Cannot ping via remote VPN
Hi all
I have a client who uses a 506e with the cleint 4.02 for the remote VPN Cisco. The pix is multiple inside roads. The first network inside is 192.168.1.X and E1 of the 506 is 192.168.1.1. The second network is 10.71.56.X.
The problem is as soon as the VPN is connected I can ping any host on the 192.168.1.X, but not anything on the 10.71.56.X network. Without netbios or the other. From the PIX, I can ping hosts on two internal networks.
Here is the config below. Thank you!
6.2 (2) version PIX
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the password xxxxx
passwd xxxxxxx
hostname GNB - PIX
cisco.com-domain name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol 2000 skinny
names of
QUBEADMIN tcp service object-group
Beach of port-object 444 444
outside_access_in list access permit tcp any host 12.X.X.X eq pop3
outside_access_in list access permit tcp any host 12.X.X.X eq smtp
outside_access_in list access permit tcp any host 12.X.X.X EQ field
outside_access_in list access permit tcp any host 12.X.X.X eq www
outside_access_in list access permit tcp any host 12.X.X.X QUBEADMIN object-group
outside_access_in list access permit icmp any any echo response
access-list outside_access_in allow icmp all once exceed
outside_access_in list access permit tcp any host 12.169.2.21 eq ssh
GNB_splitTunnelAcl ip 10.71.56.0 access list allow 255.255.255.0 any
outside_cryptomap_dyn_20 ip access list allow any 10.71.56.32 255.255.255.224
pager lines 24
opening of session
timestamp of the record
logging paused
logging buffered stored notifications
Logging trap errors
notifications to the history of logging
the logging queue 0
host of logging inside the 10.71.55.10
logging out of the 192.104.109.91 host
interface ethernet0 car
Auto interface ethernet1
ICMP allow any inside
Outside 1500 MTU
Within 1500 MTU
IP address outside 12.X.X.X 255.255.254.0
IP address inside 192.168.1.254 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
local IP VPNPOOL 10.71.56.40 pool - 10.71.56.50
history of PDM activate
ARP timeout 14400
Global interface 10 (external)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 10 0.0.0.0 0.0.0.0 0 0
public static 12.X.X.X (Interior, exterior) 192.168.1.1 mask subnet 255.255.255.255 0 0
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 12.X.X.X 1
Route inside 10.71.55.0 255.255.255.0 192.168.1.1 1
Route inside 10.71.56.0 255.255.255.0 192.168.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
the ssh LOCAL console AAA authentication
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
ISAKMP allows outside
part of pre authentication ISAKMP policy 20
ISAKMP policy 20 3des encryption
ISAKMP policy 20 chopping sha
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
vpngroup address VPNPOOL pool GUARD
vpngroup dns-server 10.71.56.10 GNB 10.71.56.10
GNB GNB_splitTunnelAcl vpngroup split tunnel
vpngroup GNB 1800 idle time
GNB vpngroup password *.
Telnet timeout 5
SSH timeout 60
Terminal width 80
Cryptochecksum:XXXXX
: end
[OK]
GNB - PIX #.
You use 10.71.56.0 255.255.255.0 in two places
you route to it via 192.168.1.1, but you're also allocation of addresses for vpn clients. Guests who are on the segment 10.71.56.0/24, if they manage to get the connected vpn client package (which is assigned a 10.71.56.x) address, would not send the response packet to this request on the local subnet, the router that has the 192.168.1.1 interface, which is what would be needed to make it work.
You must use a different network for your vpn clients block - you cannot use the same ip through two different networks space.
Tags: Cisco Security
Similar Questions
-
cannot ping between remote vpn site?
vpn l2l site A, site B is extension vpn network, connect to the same vpn device 5510 to the central office and work well. I can ping from central office for two remote sites, but I cannot ping between these two vpn sites? Tried to debug icmp, I can see the icmp side did reach central office but then disappeared! do not send B next? Help, please...
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
!
object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0
!
extended OUTSIDE allowed a whole icmp access list
HOLT-VPN-ACL extended access-list allow ip object-CBO-NET object group SITE-a.
