Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ping remote host behind asa 5505 across vpn tunnel

Posted on 2008-10-02
9
Medium Priority
?
790 Views
Last Modified: 2012-05-05
I have a site to site vpn setup between my pix515 (corporate) and an ASA5505 (remote office). From the ASA side I can ping hosts at my corporate office, but from the pix side (corporate office) I am unable to ping any hosts behind the ASA.

Corporate network behind the PIX - 10.1.0.0/16

network behind the ASA - 10.30.1.0/24

0
Comment
Question by:dtadmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22623488
This is probably a problem with an access-list, or lack there-off...

If you connect to the ASDM  at the HOME tab you will find logging at the bottom of the page. I prefer setting it to log warnings to avoid getting to much "jitter" and then try a ping. If it gets blocked you should get a pretty good idea of what is blocking the traffic.
0
 

Author Comment

by:dtadmin
ID: 22623521
I don't have ASDM installed on the pix. Below is my nonat access list

access-list nonat-vpn line 1 extended permit ip any 10.3.2.0 255.255.255.0
access-list nonat-vpn line 2 extended permit ip 10.1.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list nonat-vpn line 3 extended permit ip 10.1.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list nonat-vpn line 4 extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0  
access-list nonat-vpn line 5 extended permit ip 10.3.0.0 255.255.255.0 10.3.2.0 255.255.255.0
access-list nonat-vpn line 6 extended permit ip 10.1.0.0 255.255.0.0 10.30.1.0 255.255.255.0
access-list nonat-vpn line 7 extended permit ip 10.0.0.0 255.255.255.0 10.30.1.0 255.255.255.0
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22623628
Are you using EasyVPN, or straight vpn tunnel?
If the PIX is a easyvpn client and nem is not enabled, the we see the exact symptoms you experience because the pix actually is natting.
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 

Author Comment

by:dtadmin
ID: 22623637
straight site to site VPN tunnel.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22623749
I'd probably have to see both complete configs to spot anything.
Do you have any access-lists applied to the inside interface of either the asa or the pix?
Perhaps you have icmp echo blocked at the asa, or the echo-reply blocked at the PIX?
Pinging one way validates routing and encryption.
One way ping usually indicates an access rule or software firewall on the pc you are trying to ping.
Some things enable a firewall that you would not expect. Cisco VPN client, for example, can enable a firewall whether you are using it or not.
0
 

Author Comment

by:dtadmin
ID: 22625172
here is what the asdm logging on the asa is seeing:

6      Oct 02 2008      08:18:17      302020      10.1.200.8      10.30.1.10       Built outbound ICMP connection for faddr 10.1.200.8/0 gaddr 10.30.1.10/768 laddr 10.30.1.10/768


6      Oct 02 2008      08:18:17      302021      10.1.200.8      10.30.1.10       Teardown ICMP connection for faddr 10.1.200.8/0 gaddr 10.30.1.10/768 laddr 10.30.1.10/768

looks like the asa is seeing the ping from my pc behind my corporate firewall, but it's not letting it through to the inside hosts.
0
 

Author Comment

by:dtadmin
ID: 22625182
nevermind that was the wrong log....standby
0
 

Author Comment

by:dtadmin
ID: 22625208
6      Oct 02 2008      08:18:17      302020      10.1.3.3      10.30.1.10       Built inbound ICMP connection for faddr 10.1.3.3/768 gaddr 10.30.1.10/0 laddr 10.30.1.10/0

6      Oct 02 2008      08:22:49      302021      10.1.3.3      10.30.1.10       Teardown ICMP connection for faddr 10.1.3.3/768 gaddr 10.30.1.10/0 laddr 10.30.1.10/0

here we go....my ip is 10.1.3.3 and the host behind the asa that I'm unable to ping is 10.30.1.10
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 22625439
Looks like the host 10.30.1.10 has a firewall enabled because the firewall is doing exactly what is expected.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question