My ASA cannot ping the LAN address

I built an EzVPN on an ASA. I can access the ASA and ping the inside interface address successfully, but from my Windows 7 client I cannot ping the interconnect address 10.100.255.2. I don't know how to solve the problem. Could anyone help me? Thank you.

The configuration:

ASA5520# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname asa5520
domain-name sxng
enable password DOAXe2w/ilkXwCIz encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.255.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address x.x.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 nameif wireless
 security-level 10
 ip address x.x.x.x 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/pix723.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name sxng
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any

tunnel of splitting allowed access list standard 10.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip any 10.100.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.100.254.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.100.254.0 255.255.255.0
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host x.x.x.x eq www
access-list acl_out extended permit tcp any host x.x.x.x eq 9000
access-list acl_out extended permit udp any host x.x.x.x eq 9000

........

......

access-list acl_out extended permit ip any 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp 10.1.10.0 255.255.255.0 any eq 5000
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list wireless_access_in extended permit ip any any
access-list wireless_access_in extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging list vpn-event level emergencies
logging list vpn-event message 109001-109028
logging list vpn-event message 113001-113019
logging buffer-size 5000
logging console informational
logging buffered debugging
logging trap debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu wireless 1500
mtu management 1500
ip local pool vpnpool 10.100.254.1-10.100.254.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
global (dmz) 1 10.100.253.101-10.100.253.200 netmask 255.255.255.0
global (wireless) 1 172.16.255.101-172.16.255.200 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.14 255.255.255.255
nat (inside) 1 10.1.13.100 255.255.255.255
nat (wireless) 1 172.16.0.0 255.255.0.0
static (dmz,outside) tcp x.x.x.x www 10.100.253.1 www netmask 255.255.255.255

.......

.........

static (inside, dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255

static (inside, dmz) 10.1.1.16 10.1.1.16 netmask 255.255.255.255

static (dmz, external) 10.100.253.20 x.x.x.x 255.255.255.255 netmask

static (dmz, external) 10.100.253.32 x.x.x.x 255.255.255.255 netmask

Access-group acl_out in interface outside

acl_inside access to the interface inside group

Access-group interface inside acl_inside

access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.0.0.0 10.100.255.1 1
route inside 10.0.0.0 255.0.0.0 10.100.255.2 1
route wireless 172.16.0.0 255.255.0.0 172.16.255.1 1
!
router ospf 1
 network 10.67.180.0 255.255.255.255 area 0
 network 0.0.0.0 0.0.0.0 area 1
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.0.0.0 inside
telnet 10.100.0.0 255.255.0.0 inside
telnet 10.100.255.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 wireless
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd dns x.x.x.x
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
group-policy sxnggroup internal
group-policy sxnggroup attributes
 dns-server value 202.99.192.68
 ip-comp enable
 split-tunnel-policy tunnelspecified

Split-tunnel-network-list value split tunnel

username sxtrq password Y6cwK1wOhbhJ6YI/ encrypted
username maboai password R6eu6P1iKIwFIFjS encrypted
username winet password FwZ0ghxvIpXOepvf encrypted
tunnel-group sxnggroup type ipsec-ra
tunnel-group sxnggroup general-attributes
 address-pool vpnpool
 default-group-policy sxnggroup
tunnel-group sxnggroup ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:119ae137eef5ed97d38b4e2f90ed46d7
: end

ASA5520# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 202.97.158.177 to network 0.0.0.0

C    x.x.x.x 255.255.255.248 is directly connected, outside
C    172.16.255.0 255.255.255.0 is directly connected, wireless
S    172.16.0.0 255.255.0.0 [1/0] via 172.16.255.1, wireless
S    10.0.0.0 255.0.0.0 [1/0] via 10.100.255.1, inside
                        [1/0] via 10.100.255.2, inside
C    10.100.255.0 255.255.255.0 is directly connected, inside
S    10.100.254.2 255.255.255.255 [1/0] via x.x.x.x, outside
C    10.100.253.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside

ASA5520# sh arp
        outside x.x.x.x 00d0.d0c6.9181
        outside x.x.x.x 00d0.d0c6.9181
        outside 224.0.0.5 0100.5e00.0005
        inside 224.0.0.5 0100.5e00.0005
        inside 10.100.255.1 0000.0c07.acff
        inside 10.100.255.2 001c.b0cb.5ec0
        dmz 10.100.253.20 60a4.4c23.3032
        dmz 224.0.0.5 0100.5e00.0005
        dmz 10.100.253.1 001a.6436.6df6
        wireless 224.0.0.5 0100.5e00.0005
        wireless 172.16.255.1 0026.98c6.41c8

Try using the "show crypto ipsec sa" command and watch the encaps and decaps packet counters; hopefully they are not incrementing too fast. You should see both increase when a ping succeeds and only one side increase when it fails. Check both sides of the VPN, and this should give you an idea of where the problem is. If the encaps packets are increasing on the ASA local to your Win7 PC and the decaps are increasing on the remote ASA but the encaps there are not, then the issue is with packets from the remote side. I hope this will help you determine the location of the problem so that you can focus your search there.
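The counter check described in the answer above, as an added example that is not part of the original thread: it parses two snapshots of "show crypto ipsec sa" taken before and after a test ping and reports which counter moved for each peer. The sample output, the peer address 198.51.100.7, the username and the verdict wording are constructed for illustration; only the crypto map name and the pool address come from the posted configuration.

```python
import re

# Lines of interest in ASA "show crypto ipsec sa" output.
PEER_RE = re.compile(r"current_peer:\s*([0-9A-Fa-f.:]+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

# How this example reads each outcome (its own wording, not the thread's).
HINTS = {
    "both": "traffic passes through the tunnel in both directions",
    "encaps-only": "this device encrypts and sends, nothing returns from the peer",
    "decaps-only": "packets arrive from the peer, no reply is encrypted back; "
                   "check the return path behind this device (routing, NAT exemption)",
    "none": "the test traffic never reached this SA",
    "reset": "counters went backwards (SA rekeyed or cleared); take new snapshots",
}


def sample_output(encaps, decaps):
    """Constructed 'show crypto ipsec sa' text for one remote-access SA."""
    return (
        "interface: outside\n"
        "    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 192.0.2.1\n"
        "\n"
        "      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)\n"
        "      remote ident (addr/mask/prot/port): (10.100.254.2/255.255.255.255/0/0)\n"
        "      current_peer: 198.51.100.7, username: user1\n"
        "      dynamic allocated peer ip: 10.100.254.2\n"
        "\n"
        f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
    )


def parse_sa_counters(text):
    """Return {peer: {"encaps": n, "decaps": n}}, summed over all SAs of a peer."""
    counters = {}
    peer = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, {"encaps": 0, "decaps": 0})
            continue
        if peer is None:
            continue  # counter lines before any current_peer line are ignored
        m = ENCAPS_RE.search(line)
        if m:
            counters[peer]["encaps"] += int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            counters[peer]["decaps"] += int(m.group(1))
    return counters


def classify(before, after):
    """Compare two snapshots; return {peer: (encaps_delta, decaps_delta, verdict)}."""
    results = {}
    for peer, now in after.items():
        prev = before.get(peer, {"encaps": 0, "decaps": 0})
        d_enc = now["encaps"] - prev["encaps"]
        d_dec = now["decaps"] - prev["decaps"]
        if d_enc < 0 or d_dec < 0:
            verdict = "reset"
        elif d_enc > 0 and d_dec > 0:
            verdict = "both"
        elif d_enc > 0:
            verdict = "encaps-only"
        elif d_dec > 0:
            verdict = "decaps-only"
        else:
            verdict = "none"
        results[peer] = (d_enc, d_dec, verdict)
    return results


if __name__ == "__main__":
    # Constructed scenario: four echo requests from the VPN client reach the
    # ASA (decaps +4) but no echo reply is encrypted back (encaps +0).
    before = parse_sa_counters(sample_output(40, 52))
    after = parse_sa_counters(sample_output(40, 56))
    for peer, (d_enc, d_dec, verdict) in classify(before, after).items():
        print(f"{peer}: encaps +{d_enc}, decaps +{d_dec} -> {HINTS[verdict]}")
```

Run the same comparison on the device at the other end of the tunnel as well, since the answer's method depends on seeing which side stops counting.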

Tags: Cisco Security

Similar Questions

  • New Win 7 computer cannot access the IP address of the network printer. Help, please.

    Greetings,

    -----------------------------------------------------------------------------------------------------------------------

    UPDATE: We have found the solution to this problem, and I posted an explanation as well as two ways to solve it in my 2nd post on May 5, 2015. Scroll down to it for the solution. Unfortunately, Microsoft does not allow the OP to mark one of their own messages as 'the Answer', so this thread continues to be listed as "no answer" when it has actually been answered.

    -----------------------------------------------------------------------------------------------------------------------

    The original message follows...

    We cannot connect a new Win 7 (64-bit) computer to an ethernet printer set up on our local 'work' network. We have reached the limit of our troubleshooting skills and need expert assistance.

    Our Local network
    ------------------------
    The printer is a Dell 5100cn workgroup laser that is connected via an ethernet cable to a 10/100 workgroup switch 5-port Cisco/Linksys. The switch is connected to the built-in cable Motorola modem / 4 port gigabit router / WiFi access point. There is no server between the printer and the network.

    Other computers on the network run also Win 7 and have no trouble seeing and using the printer. Some computers are connected via a gigabit ethernet cable to the router Motorola. Other computers connect wireless WiFi (once again, by the same Motorola device). All computers, including the new ones, are attributed to the same workgroup.

    The printer has a static IP address. It also has an integrated Web page accessible within the network via a browser to view the status of the printer. All previous computers can view the status of the printer Web page by entering its IP address in a browser.

    The new Win 7 computer
    --------------------------------
    At the Windows command prompt, we successfully pinged the IP address of the printer and received a reply. However, we are unable to connect to the IP address of the printer (and its status Web page) with a browser. And we cannot find the printer when we install the printer driver. We tried turning off the Windows Firewall and it did not help.

    When we install the driver, we set it up as a 'local' printer and create a new "Standard TCP/IP Port" for it. We enter the static IP address of the printer and name the port. We set the protocol to "LPR", enter the queue name ("lp") and enable SNMP status with the community name 'public' and the index "1". These settings have worked very well with our previous computers.

    When the time comes to 'choose printer', we select 'Have Disk...' and use the Dell 64-bit driver for this printer. But it does not work and does not print a test page. We even tried to install the driver as a 'network' printer, but that does not work, either. In addition, the 'local' method always seemed to work best in the past.

    The new computer has no trouble seeing other computers and devices on the network. For example, there is a NAS connected to the same Cisco/Linksys switch as the printer, and the computer can access the NAS via its static IP address. The new computer can also access the internet. It just can't use the IP address of the printer. We even tried changing the IP address of the printer, but that did not help either.

    Despite the fact that ping works from the command prompt, the Windows network troubleshooter indicates that the printer is not responding. What are we missing? Help, please.

    Greetings,

    I hope that this will be our last post on this subject. We have discovered the source of the problem and can offer two 'fixes' in case someone else runs into the same situation.

    With the help of MSConfig and a process of elimination, we have disabled non-Microsoft services that were running on the computer until we discovered that "Qualcomm Atheros Killer Service V2" was the source of the problem.

    Explanation

    ----------------

    Our new Win 7 computer contains a Qualcomm Atheros e2200 ethernet/WiFi/Bluetooth communication module. The manufacturer provides a "Killer Network Manager" for this system. Its purpose is to monitor and control the flow of data over a network connection in order to optimize it. For example, the user can choose to give program A high priority and program B low priority. This ensures that program A sees less lag in its network traffic.

    The primary market for this function, so far, has been online gaming (hence the name 'Killer'). It allows players to channel the bulk of the available bandwidth to their game and away from other programs and services that are running at the same time. A faster online response gives the player the advantage needed to get the "kill" before someone else.

    This bandwidth control system interfered with the return data packets on our network, cutting off communication between our computer and our printer.

    Fix 1

    --------------

    The simplest solution for us was to disable 'Qualcomm Atheros bandwidth control' for the ethernet NIC. This was accomplished by going to: Windows Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings (in the sidebar). Then we clicked on our Local Area Connection (our ethernet NIC) and selected the 'Properties' command. Finally, on the Networking tab, we disabled 'Qualcomm Atheros bandwidth control' and clicked the 'OK' button to close.

    All that was needed after that was a quick restart, and we were able to access our printer even with the Killer Network Manager and the Qualcomm Atheros Killer Service V2 running.

    By the way, we left the bandwidth control function enabled for our wireless (WiFi) network connection because we do not plan on using this network printer when the computer is untethered from ethernet.

    Fix 2

    --------------

    If you don't want the Killer Network Manager running on your computer, you may be tempted to uninstall it. Do not! Uninstalling it will also uninstall the drivers needed for your ethernet, WiFi and possibly your Bluetooth as well. We heard that some users have contacted Qualcomm and were able to coax out of them the necessary comm drivers without the "Killer" baggage. But you don't need to do that, either.

    All you need to do is: (1) remove the 'Killer Network Manager' from the "Startup" folder of the Windows Start menu (under "Programs") and (2) using MSConfig, uncheck "Qualcomm Atheros Killer Service V2" under the 'Services' section. Then reboot and you're good to go. The Killer Network Manager and its service will not run.

    Incidentally, the reason we did not choose this method ourselves is that we see some merit in having Killer Network Manager available so that we can block network traffic to selected programs. Fix 1 makes this easy because the Ethernet bandwidth control can be quickly re-enabled if it is ever desired. And we are leaving it enabled for our WiFi.

    Best regards, David-EH

  • CANNOT ACCESS THE LAN WITH THE EASY VPN CONFIGURATION

    Hello

    I configured an Easy VPN server on a Cisco 1905 ISR using CCP. The router is already configured with a zone-based firewall. With the VPN client I can reach only as far as the internal interface of the router, but cannot access my company's LAN. Do I need to change any ZBF configuration, since it is configured as "deny everything" from outside to inside? If so, which protocols should I match? Also, is any NAT exemption needed for VPN clients? Please help me! Thanks in advance.

    Please see my full configuration:

    Router #sh run
    Building configuration...

    Current configuration: 8150 bytes
    !
    ! Last modification of the configuration at 05:40:32 UTC Wednesday, July 4, 2012 by
    ! NVRAM config updated 06:04 UTC Tuesday, July 3, 2012 by
    ! NVRAM config updated 06:04 UTC Tuesday, July 3, 2012 by
    version 15.1
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    no password encryption service
    !
    router host name
    !
    boot-start-marker
    boot-end-marker
    !
    !
    Passwords security min-length 6
    no set record in buffered memory
    enable secret 5 xxxxxxxxxxx
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    AAA authentication login ciscocp_vpn_xauth_ml_1 local
    AAA authorization exec default local
    AAA authorization ciscocp_vpn_group_ml_1 LAN
    !
    !
    !
    !
    !
    AAA - the id of the joint session
    !
    !
    No ipv6 cef
    IP source-route
    no ip free-arps
    IP cef
    !
    Xxxxxxxxx name server IP
    IP server name yyyyyyyyy
    !
    Authenticated MultiLink bundle-name Panel
    !

    parameter-map local urlfpolicy TSQ-URL-FILTER type
    offshore alert
    block-page message "Blocked according to policy"
    parameter-card type urlf-glob FACEBOOK
    model facebook.com
    model *. Facebook.com

    parameter-card type urlf-glob YOUTUBE
    mires of youtube.com
    model *. YouTube.com

    parameter-card type urlf-glob CRICKET
    model espncricinfo.com
    model *. espncricinfo.com

    parameter-card type urlf-glob CRICKET1
    webcric.com model
    model *. webcric.com

    parameter-card type urlf-glob YAHOO
    model *. Yahoo.com
    model yapo

    parameter-card type urlf-glob PERMITTEDSITES
    model *.

    parameter-card type urlf-glob HOTMAIL
    model hotmail.com
    model *. Hotmail.com

    Crypto pki token removal timeout default 0
    !
    Crypto pki trustpoint TP-self-signed-2049533683
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 2049533683
    revocation checking no
    rsakeypair TP-self-signed-2049533683
    !
    Crypto pki trustpoint tti
    crl revocation checking
    !
    Crypto pki trustpoint test_trustpoint_config_created_for_sdm
    name of the object [email protected] / * /
    crl revocation checking
    !
    !
    TP-self-signed-4966226213 crypto pki certificate chain
    certificate self-signed 01
    3082022B 30820194 02111101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43647274 31312F30
    69666963 32303439 35323236 6174652D 3833301E 170 3132 30363232 30363332

    quit smoking
    encryption pki certificate chain tti
    for the crypto pki certificate chain test_trustpoint_config_created_for_sdm
    license udi pid CISCO1905/K9 sn xxxxxx
    licence start-up module c1900 technology-package datak9
    username privilege 15 password 0 xxxxx xxxxxxx
    !
    redundancy
    !
    !
    !
    !
    !
    type of class-card inspect entire tsq-inspection-traffic game
    dns protocol game
    ftp protocol game
    https protocol game
    match icmp Protocol
    match the imap Protocol
    pop3 Protocol game
    netshow Protocol game
    Protocol shell game
    match Protocol realmedia
    match rtsp Protocol
    smtp Protocol game
    sql-net Protocol game
    streamworks Protocol game
    tftp Protocol game
    vdolive Protocol game
    tcp protocol match
    udp Protocol game
    match Protocol l2tp
    class-card type match - all BLOCKEDSITES urlfilter
    Server-domain urlf-glob FACEBOOK game
    Server-domain urlf-glob YOUTUBE game
    CRICKET urlf-glob-domain of the server match
    game server-domain urlf-glob CRICKET1
    game server-domain urlf-glob HOTMAIL
    class-map type urlfilter match - all PERMITTEDSITES
    Server-domain urlf-glob PERMITTEDSITES match
    inspect the class-map match tsq-insp-traffic type
    corresponds to the class-map tsq-inspection-traffic
    type of class-card inspect correspondence tsq-http
    http protocol game
    type of class-card inspect all match tsq-icmp
    match icmp Protocol
    tcp protocol match
    udp Protocol game
    type of class-card inspect correspondence tsq-invalid-src
    game group-access 100
    type of class-card inspect correspondence tsq-icmp-access
    corresponds to the class-map tsq-icmp
    !
    !
    type of policy-card inspect urlfilter TSQBLOCKEDSITES
    class type urlfilter BLOCKEDSITES
    Journal
    reset
    class type urlfilter PERMITTEDSITES
    allow
    Journal
    type of policy-card inspect SELF - AUX-OUT-policy
    class type inspect tsq-icmp-access
    inspect
    class class by default
    Pass
    policy-card type check IN and OUT - POLICIES
    class type inspect tsq-invalid-src
    Drop newspaper
    class type inspect tsq-http
    inspect
    service-policy urlfilter TSQBLOCKEDSITES
    class type inspect tsq-insp-traffic
    inspect
    class class by default
    drop
    policy-card type check OUT IN-POLICY
    class class by default
    drop
    !
    area inside security
    security of the OUTSIDE area
    source of security OUT-OF-IN zone-pair outside the destination inside
    type of service-strategy check OUT IN-POLICY
    zone-pair IN-to-OUT DOMESTIC destination outside source security
    type of service-strategy inspect IN and OUT - POLICIES
    security of the FREE-to-OUT source destination free outdoors pair box
    type of service-strategy inspect SELF - AUX-OUT-policy
    !
    Crypto ctcp port 10000
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 2
    Group 2
    !
    ISAKMP crypto client configuration group vpntunnel
    XXXXXXX key
    pool SDM_POOL_1
    include-local-lan
    10 Max-users
    ISAKMP crypto ciscocp-ike-profile-1 profile
    vpntunnel group identity match
    client authentication list ciscocp_vpn_xauth_ml_1
    ISAKMP authorization list ciscocp_vpn_group_ml_1
    client configuration address respond
    virtual-model 1
    !
    !
    Crypto ipsec transform-set TSQ-TRANSFORMATION des-esp esp-md5-hmac
    !
    Profile of crypto ipsec CiscoCP_Profile1
    game of transformation-TRANSFORMATION TSQ
    set of isakmp - profile ciscocp-ike-profile-1
    !
    !
    !
    !
    !
    !
    the Embedded-Service-Engine0/0 interface
    no ip address
    response to IP mask
    IP directed broadcast to the
    Shutdown
    !
    interface GigabitEthernet0/0
    Description LAN INTERFACE-FW-INSIDE
    IP 172.17.0.71 255.255.0.0
    IP nat inside
    IP virtual-reassembly in
    security of the inside members area
    automatic duplex
    automatic speed
    !
    interface GigabitEthernet0/1
    Description WAN-INTERNET-INTERNET-FW-OUTSIDE
    IP address xxxxxx yyyyyyy
    NAT outside IP
    IP virtual-reassembly in
    security of the OUTSIDE member area
    automatic duplex
    automatic speed
    !
    interface Serial0/0/0
    no ip address
    response to IP mask
    IP directed broadcast to the
    Shutdown
    no fair queue
    2000000 clock frequency
    !
    type of interface virtual-Template1 tunnel
    IP unnumbered GigabitEthernet0/0
    ipv4 ipsec tunnel mode
    Tunnel CiscoCP_Profile1 ipsec protection profile
    !
    local IP SDM_POOL_1 172.17.0.11 pool 172.17.0.20
    IP forward-Protocol ND
    !
    no ip address of the http server
    local IP http authentication
    IP http secure server
    !
    IP nat inside source list 1 interface GigabitEthernet0/1 overload
    IP route 0.0.0.0 0.0.0.0 yyyyyyyyy
    IP route 192.168.1.0 255.255.255.0 172.17.0.6
    IP route 192.168.4.0 255.255.255.0 172.17.0.6
    !
    access-list 1 permit 172.17.0.0 0.0.255.255
    access-list 100 permit ip 255.255.255.255 host everything
    access-list 100 permit ip 127.0.0.0 0.255.255.255 everything
    access-list 100 permit ip yyyyyy yyyyyy everything
    !
    !
    !
    !
    !
    !
    !
    !
    control plan
    !
    !
    !
    Line con 0
    line to 0
    line 2
    no activation-character
    No exec
    preferred no transport
    transport of entry all
    output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
    StopBits 1
    line vty 0 4
    transport input ssh rlogin
    !
    Scheduler allocate 20000 1000
    end

    A few things to change:

    (1) The IP pool must be a unique subnet; it must not be the same subnet as your internal subnet.

    (2) Your NAT ACL 1 must be changed to an extended ACL so that you can configure NAT exemption. So if your pool is reconfigured to be 10.10.10.0/24:

    access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255

    access-list 120 permit ip 172.17.0.0 0.0.255.255 any

    ip nat inside source list 120 interface GigabitEthernet0/1 overload

    no ip nat inside source list 1 interface GigabitEthernet0/1 overload

    (3) The OUT policy needs to include the VPN traffic:

    access-list 121 permit ip 10.10.10.0 0.0.0.255 172.17.0.0 0.0.255.255

    class-map type inspect match-all vpn-access

     match access-group 121

    policy-card type check OUT IN-POLICY

     class type inspect vpn-access

      inspect

  • Cannot ping the Virtual Machine by host

    Hi all,

    Please help, I use VMWare Workstation 6.5 and I have a physical operating system which is Windows XP SP2, I have a network card, but not connected to a physical switch, the IP address is 192.168.0.1. I installed a Virtual Machine using Microsoft Windows 2003 server as the operating system, promote as domain controller, install the DHCP, DNS service and assign an IP 192.168.0.2, no default gateway.

    My VMnet1 on physical operating system has an IP 192.168.204.1 and VMNet8 has an IP 192.168.126.1.

    The host, I cannot ping the 192.168.0.2 which is the IP address of the Virtual Machine. Even in the Virtual Machine, I can not ping 192.168.0.1 is the IP address of the host. From what I read, the physical and the virtual machine were connected with a virtual switch. Am I wrong?

    Any advice?

    Thanks in advance.

    They SEEM to be in different networks; you need to look into routing between them, since they are different networks.

    Otherwise,

    put the host and the virtual machine on the same subnet/network, FOR EXAMPLE the class C network 192.168.200.0/24.

    Please award points if my answer was helpful... Thank you

    Regards,

    Joe

  • 5110 printer wireless but the software cannot see the IP address

    Hello. I have a new printer Photosmart 5110. I turned on and it found my wireless network. I entered the key wireless and got an IP 192.168.1.68 and connected is displayed.

    I have an ASUS Netbook. It doesn't have a CD player, so I had to download the HP Photosmart installation software. I am running XP. When I run the installer, it asks if I have a printer connected wireless network. I enter the IP address and the message says printer not found.

    I use a BT Home Hub. When I log on the hub I see the printer and IP address.

    I can ping the IP address of the laptop.

    I can access the printer directly using Internet Explorer and entering the printer IP address - and I can print a test page with success.

    I have Norton Security and I turned off the firewall.

    I can't get the installation software to see the IP address of the printer.

    Don't you think that there is a problem with Norton blocking the IP (if so, how unlock) or something to the BT Hub?

    Can you help or give ideas I can try before I bring her to the store.

    Steve

    Hello Steveargy,

    Have you tried running the network diagnostic utility? If not, can you please do so?

    I hope this helps

    Best regards
    F.

  • ESX host cannot ping the default gateway.

    Hi Experts,

    I have connected ESX hosts to a Cisco switch, both via the ILO and via the other ports.

    Cisco switch configuration:

    int gig 1/0/21, gig 1/0/13 and gig 1/0/14 are configured as access ports, as they carry/tag VLAN 306.

    From the Cisco switch, I can ping the IP address of the ILO, but I can't ping the management IP address, and vice versa.

    Management IP

    10.197.204.10

    255.255.255.0

    10.197.204.1

    VLAN 306

    A screenshot showing the diagram is attached.

    Your help will be appreciated.

    Regards

    Don't know what it is, but there must be something simple that you are missing.

    Let's go through each configuration step for both ESXi network connections (the ILO already works, so we won't touch it).

    Check the physical switch port configuration for interfaces GigabitEthernet1/0/13 and 1/0/14:

    switchport access vlan 306

    switchport mode access

    spanning-tree portfast

    Connect only the network cable for vmnic0 to the host and make sure that vmnic0 shows up as 'connected' in the DCUI.

    Make sure the VLAN ID is empty.

    Then make sure the IP settings are correct (i.e. without typos, ...) and restart the management network from the main menu.

    André

  • Windows 2008 R2 as a guest cannot get the IP address of the server (VMware workstation 7.1.3 on Windows 7) professional

    Hi gurus,

    I installed VMware workstation 7.1.3 on my Windows 7 laptop professional x64bit and I can run my old VM (XP) without any problems in this regard. And I tried to install a new client (Windows 2008 R2 Standard x 64) on this subject, when I put the NETWORK card in the deck, he cannot get the IP address from my DHCP, always show me error "Windows has detected an IP address conflict...". ", I tried the IP static installation for her also, same result.

    I tried to install a new windows Server 2003 as a guest (also defined as a network bridge), it works very well, can get the IP address from my DHCP or can set a static IP address with no problems. Does anyone have a similar experience on this combination? Any solution to this issue?

    Best regards

    BUGBUG

    I recently managed to get bridge network work with a Windows Server 2003 R2 SP2 guest in VMW Workstation 7.1.4.385536 on a host Windows 7 SP1 Ultimate.

    VirtualBox 4.0.4.70112 is installed on the host and disabling the 'VMware Bridge Protocol' in the 'VirtualBox in Ethernet Adapter"on the host was necessary.

    Outpost Firewall Pro 7.1.0.3415.520.1247 is also installed on the host computer and I used some information from the link below to add some necessary firewall rules.

    http://www.agnitum.com/support/KB/article.php?id=1000061

  • After being directly connected to iSCSI, the host (initiator) cannot ping the iSCSI server (target), but the target can, why?

    After the host on vSphere 4.0 is directly connected to iSCSI, the host (initiator) cannot ping the iSCSI server (target), but the target can. And iSCSI works well; I mean I can create and use the iSCSI disk. Why? It confuses me.

    Thank you!

    Geoarge,

    iSCSI traffic uses a VMkernel port; instead of using the 'ping' command, use 'vmkping'.

    André

  • Cannot renew the IP address...

    Hello, last night my Dimension 8200 has lost the ability to use the Internet; It is connected to a router that is connected to the cable modem. My Dell laptop works very well. When I look at network connections, he says "Comcast Hi-speed limited connectivity or none. When I right click on it and try to 'fix', it cannot renew the IP address. I put off the power to the modem cable as well as the router. no help. Again, my laptop works very well. I've run Mcaffee and it found no viruses?

    Any suggestion would be appreciated.

    Pat


  • Cannot ping the Anyconnect client IP address to LAN

    Hi guys,

    I have an old ASA5520 running 9.1 (6) 8 where I installed Anyconnect SSL split tunneling access:

    show run group-policy
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 ikev2 ssl-clientless

    group-policy lanwan-gp internal
    group-policy lanwan-gp attributes
     wins-server none
     dns-server none
     vpn-simultaneous-logins 1
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value lanwan-acl
     default-domain none
     webvpn
      anyconnect profiles value lanwan-profile type user

    access-list lanwan-acl line 1 standard permit 172.16.0.0 255.254.0.0 (hitcnt=48) 0xb5bbee32

    Now I can ping, RDP, etc. of any VPN host connected to any destination within 172.16.0.0 255.254.0.0 range.

    Here is my routing information:

    show run route
    route outside 0.0.0.0 0.0.0.0 69.77.43.1 1
    route inside 172.16.0.0 255.254.0.0 172.25.8.1 1

    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    IP 172.25.8.4 255.255.254.0

    But I can't ping any Anyconnect VPN client connected from my LAN.

    show run ip local pool

    ip local pool lanwan-pool 172.25.9.8-172.25.9.15 mask 255.255.254.0

    Here's the traceroute of LAN:

    C:\Users\Florin>tracert -d 172.25.9.10

    Tracing route to 172.25.9.10 over a maximum of 30 hops

      1     1 ms    <1 ms     1 ms
      2    <1 ms     *       <1 ms
      3     *     Request timed out.
      4     *     Request timed out.

    While the ASA routing table has good info:

    show route | i 69.77.43.1

    S 172.25.9.10 255.255.255.255 [1/0] via 69.77.43.1, outside

    Other things to mention:

    -There is no other FW between the LAN and the ASA

    -There is no FW or NAT configured or enabled on this ASA (show run nat and show run access-group both return blank).

    -Windows FW on the AnyConnect workstation is disabled (the service is running). I also tested and am able to ping my AnyConnect workstation at home from another device on the same network.

    So, I'm left with two questions:

    1. The first one I do not understand: after reading some threads here, I added this line: access-list lanwan-acl standard permit 69.77.43.0 255.255.255.0

    The output of the ping and tracert commands remains the same, but now I can RDP to the VPN-connected workstation from any LAN workstation;

    What happens here?

    2. How can I make ICMP work after all? I also tried fixup protocol icmp and fixup protocol icmp error, still no luck

    Thanks in advance,

    Florin.

    Hi Florin,

    The whole output is clear enough for me

    in the debug, you can see that the traffic is reaching the ASA

    "ICMP echo request from inside:172.17.35.71 to outside:172.25.9.9 ID=22 seq=14024 len=32"

    the ASA may be forwarding it on or may be dropping it for some unknown reason

    can we have a wireshark capture on the vpn client to see if the icmp request is reaching the client? I just want to isolate the fw problem so that we can concentrate on the ASA rather than silly windows fw ;)

    Does RDP from the VPN client to your inside LAN work?

    enable logging on the ASA, then ping from inside to the VPN client and check the logs on the firewall; if the ASA drops the pkt it will appear in the log.

    logging en
    logging buffered debugging

    #sh logging buffere | in icmp

    #Rohan

  • VPN Site-to-Site - cannot ping the router's internal IP address

    Hi guys,

    I configured a site-to-site VPN between two routers; everything works well except pinging the internal (LAN) IP of one router.

    Everything else works fine: pinging the hosts through the tunnel in both directions.

    Routers that I use:

    -1841 IOS: 15.0(1)M3

    -2811 IOS: 15.0(1)M5 -> here is the problem. I can't ping the inside interface of this router.

    I checked its ipsec counters and it seems that it does not send packets through the tunnel when I ping from the LAN interface.

    #pkts program is not incrementing.

    Anyone had this problem before?

    Thank you very much.

    Best regards

    I think that happens because when the router responds to the icmp request, it uses its outside interface IP (not the IP address of the inside interface, which you are trying to ping) as the source of the packet. So the icmp-response does not go into the tunnel, because the IP address of the router's external interface is not included in the crypto-acl.

    The solution to this, if my guess is correct, is to add the router's external IP to the crypto-acl.

  • Cisco VPN Client cannot ping from LAN internal IP

    Hello

    I apologize in advance for my lack of knowledge about this, but I have an ASA 5510 running software version 7.2(2) and have been asked to set up a site-to-site with a client; I managed to get this configured and everything works fine. In addition, I created an ipsec-ra tunnel group for remote users to connect to a particular server, 192.168.10.100/24. Even though the connection is made successfully, I cannot ping any IP on the LAN 192.168.10.0/24 located behind the ASA, and when I ping the inside interface on the ASA it returns the public IP address of the external interface.

    If someone out there could give me a little push in the right direction, it would be much appreciated! This is the current configuration of the device.

    Thanks in advance.

    : Saved

    :

    ASA Version 7.2 (2)

    !

    hostname ciscoasa5510

    domain.local domain name

    activate the password. 123456789 / encrypted

    names of

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    PPPoE client vpdn group ISP

    12.34.56.789 255.255.255.255 IP address pppoe setroute

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    IP 192.168.10.1 255.255.255.0

    !

    interface Ethernet0/2

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 192.168.1.1 255.255.255.0

    management only

    !

    passwd encrypted 123456789

    passive FTP mode

    clock timezone GMT/UTC 0

    summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS server-group DefaultDNS

    domain.local domain name

    access-list outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124

    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124

    access-list Split_Tunnel_List remark the network of the company behind the ASA

    access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0

    pager lines 24

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    management of MTU 1500

    ip local pool domain_vpn_pool 192.168.11.1-192.168.11.254 mask 255.255.255.0

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 522.bin

    don't allow no asdm history

    ARP timeout 14400

    global (outside) 1 interface

    nat (inside) 0 access-list inside_nat0_outbound

    nat (inside) 1 0.0.0.0 0.0.0.0

    route outside 0.0.0.0 0.0.0.0 12.34.56.789 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout, uauth 0:05:00 absolute

    group-policy domain_vpn internal

    group-policy domain_vpn attributes

    dns-server value 212.23.3.100 212.23.6.100

    vpn-tunnel-protocol IPSec

    split-tunnel-policy tunnelspecified

    split-tunnel-network-list value Split_Tunnel_List

    username domain_ra_vpn password 123456789 encrypted

    username domain_ra_vpn attributes

    VPN-group-policy domain_vpn

    encrypted utilisateur.123456789 password username

    encrypted utilisateur.123456789 password username

    privilege of username user password encrypted passe.123456789 15

    encrypted utilisateur.123456789 password username

    the ssh LOCAL console AAA authentication

    AAA authentication enable LOCAL console

    Enable http server

    http 192.168.1.0 255.255.255.0 management

    http 192.168.10.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto dynamic-map outside_dyn_map 20 set pfs

    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

    crypto map outside_map 20 match address outside_20_cryptomap

    crypto map outside_map 20 set peer 987.65.43.21

    crypto map outside_map 20 set transform-set ESP-3DES-SHA

    crypto map outside_map 20 set security-association lifetime seconds 3600

    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

    crypto map outside_map interface outside

    crypto isakmp enable outside

    crypto isakmp policy 10

    authentication pre-share

    encryption aes-256

    hash sha

    group 5

    lifetime 86400

    crypto isakmp policy 30

    authentication pre-share

    encryption 3des

    hash sha

    group 2

    lifetime 86400

    tunnel-group 987.65.43.21 type ipsec-l2l

    tunnel-group 987.65.43.21 ipsec-attributes

    pre-shared-key *

    tunnel-group domain_vpn type ipsec-ra

    tunnel-group domain_vpn general-attributes

    address-pool domain_vpn_pool

    default-group-policy domain_vpn

    tunnel-group domain_vpn ipsec-attributes

    pre-shared-key *

    Telnet 192.168.10.0 255.255.255.0 inside

    Telnet timeout 5

    Console timeout 0

    VPDN group ISP request dialout pppoe

    VPDN group ISP localname [email protected] / * /

    VPDN group ISP ppp authentication chap

    VPDN username [email protected] / * / password *.

    dhcpd dns 212.23.3.100 212.23.6.100

    dhcpd lease 691200

    dhcpd ping_timeout 500

    domain.local domain dhcpd

    !

    dhcpd address 192.168.10.10 - 192.168.10.200 inside

    dhcpd allow inside

    !

    management of 192.168.1.2 - dhcpd address 192.168.1.254

    enable dhcpd management

    !

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:1234567890987654321

    : end

    Hello

    Seems to me that you are at least lacking the NAT0 configuration for your VPN Client connection.

    This configuration is intended to allow the VPN Client to communicate with the local network with their original IP addresses. Although the main reason this is necessary is to keep this traffic from matching the normal dynamic PAT rule and being dropped for that reason.

    You can add an ACL rule to the existing NAT0 ACL you have above, and the NAT configuration should go next

    Add this

    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

    Hope this helps

    Let me know how it goes

    -Jouni
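The check behind the NAT0 suggestion above, as an added example (not part of the thread and not Cisco code): it works out which `nat (inside)` rule a flow from the inside LAN hits, using the ACL, pool and NAT lines of the posted configuration re-typed in standard ASA 7.2 syntax. The function names and the simplified model (NAT exemption evaluated before dynamic NAT, only extended `permit ip` entries parsed) are assumptions of this sketch.

```python
import ipaddress

# Lines re-typed in standard ASA 7.2 syntax from the configuration posted above.
CONFIG_BEFORE = """\
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
ip local pool domain_vpn_pool 192.168.11.1-192.168.11.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The ACL entry suggested in the reply.
SUGGESTED_ACE = ("access-list inside_nat0_outbound extended permit ip "
                 "192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0\n")


def _take_network(tokens):
    """Consume one address spec (any | host A | A MASK) and return an IPv4Network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")


def parse(config):
    """Extract extended 'permit ip' ACEs, nat (inside) rules and VPN pool ranges."""
    acls, nat_rules, pools = {}, [], {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            acls.setdefault(t[1], []).append((_take_network(rest), _take_network(rest)))
        elif t[:2] == ["nat", "(inside)"]:
            nat_id = int(t[2])
            if t[3] == "access-list":
                nat_rules.append((nat_id, "acl", t[4]))
            else:
                nat_rules.append((nat_id, "net", ipaddress.ip_network(f"{t[3]}/{t[4]}")))
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return acls, nat_rules, pools


def nat_decision(config, src, dst):
    """Return 'exempt', 'dynamic-pat' or 'no-nat' for an inside-originated flow."""
    acls, nat_rules, _ = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Assumption of this model: nat 0 access-list (exemption) is checked first.
    for nat_id, kind, ref in sorted(nat_rules, key=lambda r: r[0] != 0):
        if kind == "acl" and any(s in a and d in b for a, b in acls.get(ref, [])):
            return "exempt" if nat_id == 0 else "dynamic-pat"
        if kind == "net" and s in ref:
            return "dynamic-pat"
    return "no-nat"


def pool_addresses_not_exempt(config, inside_host):
    """List pool addresses that inside_host cannot reach without being translated."""
    _, _, pools = parse(config)
    missing = []
    for first, last in pools.values():
        for n in range(int(first), int(last) + 1):
            addr = str(ipaddress.ip_address(n))
            if nat_decision(config, inside_host, addr) != "exempt":
                missing.append(addr)
    return missing
```

With the posted configuration every address in `domain_vpn_pool` falls through to the `nat (inside) 1` rule; with `SUGGESTED_ACE` appended the list is empty.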

  • Cisco 5505, inside, I cannot ping the external IP of the router, but inside I can ping anything else

    Hello

    Cisco 5505's internal IP: 10.10.0.1 static, security level 100

    External IP of Cisco 5505: 36.X.X.23 DHCP, security level 0

    From inside, I can ping all external hosts, for example from host 10.10.0.3 to google.com

    From inside, I can ping all internal hosts, for example host 10.10.0.3 to 10.10.0.5, including the Cisco's internal IP 10.10.0.1

    From inside, I can ping a different IP address on the same network as my router's external IP, for example host 36.x.x.25

    From inside, I cannot ping the IP 36.X.X.23

    From outside, I can ping the IP 36.X.X.23

    From outside, I can ping different IPs on the external 36.X.X.X network

    How can I ping 36.X.X.23 from the inside, any suggestions?

    It's called background management which is not supported in the ASA

    https://Tools.Cisco.com/bugsearch/bug/CSCtd86651

    That's why is not and this will never work the ASA design does not

    It will be useful.

  • Localhost unreachable destination to the LAN address

    Windows Vista Home Prem / 2.1 Ghz/3 GB RAM AMD

    I'm having this problem where I am unable to access certain local IP on my LAN addresses. I have what I think are routes in the routing table, so I'm completely puzzled as to why I get inaccessible Destination. They seem to be generated by the output interface and I get only the message for some hosts.  Any thoughts would be IMMENSELY appreciated.

    routing table:
    ===========================================================================
    List of the interface
    16... 02 00 4 c 4f 4f 50... Microsoft Loopback adapter
    11.. 00 24 d2 06 5 b 4 b... Atheros AR5007EG Wireless Network adapt
    10... 1st 00 33 9 c 92 b5... Realtek RTL8102E Family PCI - E Fast Ethernet OR
    1 ........................... Software Loopback Interface 1
    18.. 00 00 00 00 00 00 00 e0 isatap.gateway.2wire.net
    12... 02 00 54 55 4th 01... Teredo Tunneling Pseudo-Interface
    19 00 00 00 00 00 00 00 e0 isatap. {1B026F0F-03DE-4F71-BFF6-DD768DB11D48}
    20... 00 00 00 00 00 00 00 e0 isatap. {B0F31E43-512B-499E-AAA1-E7828F7C5D43}
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination          Netmask          Gateway        Interface  Metric
              0.0.0.0            0.0.0.0   172.30.255.254     172.30.255.1      80
              0.0.0.0            0.0.0.0     192.168.43.1   192.168.43.101      25
            127.0.0.0          255.0.0.0          On-link        127.0.0.1     306
            127.0.0.1    255.255.255.255          On-link        127.0.0.1     306
      127.255.255.255    255.255.255.255          On-link        127.0.0.1     306
         172.30.255.0      255.255.255.0          On-link     172.30.255.1     286
         172.30.255.1    255.255.255.255          On-link     172.30.255.1     286
       172.30.255.255    255.255.255.255          On-link     172.30.255.1     286
         192.168.43.0      255.255.255.0          On-link   192.168.43.101     281
       192.168.43.101    255.255.255.255          On-link   192.168.43.101     281
       192.168.43.255    255.255.255.255          On-link   192.168.43.101     281
            224.0.0.0          240.0.0.0          On-link        127.0.0.1     306
            224.0.0.0          240.0.0.0          On-link     172.30.255.1     286
            224.0.0.0          240.0.0.0          On-link   192.168.43.101     281
      255.255.255.255    255.255.255.255          On-link        127.0.0.1     306
      255.255.255.255    255.255.255.255          On-link     172.30.255.1     286
      255.255.255.255    255.255.255.255          On-link   192.168.43.101     281
    ===========================================================================
    Persistent Routes:
      Network Address            Netmask  Gateway Address  Metric
              0.0.0.0            0.0.0.0   172.30.255.254      50
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      1    306 ff00::/8                 On-link
    ===========================================================================

    ping output (works / does not):

    Pinging 192.168.43.11 with 32 bytes of data:
    Reply from 192.168.43.11: bytes=32 time=4ms TTL=255
    Reply from 192.168.43.11: bytes=32 time=2ms TTL=255

    Pinging 192.168.43.20 with 32 bytes of data:
    Reply from 192.168.43.101: Destination host unreachable.

    ipconfig for the relevant interfaces:
    NIC Loopback0 (172.30.255.1):

    The connection-specific DNS suffix. :
    ... Description: Microsoft Loopback adapter
    Physical address.... : 02-00-4C-4F-4F-50
    DHCP active...: No.
    Autoconfiguration enabled...: Yes
    IPv4 address...: 172.30.255.1 (Preferred)
    ... Subnet mask: 255.255.255.0.
    ... Default gateway. : 172.30.255.254
    NetBIOS over TCP/IP...: enabled

    Wireless network connection Wireless LAN adapter:

    The connection-specific DNS suffix. : gateway.2wire.net
    ... Description: Atheros AR5007EG Wireless Network adapt
    Physical address.... : 00-24-D2-06-5B-4B
    DHCP active...: Yes
    Autoconfiguration enabled...: Yes
    IPv4 address...: 192.168.43.101 (Preferred)
    ... Subnet mask: 255.255.255.0.
    Lease obtained...: Wednesday, February 10, 2010 10:03:57
    End of the lease...: Thursday, February 11, 2010 10:03:57
    ... Default gateway. : 192.168.43.1.
    DHCP server...: 192.168.43.1.
    DNS servers...: 192.168.1.254
    NetBIOS over TCP/IP...: enabled

    The loopback adapter is one that I use for an emulation program, and I've assigned a higher metric to the default gateway for that network. I tried removing the persistent route for this default GW (172.30.255.254), no change.  I don't understand why Windows reports no route, when there is clearly one in the routing table.  When I disable the loopback interface, there is no change.

    I removed IPv6 on both interfaces, I disabled the firewall, both networks are on private networks. I'm out of ideas.

    Well, as annoying as it is, my two-day-old, countless-curse-word problem has been resolved.  No matter how much you (think you) know, and no matter how much experience you have, always always ALWAYS check layer 1.

    I was sure that the server was connected to the network, but alas it was not.  What is real interesting here is that Windows Vista will report a local address as unreachable, even if there's a route.  Maybe it has to do with a failed ARP request?

    Feel stupid now.

  • Cisco ezvpn ASAs cannot ping each other inside interfaces

    I have an ezvpn setup in place with a 5506 (location B) client-side and a 5520 (location A) server-side. I have successfully connected the vpn, and traffic flows. My problem is that I can't SSH into location B. Investigating this more, I cannot ping the inside interface of the opposing ASA, or the machines inside each ASA.

    I found the following links that describe a scenario similar to mine, but nothing on any of them helped me.
    http://www.experts-exchange.com/questions/28388142/cannot-ping-ASA-5505-inside-interface-across-VPN.html
    https://www.fir3net.com/firewalls/Cisco/Cisco-ASA-proxy-ARP-gotcha.html
    https://supportforums.Cisco.com/discussion/11755586/Cisco-ASA-VPN-established-cant-ping

    I attached sanitized versions of these two configs. Any help is appreciated.

    Hi Adam

    On site B I'm not able to see "management-access inside". Please try to configure the same. It could solve the problem.

    Also, on the NAT statement of the ASA, can you please try to add the keywords 'no-proxy-arp route-lookup'.

    something like:

    nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup

    as I have noted problems with inside interface access via the VPN when those keywords are not applied. If I remember correctly, ASA version 8.6.x had a bug regarding the same.

    Cordially

    Véronique