!
destination SITE-a NAT (outside, outside) static source SITE - a static SITE to SITE-B-B
!
address for correspondence card crypto VPN-card 50 HOLT-VPN-ACL
card crypto VPN-card 50 peers set *. *.56.250
card crypto VPN-card 50 set transform-set AES-256-SHA ikev1
VPN-card interface card crypto outside
!
internal strategy group to DISTANCE-NETEXTENSION
Remote CONTROL-NETEXTENSION group policy attributes
value of DNS server *. *. *. *
VPN-idle-timeout no
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value REMOTE-NET2
value by default-field *.org
allow to NEM
!
remote access of type tunnel-group to DISTANCE-NETEXTENSION
Global DISTANCE-NETEXTENSION-attributes tunnel-group
authentication-server-group (inside) LOCAL
Group Policy - by default-remote CONTROL-NETEXTENSION
IPSec-attributes tunnel-group to DISTANCE-NETEXTENSION
IKEv1 pre-shared-key *.
tunnel-group *. *.56.250 type ipsec-l2l
tunnel-group *. *.56.250 ipsec-attributes
IKEv1 pre-shared-key *.
!!
ASA - 5510 # display route. include the 192.168.42
S 192.168.42.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA - 5510 # display route. include the 192.168.46
S 192.168.46.0 255.255.255.0 [1/0] via *. *. 80.1, outside
ASA-5510.!
Username: Laporte-don't Index: 10
Assigned IP: 192.168.46.0 public IP address: *. *.65.201
Protocol: IKEv1 IPsecOverNatT
License: Another VPN
Encryption: 3DES hash: SHA1
TX Bytes: bytes 11667685 Rx: 1604235
Group Policy: Group remote CONTROL-NETEXTENSION Tunnel: remote CONTROL-NETEXTENSION
Opening time: 08:19:12 IS Thursday, February 12, 2015
Duration: 6 h: 53 m: 29 s
Inactivity: 0 h: 00 m: 00s
Result of the NAC: unknown
Map VLANS: VLAN n/a: no
!
ASA - 5510 # display l2l vpn-sessiondbSession type: LAN-to-LAN
Connection: *. *.56.250
Index: 6 IP Addr: *. *.56.250
Protocol: IPsec IKEv1
Encryption: AES256 3DES hash: SHA1
TX Bytes: bytes 2931026707 Rx: 256715895
Connect time: 02:00:41 GMT Thursday, February 12, 2015
Duration: 13: 00: 10:00Hi Rico,
You need dynamic nat (for available IP addresses) for the two side to every subset of remote access to the other side remote subnet and so they can access every other subnet as if both from the traffic from your central location.
example:
Say, this IP (10.10.10.254) is unused IP to the central office, allowed to access remote tunnel 'A' and 'B' of the site.
object-group network SITE-a.
object-network 192.168.42.0 255.255.255.0
!
object-group network SITE-B
object-network 192.168.46.0 255.255.255.0dynamic source destination SITE-a. 10.10.10.254 NAT (outdoors, outdoor)
public static SITE SITE-B-Bdestination NAT (outdoors, outdoor) SITE-B 10.10.10.254 dynamic source
SITE static-SITE aHope this helps
Thank you
Rizwan James
-
Cannot ping via the VPN client host when static NAT translations are used
Hello, I have a SRI 3825 configured for Cisco VPN client access.
There are also several hosts on the internal network of the static NAT translations have a services facing outwards.
Everything works as expected with the exception that I cannot ping hosts on the internal network once connected via VPN client that is internal IP addresses have the static NAT translations in external public addresses, I ping any host that does not have static NAT translation.
For example, in the example below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping to the internal interface of the router, and any other host on the LAN, I can ping all hosts in the router itself.
Any help would be appreciated.
Concerning
!
session of crypto consignment
!
crypto ISAKMP policy 10
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group vpnclient
key S3Cu4Ke!
DNS 192.168.1.1 192.168.1.2
domain domain.com
pool dhcppool
ACL 198
Save-password
PFS
netmask 255.255.255.0
!
