Solved

Unable to ping across VPN tunnel

Posted on 2008-09-29
3,126 Views
Last Modified: 2012-05-05
I have a site to site vpn between an ASA 5505 (remote site) and PIX 515 (corporate headquarters) using the easy vpn feature. When the tunnel is up I'm able to access all the resources at corporate from behind the ASA, but I'm unable to ping anything. Also from corporate I'm unable to ping the inside interface of the ASA. On the ASA I have the easy vpn configuration completed. Below is the config of the PIX at my corporate office that pertains to the vpn tunnel to the ASA.

access-list nonat-vpn extended permit ip 10.1.0.0 255.255.0.0 10.30.1.0 255.255.255.0
access-list nonat-vpn extended permit ip 10.30.1.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list ezvpn1 extended permit ip 10.1.0.0 255.255.0.0 10.30.1.0 255.255.255.0
access-list ezvpn1 extended permit ip 10.30.1.0 255.255.255.0 10.1.0.0 255.255.0.0

global (outside) 1 interface
nat (inside) 0 access-list nonat-vpn
nat (inside) 1 0.0.0.0 0.0.0.0


group-policy ASA internal
group-policy ASA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn1
 nem enable

tunnel-group ASAtest type ipsec-ra
tunnel-group ASAtest general-attributes
 default-group-policy ASA
tunnel-group ASAtest ipsec-attributes
 pre-shared-key *

What I'm trying to accomplish is to be able to ping the ASA's inside interface and hosts behind the ASA from the corporate office. Likewise I would also like to be able to ping from behind the ASA to hosts on my corporate office network.
0
Question by:dtadmin
17 Comments
 
LVL 11

Expert Comment

by:billwharton
ID: 22601787
Pinging to PIX and ASA interfaces is sometimes tricky and is disallowed at times. However, you should be able to ping hosts across the other network just fine. Did you enable ICMP inspection on both the PIX and ASA? What code are you running? v6 or v7?
0
 

Author Comment

by:dtadmin
ID: 22602109
I enabled ICMP inspection on the ASA.

the PIX is running 7.2(2)
the ASA is running 7.2(4)
0
 
LVL 11

Expert Comment

by:billwharton
ID: 22602115
Enable it on the PIX too.
0
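An added audit script, not from the question or any commenter, that parses the PIX fragment posted above and checks the two points the thread turns on: that every source/destination pair matched by the VPN ACLs is also covered by the `nat (inside) 0 access-list` exemption, and that `inspect icmp` is present in a policy-map. The sample config, the names SAMPLE_CONFIG and audit, and the missing `inspect icmp` line are all constructed assumptions.

```python
import re
from ipaddress import IPv4Network

# Constructed sample: the ACL/NAT lines from the question plus a policy-map
# that (like the question's fragment) does not show "inspect icmp".
SAMPLE_CONFIG = """
access-list nonat-vpn extended permit ip 10.1.0.0 255.255.0.0 10.30.1.0 255.255.255.0
access-list nonat-vpn extended permit ip 10.30.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list ezvpn1 extended permit ip 10.1.0.0 255.255.0.0 10.30.1.0 255.255.255.0
access-list ezvpn1 extended permit ip 10.30.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat-vpn
nat (inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
 class inspection_default
  inspect dns
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config):
    """Map ACL name -> set of (src_net, dst_net) for 'extended permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}"))
            acls.setdefault(name, set()).add(pair)
    return acls

def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    acls = parse_acls(config)
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)$", config, re.M)
    nonat = m.group(1) if m else None
    if nonat is None or nonat not in acls:
        findings.append("no 'nat (...) 0 access-list' exemption found")
    else:
        # Any pair the VPN ACLs match must also be NAT-exempt, otherwise the
        # 'nat (inside) 1 0.0.0.0 0.0.0.0' PAT rule translates it before IPsec.
        for name, pairs in acls.items():
            for src, dst in pairs:
                if name != nonat and (src, dst) not in acls[nonat]:
                    findings.append(f"{name}: {src}->{dst} is not NAT exempt")
    # Without ICMP inspection echo replies are not tracked statefully and are
    # dropped unless an interface ACL explicitly permits them.
    if not re.search(r"^\s*inspect icmp\s*$", config, re.M):
        findings.append("inspect icmp missing from policy-map")
    return findings
```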
 

Author Comment

by:dtadmin
ID: 22602138
Just did. I will test in the morning and update this posting.
0
 
LVL 11

Expert Comment

by:billwharton
ID: 22602141
ok...
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22602589
The reason you are having this trouble is because of the fundamental way Easy VPN works - it is not a bi-directional tunnel.
Easy VPN is meant to be a quick and easy way for big companies to roll out remote offices with minimal configuration. Easy VPN allows the VPN client to access corporate resources on the main network, but DOES NOT ALLOW ANY COMMUNICATION AT ALL back to the remote-site VPN hardware client.
To have bi-directional communication you need to setup a true site-to-site tunnel.
Easy VPN will not do the job. I suggest you review the requirements of the job and start over. If you've got SmartNET, get TAC to help you.
I've attached a Cisco document that explains what the different site-to-site VPN types are used for.
Cheers! I hope this helps! :-)

Cisco-Site-to-Site-VPN-Technolog.pdf
0
 

Author Comment

by:dtadmin
ID: 22603785
any good links to documentation for a true site to site vpn between a pix515 and ASA5505?
0
 

Author Comment

by:dtadmin
ID: 22605169
Well, I got the ping issue from the ASA to work. I can now ping from behind the ASA to hosts on the corporate network behind the PIX. My last question is this: is it possible to remotely control a PC behind the ASA from the corporate office? I understand that Easy VPN is not bi-directional, but is it possible to initiate a support session from corporate to a host behind the ASA?
0
 
LVL 11

Expert Comment

by:billwharton
ID: 22605366
Sure it is. Use something like WebEx. You can also use a listening VNC viewer:
http://www.realvnc.com/pipermail/vnc-list/2005-June/051087.html

For VPN examples, I always use this page, which lists tons of them:
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22605634
I do not believe it is via RDP. You'd have to have some remote support app like Bill says.
Basically, if you want to do it in-house - UltraVNC will do the job. Just put a repeater (aka a server accessible on the web - not through the VPN) outside of the VPN and have all computers connect through that. It's very good and it's free.
http://www.uvnc.com/ 
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22605645
We use UVNC to support some clients remotely for quick fixes. Remote file transfer and chat and other features are included - and it's free!
0
 

Author Comment

by:dtadmin
ID: 22606312
I found a lot of site-to-site VPN configuration examples, but I'm having trouble locating one that is an example of the ASA side using a dynamic address.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22606504
Hmmm... why not use a static address? If you are doing a one-off deployment then there is no need for dynamic addressing of S2S VPN nodes.
0
 

Author Comment

by:dtadmin
ID: 22606525
I have 76 sites that are DHCP with Fortinet VPN appliances. We are going to be replacing those with Cisco ASA units.
0
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 1500 total points
ID: 22606754
Ooohh... you didn't mention that. I thought you just had 1.
Even with 76 sites, I still will recommend using static addressing so you can manage them remotely over the VPN tunnel and never have any confusion as to which device has which address.
On the remote-end ASA just enable the command management-access <insert interface name that has telnet or SSH (recommended) enabled>.
This is what I've set up in the past. Plus, you can have up to 254 sites with this scheme and then just add more later with another subnet.
0
 

Expert Comment

by:globalsage
ID: 24534906
Hi dtadmin,

How do you get the corporate network to access the hosts behind the client site (ASA)? I am facing the same problem as you...

Cheers
Alex
0
 

Author Comment

by:dtadmin
ID: 24535505
You cannot do that with the EZ VPN feature. You need to set up an actual remote access VPN between the remote office ASA and corporate.
0

Question has a verified solution.