ping remote host behind asa 5505 across vpn tunnel
I have a site to site vpn setup between my pix515 (corporate) and an ASA5505 (remote office). From the ASA side I can ping hosts at my corporate office, but from the pix side (corporate office) I am unable to ping any hosts behind the ASA.
Corporate network behind the PIX - 10.1.0.0/16
network behind the ASA - 10.30.1.0/24
Corporate network behind the PIX - 10.1.0.0/16
network behind the ASA - 10.30.1.0/24
ASKER
I don't have ASDM installed on the pix. Below is my nonat access list
access-list nonat-vpn line 1 extended permit ip any 10.3.2.0 255.255.255.0
access-list nonat-vpn line 2 extended permit ip 10.1.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list nonat-vpn line 3 extended permit ip 10.1.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list nonat-vpn line 4 extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list nonat-vpn line 5 extended permit ip 10.3.0.0 255.255.255.0 10.3.2.0 255.255.255.0
access-list nonat-vpn line 6 extended permit ip 10.1.0.0 255.255.0.0 10.30.1.0 255.255.255.0
access-list nonat-vpn line 7 extended permit ip 10.0.0.0 255.255.255.0 10.30.1.0 255.255.255.0
access-list nonat-vpn line 1 extended permit ip any 10.3.2.0 255.255.255.0
access-list nonat-vpn line 2 extended permit ip 10.1.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list nonat-vpn line 3 extended permit ip 10.1.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list nonat-vpn line 4 extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list nonat-vpn line 5 extended permit ip 10.3.0.0 255.255.255.0 10.3.2.0 255.255.255.0
access-list nonat-vpn line 6 extended permit ip 10.1.0.0 255.255.0.0 10.30.1.0 255.255.255.0
access-list nonat-vpn line 7 extended permit ip 10.0.0.0 255.255.255.0 10.30.1.0 255.255.255.0
Are you using EasyVPN, or straight vpn tunnel?
If the PIX is a easyvpn client and nem is not enabled, the we see the exact symptoms you experience because the pix actually is natting.
If the PIX is a easyvpn client and nem is not enabled, the we see the exact symptoms you experience because the pix actually is natting.
ASKER
straight site to site VPN tunnel.
I'd probably have to see both complete configs to spot anything.
Do you have any access-lists applied to the inside interface of either the asa or the pix?
Perhaps you have icmp echo blocked at the asa, or the echo-reply blocked at the PIX?
Pinging one way validates routing and encryption.
One way ping usually indicates an access rule or software firewall on the pc you are trying to ping.
Some things enable a firewall that you would not expect. Cisco VPN client, for example, can enable a firewall whether you are using it or not.
Do you have any access-lists applied to the inside interface of either the asa or the pix?
Perhaps you have icmp echo blocked at the asa, or the echo-reply blocked at the PIX?
Pinging one way validates routing and encryption.
One way ping usually indicates an access rule or software firewall on the pc you are trying to ping.
Some things enable a firewall that you would not expect. Cisco VPN client, for example, can enable a firewall whether you are using it or not.
ASKER
here is what the asdm logging on the asa is seeing:
6 Oct 02 2008 08:18:17 302020 10.1.200.8 10.30.1.10 Built outbound ICMP connection for faddr 10.1.200.8/0 gaddr 10.30.1.10/768 laddr 10.30.1.10/768
6 Oct 02 2008 08:18:17 302021 10.1.200.8 10.30.1.10 Teardown ICMP connection for faddr 10.1.200.8/0 gaddr 10.30.1.10/768 laddr 10.30.1.10/768
looks like the asa is seeing the ping from my pc behind my corporate firewall, but it's not letting it through to the inside hosts.
6 Oct 02 2008 08:18:17 302020 10.1.200.8 10.30.1.10 Built outbound ICMP connection for faddr 10.1.200.8/0 gaddr 10.30.1.10/768 laddr 10.30.1.10/768
6 Oct 02 2008 08:18:17 302021 10.1.200.8 10.30.1.10 Teardown ICMP connection for faddr 10.1.200.8/0 gaddr 10.30.1.10/768 laddr 10.30.1.10/768
looks like the asa is seeing the ping from my pc behind my corporate firewall, but it's not letting it through to the inside hosts.
ASKER
nevermind that was the wrong log....standby
ASKER
6 Oct 02 2008 08:18:17 302020 10.1.3.3 10.30.1.10 Built inbound ICMP connection for faddr 10.1.3.3/768 gaddr 10.30.1.10/0 laddr 10.30.1.10/0
6 Oct 02 2008 08:22:49 302021 10.1.3.3 10.30.1.10 Teardown ICMP connection for faddr 10.1.3.3/768 gaddr 10.30.1.10/0 laddr 10.30.1.10/0
here we go....my ip is 10.1.3.3 and the host behind the asa that I'm unable to ping is 10.30.1.10
6 Oct 02 2008 08:22:49 302021 10.1.3.3 10.30.1.10 Teardown ICMP connection for faddr 10.1.3.3/768 gaddr 10.30.1.10/0 laddr 10.30.1.10/0
here we go....my ip is 10.1.3.3 and the host behind the asa that I'm unable to ping is 10.30.1.10
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you connect to the ASDM at the HOME tab you will find logging at the bottom of the page. I prefer setting it to log warnings to avoid getting to much "jitter" and then try a ping. If it gets blocked you should get a pretty good idea of what is blocking the traffic.