!
Crypto ipsec transform-set-SECURE 3DES esp-3des esp-sha-hmac
!
Crypto-map dynamic dynmap 10
86400 seconds, life of security association set
game of transformation-3DES-SECURE
market arriere-route
!
card crypto client cryptomap of authentication list drauthen
card crypto isakmp authorization list drauthor cryptomap
client configuration address card crypto cryptomap answer
map cryptomap 65535-isakmp ipsec crypto dynamic dynmap
!
interface GigabitEthernet0/0
NAT outside IP
IP 1.2.3.4 255.255.255.240
cryptomap card crypto
!
interface GigabitEthernet0/1
IP 192.168.1.254 255.255.255.0
IP nat inside
!
IP local pool dhcppool 192.168.2.50 192.168.2.100
!
Note access-list 198 * Split Tunnel encrypted traffic *.
access-list 198 allow ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255!
Note access-list 199 * NAT0 ACL *.
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any!
Sheep allowed 10 route map
corresponds to the IP 199!
IP nat inside source map route sheep interface GigabitEthernet0/0 overload!
IP nat inside source static 192.168.1.1 1.2.3.5
IP nat inside source static 192.168.1.2 1.2.3.6The problem seems to be that static NAT take your nat exemption.
The solution would be:
IP nat inside source static 192.168.1.1 1.2.3.5 sheep map route
IP nat inside source static 192.168.1.2 1.2.3.6 sheep map routeHTH
Herbert
-
QuickVPN - could not do a ping the remote VPN router!
Hello
I have a RV042 (VPN router) and I have some problems to run properly using the QuickVPN client.
Here is the Log of the QuickVPN client.
2008-10-15 20:14:38 [STATUS] a network interface detected with 192.168.0.104 IP address
2008-10-15 20:14:38 [STATUS] connection...
2008-10-15 20:14:38 [STATUS] connection to a remote gateway with IP address: 96.20.174.84
2008-10-15 20:14:38 [WARNING] server certificate does not exist on your local computer.
2008-10-15 20:14:44 remote gateway [STATE] has been reached with https...
2008-10-15 20:14:44 [STATUS] commissioning...
2008-10-15 20:14:51 [STATUS] Tunnel is connected successfully.
2008-10-15 20:14:51 [STATUS] verification of network...
2008-10-15 20:14:55 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:14:58 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:01 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:05 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:08 [WARNING] failed to do a ping the remote VPN router!
2008-10-15 20:15:11 [WARNING] Ping has been blocked, which can be caused by an unexpected disconnection.
2008-10-15 20:15:19 [STATUS] disconnection...
2008-10-15 20:15:25 [STATUS] Tunnel is disconnected successfully.I don't know how it is implemented, but if WuickVPN wait a form ping my router, it will not happen. I was never able to ping my router ouside of my ISP network.
There is a way to disable the Ping process and continue with the VPN connection?
QuickVPN try ping on the router via the VPN tunnel to check the connection. It should work without worrying about whether your ISP filters ICMP messages or not. The tunnel is encrypted your ISP won't know what you're doing.
Please post the corresponding on the RV042 VPN log. That is expected to see how far you get.
You have a firewall running on the computer? I think that some firewalls have difficulty with the traffic of ESP.
What is the router that is connected to the computer? How is it that is configured?
-
Cannot ping ASA remote on an L2L
I have an ASA5520, and about 10 of 5505. Site running all at the Sites. The tunnels are in place and everything worked fine. Well on the side room, I cannot ping the ASA remote, but I can ping all devices behind it. On the remote side I ping the 5520 and everything else on my network I encouraged. When I look at the newspaper of the ASDM on the 5520, that there is no evidence related to the ping for the 5505. I don't see where it blocks the ICMP on the 5505. It just says:
"6 August 14, 2008 05:40:49 302020 10.0.3.69 192.168.1.101 built outgoing ICMP connection for faddr gaddr laddr 192.168.1.101/0 192.168.1.101/0 10.0.3.69/512.
and
"6 August 14, 2008 05:40:49 302021 10.0.3.69 192.168.1.101 connection disassembly ICMP for faddr gaddr laddr 192.168.1.101/0 192.168.1.101/0 10.0.3.69/512.
