.69/512.

  and

  "6 August 14, 2008 05:40:49 302021 10.0.3.69 192.168.1.101 connection disassembly ICMP for faddr gaddr laddr 192.168.1.101/0 192.168.1.101/0 10.0.3.69/512.

  It is a normal traffic for a S2S I guess. While I am trying to get this to work I have it configured,.

  ICMP allow any inside

  "ICMP allow all outside.

  Any suggestions?

  If you try to ping inside the interface through the tunnel, try to add...

  management-access inside

• Cannot Ping across the VPN remote access

  Hello world

  I hope I posted this in the right place!

  I'm a bit new to Cisco IOS, so please forgive me if I ask a stupid question!

  We have a firewall of 515E PIX 6.3 (4) on which I used the VPN Wizard to set up a remote access VPN the Cisco VPN client on the external interface.

  When I connect to home on my laptop Windows XP Pro SP2 running Cisco VPN Client 4.0.5(C) I seem to be able to connect to most of the network resources (IE file shares, I can RDP into servers, etc.) but I can't seem to be able to ping anything : I just request times out.

  I'm sure it's something stupid I've done (or not done).

  I have attached my config and would be grateful if someone could take a look and point me in the right direction.

  Thanks in advance for your help,

  Peter.

  Hi Peter,.

  You must add a line to the inside_access_in access list:

  Enable

  conf t

  access-list inside_access_in allow icmp a whole

  output

  write members

  Kind regards

  Cathy

• Cannot Ping router remotely

  Currently, I get to work with WRT54GL router for customers who are looking for a cheaper camera, I am trying to ping the public IP address of remote, so we could properly monitor these devices and I get a timeout of the request, I looked at the settings that I couldn't find anything to help me on this Please let me know if anyone has had knowledge of how do.

  It's on the Security tab. I think that on the WRT54GL called 'Block anonymous Internet requests. Turn this option off.

  If she's not still go through, it may also be the ISP blocks...

• INTERNET VIA REMOTE VPN ACCESS

  We have a customer who wants to route all internet traffic to their remote sites of their internet connection to Headquarters. In other words, when users connect to corporate headquarters using Cisco VPN client on their PC, we need to route all internet traffic on through the firewall of the headquarters. Head office is running a ASA place all the VPN configuration. We have a number of virtual private network set up for this customer but would welcome suggestions as to the best way to configure this particular step.

  Thank you very much.

  Hello

  This looks like back or Hairpining for VPN clients, so they could access the Internet through the tunnel.

  In which case it is a ASA 8.2 or earlier:

  permit same-security-traffic intra-interface

  NAT (outside) 1 192.168.1.0 255.255.255.0---> range of IP addresses assigned to VPN clients.

  Global 1 interface (outside)

  In which case it is an ASA 8.3 or later:

  permit same-security-traffic intra-interface

  network vpn-pool objects

  subnet 192.168.1.0 255.255.255.0

  dynamic NAT interface (outdoors, outdoor)

  !

  On the configuration of VPN:

  mypolicy group policy attributes

  Split-tunnel-policy tunnelall

  !
  tunnel-group mytunnel General-attributes

  MyPolicy defaul-group-policy

  !

  Benefits:

  1-Internet access is controlled by the ASA.

  Disadvantages:

  1 Internet connection of the ASA is severely affected, it will be used by VPN clients to access the Internet.

  Alternative solution:

  Send all traffic to a Layer 3 internal device or a server that has an external Internet connection, so the ASA forwards all traffic to this device, if this device is able to perform web filterting advance as the unit of Microsoft IIS, then you would have a powerful way to control your users and that they access, thus preventing sites such undesirable sites for adults and animation.

  To do this, all you need is:

  Route within 0 0 192.168.10.1 tunnele---> where the 192.168.10.1 corresponds to the internal device responsible for providing Internet.

  * Remember that this device must have an external connection for Internet access, not on the SAA.

  Let me know.

  Portu.

  Please note any workstation that will be useful.

  Post edited by: Javier Portuguez

• Cannot ping inside the vpn client hosts. It's a NAT problem

  Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with cisco IPSEC VPN client, and I am able to authenticate. Once I have authenticate, I'm not able to reach one of the guests inside. Below is my relevant config. Any help would be greatly appreciated.

  AAA new-model

  !

  !

  AAA authentication login default local

  radius of group AAA authentication login userauthen

  AAA authorization exec default local

  AAA authorization groupauthor LAN

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  ISAKMP crypto client configuration group businessVPN

  key xxxxxx

  DNS 192.168.10.2

  business.local field

  pool vpnpool

  ACL 108

  Crypto isakmp VPNclient profile

  businessVPN group identity match

  client authentication list userauthen

  ISAKMP authorization list groupauthor

  client configuration address respond

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

  !

  Crypto-map dynamic dynmap 10

  Set transform-set RIGHT

  Define VPNclient isakmp-profile

  market arriere-route

  !

  !

  10 ipsec-isakmp crypto map clientmap Dynamics dynmap

  interface Loopback0

  IP 10.1.10.2 255.255.255.252

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP virtual-reassembly

  !