It is a normal traffic for a S2S I guess. While I am trying to get this to work I have it configured,.
ICMP allow any inside
"ICMP allow all outside.
Any suggestions?
If you try to ping inside the interface through the tunnel, try to add...
management-access inside
-
Cannot Ping across the VPN remote access
Hello world
I hope I posted this in the right place!
I'm a bit new to Cisco IOS, so please forgive me if I ask a stupid question!
We have a firewall of 515E PIX 6.3 (4) on which I used the VPN Wizard to set up a remote access VPN the Cisco VPN client on the external interface.
When I connect to home on my laptop Windows XP Pro SP2 running Cisco VPN Client 4.0.5(C) I seem to be able to connect to most of the network resources (IE file shares, I can RDP into servers, etc.) but I can't seem to be able to ping anything : I just request times out.
I'm sure it's something stupid I've done (or not done).
I have attached my config and would be grateful if someone could take a look and point me in the right direction.
Thanks in advance for your help,
Peter.
Hi Peter,.
You must add a line to the inside_access_in access list:
Enable
conf t
access-list inside_access_in allow icmp a whole
output
write members
Kind regards
Cathy
-
Currently, I get to work with WRT54GL router for customers who are looking for a cheaper camera, I am trying to ping the public IP address of remote, so we could properly monitor these devices and I get a timeout of the request, I looked at the settings that I couldn't find anything to help me on this Please let me know if anyone has had knowledge of how do.
It's on the Security tab. I think that on the WRT54GL called 'Block anonymous Internet requests. Turn this option off.
If she's not still go through, it may also be the ISP blocks...
-
INTERNET VIA REMOTE VPN ACCESS
We have a customer who wants to route all internet traffic to their remote sites of their internet connection to Headquarters. In other words, when users connect to corporate headquarters using Cisco VPN client on their PC, we need to route all internet traffic on through the firewall of the headquarters. Head office is running a ASA place all the VPN configuration. We have a number of virtual private network set up for this customer but would welcome suggestions as to the best way to configure this particular step.
Thank you very much.
Hello
This looks like back or Hairpining for VPN clients, so they could access the Internet through the tunnel.
In which case it is a ASA 8.2 or earlier:
permit same-security-traffic intra-interface
NAT (outside) 1 192.168.1.0 255.255.255.0---> range of IP addresses assigned to VPN clients.
Global 1 interface (outside)
In which case it is an ASA 8.3 or later:
permit same-security-traffic intra-interface
network vpn-pool objects
subnet 192.168.1.0 255.255.255.0
dynamic NAT interface (outdoors, outdoor)
!
On the configuration of VPN:
mypolicy group policy attributes
Split-tunnel-policy tunnelall
!
tunnel-group mytunnel General-attributesMyPolicy defaul-group-policy
!
Benefits:
1-Internet access is controlled by the ASA.
Disadvantages:
1 Internet connection of the ASA is severely affected, it will be used by VPN clients to access the Internet.
Alternative solution:
Send all traffic to a Layer 3 internal device or a server that has an external Internet connection, so the ASA forwards all traffic to this device, if this device is able to perform web filterting advance as the unit of Microsoft IIS, then you would have a powerful way to control your users and that they access, thus preventing sites such undesirable sites for adults and animation.
To do this, all you need is:
Route within 0 0 192.168.10.1 tunnele---> where the 192.168.10.1 corresponds to the internal device responsible for providing Internet.
* Remember that this device must have an external connection for Internet access, not on the SAA.
Let me know.
Portu.
Please note any workstation that will be useful.
Post edited by: Javier Portuguez
-
Cannot ping inside the vpn client hosts. It's a NAT problem
Hello everyone, I'm running into what seems to be a cause of exclusion with an IOS IPSEC VPN NAT/nat. I can connect to the VPN with cisco IPSEC VPN client, and I am able to authenticate. Once I have authenticate, I'm not able to reach one of the guests inside. Below is my relevant config. Any help would be greatly appreciated.
AAA new-model
!
!
AAA authentication login default local
radius of group AAA authentication login userauthen
AAA authorization exec default local
AAA authorization groupauthor LAN
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group businessVPN
key xxxxxx
DNS 192.168.10.2
business.local field
pool vpnpool
ACL 108
Crypto isakmp VPNclient profile
businessVPN group identity match
client authentication list userauthen
ISAKMP authorization list groupauthor
client configuration address respond
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
Define VPNclient isakmp-profile
market arriere-route
!
!
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
interface Loopback0
IP 10.1.10.2 255.255.255.252
no ip redirection
no ip unreachable
no ip proxy-arp
IP virtual-reassembly
!
Null0 interface
no ip unreachable
!
interface FastEthernet0/0
IP 111.111.111.138 255.255.255.252
IP access-group outside_in in
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
inspect the outgoing IP outside
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
the integrated-Service-Engine0/0 interface
description Locator is initialized with default IMAP group
IP unnumbered Loopback0
no ip redirection
no ip unreachable
no ip proxy-arp
IP virtual-reassembly
ip address of service-module 10.1.10.1 255.255.255.252
Service-module ip default gateway - 10.1.10.2
interface BVI1
IP 192.168.10.1 255.255.255.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly
IP nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
IP nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
IP nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
IP nat inside source map route nat interface FastEthernet0/0 overload
nat extended IP access list
deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
refuse the 10.1.1.0 ip 0.0.0.255 192.168.109.0 0.0.0.255
ip licensing 10.1.1.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
sheep extended IP access list
permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
ip permit 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
ip licensing 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
outside_in extended IP access list
permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
permit any any eq 443 tcp
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
allow any host 111.111.111.138 esp
allow any host 111.111.111.138 eq isakmp udp
allow any host 111.111.111.138 eq non500-isakmp udp
allow any host 111.111.111.138 ahp
allow accord any host 111.111.111.138
access-list 108 allow ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 allow ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
!
!
!
!
route nat allowed 10 map
match ip address nat
1 channel ip bridge
In my view, the acl applied to customer is back. It must allow traffic from the internal network to the pool of customers.
To confirm, you can open the Cisco VPN client statistics (after login) then go in the route Details tab. We should see the networks you should be able to reach the customer. Make sure that the good ones are here.
Kind regards
-
Inside the server can't ping remote vpn client
My simple vpn client can accumulate the tunnel vpn with my Office ASA5510 success and my vpn client can ping the internal server. But my internal server cannot ping the remote vpn client. Even the firewall vpn client windows is disable.
1. in-house server can ping Internet through ASA.
2 internal server cannot ping vpn client.
3 Vpn client can ping the internal server.
Why interal Server ping vpn client? ASA only does support vpn in direction to go?
Thank you.
Hello
Enable inspect ICMP, this should work for you.
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the icmp
inspect the icmp errorinspect the icmp
To configure the ICMP inspection engine, use the command of icmp inspection in class configuration mode. Class configuration mode is accessible from policy map configuration mode.
inspect the icmp
HTH
Sandy
-
ASA VPN cannot ping ip local pool
Hello
We have ASA 5510 a device be deployed for a period of time. Everything works fine except customers local VPN cannot ping local customer VPN which get their IP address to the local swimming pool. They can ping anywhere on the local network of company, but not each other. I don't know there's a logical explantion for this because of an ACL but all appreciated the advice...
Thanks in advance
Keith
Hi Keith,
I think that, in order to allow a customer VPN reach another VPN client, the SAA should turn the VPN traffic (because it will receive the traffic of a VPN tunnel and re - again to send another tunnel.)
Can you add "same-security-traffic intra-interface permits" and try again?
Federico.