  Null0 interface

  no ip unreachable

  !

  interface FastEthernet0/0

  IP 111.111.111.138 255.255.255.252

  IP access-group outside_in in

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  NAT outside IP

  inspect the outgoing IP outside

  IP virtual-reassembly

  automatic duplex

  automatic speed

  clientmap card crypto

  !

  the integrated-Service-Engine0/0 interface

  description Locator is initialized with default IMAP group

  IP unnumbered Loopback0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP virtual-reassembly

  ip address of service-module 10.1.10.1 255.255.255.252

  Service-module ip default gateway - 10.1.10.2

  interface BVI1

  IP 192.168.10.1 255.255.255.0

  no ip redirection

  no ip unreachable

  no ip proxy-arp

  IP nat inside

  IP virtual-reassembly

  IP nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25

  IP nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443

  IP nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389

  IP nat inside source map route nat interface FastEthernet0/0 overload

  nat extended IP access list

  deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

  refuse the 10.1.1.0 ip 0.0.0.255 192.168.109.0 0.0.0.255

  ip licensing 10.1.1.0 0.0.0.255 any

  permit ip 192.168.10.0 0.0.0.255 any

  sheep extended IP access list

  permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255

  ip permit 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255

  ip licensing 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255

  outside_in extended IP access list

  permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp

  permit any any eq 443 tcp

  permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389

  permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22

  allow any host 111.111.111.138 esp

  allow any host 111.111.111.138 eq isakmp udp

  allow any host 111.111.111.138 eq non500-isakmp udp

  allow any host 111.111.111.138 ahp

  allow accord any host 111.111.111.138

  access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255

  access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255

  access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

  !

  !

  !

  !

  route nat allowed 10 map

  match ip address nat

  1 channel ip bridge

  In my view, the acl applied to customer is back. It must allow traffic from the internal network to the pool of customers.

  To confirm, you can open the Cisco VPN client statistics (after login) then go in the route Details tab. We should see the networks you should be able to reach the customer. Make sure that the good ones are here.

  Kind regards

• Inside the server can't ping remote vpn client

  My simple vpn client can accumulate the tunnel vpn with my Office ASA5510 success and my vpn client can ping the internal server. But my internal server cannot ping the remote vpn client. Even the firewall vpn client windows is disable.

  1. in-house server can ping Internet through ASA.

  2 internal server cannot ping vpn client.

  3 Vpn client can ping the internal server.

  Why interal Server ping vpn client? ASA only does support vpn in direction to go?

  Thank you.

  Hello

  Enable inspect ICMP, this should work for you.

  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the icmp
  inspect the icmp error

  inspect the icmp

  

  To configure the ICMP inspection engine, use the command of icmp inspection in class configuration mode. Class configuration mode is accessible from policy map configuration mode.

  inspect the icmp

  HTH

  Sandy

• ASA VPN cannot ping ip local pool

  Hello

  We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...

  Thanks in advance

  Keith

  Hi Keith,

  I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)

  Can you add "same-security-traffic intra-interface permits" and try again?

  Federico.

• Easy remote VPN - IPsec Session count

  I have recently updated our ASA5510 head to our datacenter to 8.2.1 to 8.4.5. The ASD has been also improved 6.2.1 to 7.1. (1) 52. Under the old code, a connected remote ASA5505 via remote VPN easy showed 1 IPsec tunnel. However, after the upgrade, it shows 42 sessions. It seems to me that each split tunnel network defined in the easy VPN profile is being counted as a tunnel. Someone has seen this, or is - it possible that I may have something misconfigured now that the code is upgraded? Thank you.

  Dave

  No, IMHO, it's a display error in ASDM for 7.1.

  Return to ASDM 6.4.9 and it should be 1 tunnel.

• cannot ping remote ip on ASA no firewall (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

  some help me

  (Q) ping remote ip unable on ASA is not Firewall not on pc (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

  Note - I can ping PC but not the same subnet ip on ASA2 L3

  PC---> > ASA1 - ASA2<>

  Hi Matt,

  Let me answer your question in two points:

  • You cannot ping an ASA on another interface other than the one where you are connected to the ASA of.

  For example, ASA1 and ASA2 are connected through their interfaces 'outside '. ASA1 (or any other device on the external interface) can not ping/access ASA2 on his (ASA2) within the interface. The only time wherever this can be substituted is a tunnel VPN with the command "access management" configured for other interface, for example management-access inside

  • Traffic ASA1 ping to a remote client behind ASA2 won't over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward traffic based on its routing table that probably this way through its 'outside' interface Except that traffic is allowed with the ASA2 (using the ACL), it will fail.

  We can do on the routers of sourcing our ping to another interface, but it will not work on the SAA.

• Site to Site VPN - cannot ping remote subnet

  Hi all.

  I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.

  Any suggestions?

  I'm also an instant learn the ASAs, so I'm not an expert.  I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.

  Thanks in advance.

  5505 lack the command:

  management-access inside

  Federico.

• Cannot ping ASA inside the interface via VPN

  Hello

  I have a scenario with tunel VPN between a router and ASA and can ping subnet behind ASA subnet behind the router (and), but I cannot ping the ASA inside the interface on the VPN tunnel. I need to access the remote location ASDM. How can it be done?

  Thanks for your suggestions.

  Remi

  Hello

  You must have the 'inside access management' command configured on the SAA.

  If you run a 8.3 software or newer on the SAA, should also look at the configuration 'nat' IF the above command solves your problem

  -Jouni