-
Easy remote VPN - IPsec Session count
I have recently updated our ASA5510 head to our datacenter to 8.2.1 to 8.4.5. The ASD has been also improved 6.2.1 to 7.1. (1) 52. Under the old code, a connected remote ASA5505 via remote VPN easy showed 1 IPsec tunnel. However, after the upgrade, it shows 42 sessions. It seems to me that each split tunnel network defined in the easy VPN profile is being counted as a tunnel. Someone has seen this, or is - it possible that I may have something misconfigured now that the code is upgraded? Thank you.
Dave
No, IMHO, it's a display error in ASDM for 7.1.
Return to ASDM 6.4.9 and it should be 1 tunnel.
-
some help me
(Q) ping remote ip unable on ASA is not Firewall not on pc (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance
Note - I can ping PC but not the same subnet ip on ASA2 L3
PC---> > ASA1 - ASA2<>
Hi Matt,
Let me answer your question in two points:
- You cannot ping an ASA on another interface other than the one where you are connected to the ASA of.
For example, ASA1 and ASA2 are connected through their interfaces 'outside '. ASA1 (or any other device on the external interface) can not ping/access ASA2 on his (ASA2) within the interface. The only time wherever this can be substituted is a tunnel VPN with the command "access management" configured for other interface, for example management-access inside
- Traffic ASA1 ping to a remote client behind ASA2 won't over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward traffic based on its routing table that probably this way through its 'outside' interface Except that traffic is allowed with the ASA2 (using the ACL), it will fail.
We can do on the routers of sourcing our ping to another interface, but it will not work on the SAA.
-
Site to Site VPN - cannot ping remote subnet
Hi all.
I have a site to site VPN IPSEC between a 5510 (HQ) and 5505 (Remote). Everything works on the tunnel. Crypto cards and ACL is symmetrical. I see that the tunnel is in place for the required subnets. However, I can not ping of internal subnets inside 5510 to Remote LAN inside 5505 and vice versa. I have other rays VPN 5510 where I can ping within remote LAN successfully x.x.x.x. Can figure out what I'm missing. I can ping internet points, but cannot ping HQ.
Any suggestions?
I'm also an instant learn the ASAs, so I'm not an expert. I know that I encouraged outside ICMP. My statement SHEEP and crypto are running off of the same group of objects that lists subnets of HQ.
Thanks in advance.
5505 lack the command:
management-access inside
Federico.
-
Cannot ping ASA inside the interface via VPN
Hello
I have a scenario with tunel VPN between a router and ASA and can ping subnet behind ASA subnet behind the router (and), but I cannot ping the ASA inside the interface on the VPN tunnel. I need to access the remote location ASDM. How can it be done?
Thanks for your suggestions.
Remi
Hello
You must have the 'inside access management' command configured on the SAA.
If you run a 8.3 software or newer on the SAA, should also look at the configuration 'nat' IF the above command solves your problem
-Jouni
Maybe you are looking for
-
Remove the extraneous information in the bookmarks sidebar
Is attached a screenshot of Mozilla Firefox 42 on my Windows 7 PC. I like having the bookmarks bar, but want to remove the foreign text following at the top of the sidebar: 1. the word "Bookmarks" immediately under the top left of the sidebar bookmar
-
what it means when it says this copy of windows has failed the windows genuine validation?
one day, I was Tremblay download off the internet, there are a few things but I had to install, not that I REALLY new what I was doing, lol. Finally anyway, now whenever I turn on my computer, after I login, HERE, on my desk, it displays a message sa
-
A6000 more can't find advanced wifi setting
I'm on a6000 KitKat 151016 update.I have problem with my WiFi and need to access the advanced WiFi setting. but I can't find it anywhere. It should be 3 point on the windows on the right low wireless but it is not found. Please help me.
-
When I try to connect to the internet, Access Manager prevents me from...
.. connection as he claims sides not installed, how to fix this? I don't have a supervisor password to disable...
-
Try the Preview movie but otherwise
HelloLast year when I started using After Effects CC I could preview the entire sequence RAM, I was working on. But since Adobe took out the RAM Preview and it changed just an excerpt from I can get 8 seconds maximum.Usually, I'm working on sequences