Solved: Cannot ping ASA 5505 INSIDE INTERFACE across VPN.

Posted on 2014-03-13, last modified 2014-03-14
Hello,

I cannot ping one of our remote offices' ASA 5505s across the site-to-site VPN tunnel. I've compared the configs of our offices and they do not look any different, so I do not know what I'm missing.

Site 1 cannot ping the inside interface of site 2, however site 2 can ping the inside interface of site 1.

ICMP traffic is being allowed through the firewall and ICMP is enabled in the global policy settings to be inspected.  

Quick note, I can ping site 2's inside interface from a system within site 2, I just can't do it across the VPN.

I'm working via ASDM, so any help fixing this via ASDM would be greatly appreciated.
Question by: CKilmer1975

20 Comments

Expert Comment by pony10us (LVL 26):
Are you getting unreachable or time out?

Unreachable would mean the issue is probably at Site 1 (the originator of the failing ping)
Time Out would mean the issue is probably at Site 2 (the responder of the failing ping)

Author Comment by CKilmer1975:
I'm getting "Request timed out."

Expert Comment by pony10us (LVL 26):
Okay, that means that the ping is probably getting from Site 1 to Site 2 but Site 2 is unable or refusing to send a response.

I would start by looking at the ACLs on Site 2 for an implicit deny.

Author Comment by CKilmer1975:
I've attached a screenshot of my ACL. There are no implicit denies for ICMP traffic.
ACL.png

Expert Comment by pony10us (LVL 26):
How about Device Management?

Expert Comment by Michael Ortega (Internetwerx, Inc.) (LVL 16):
Which firmware version are you using?

Also can you post your NAT statements?


-BB

Author Comment by CKilmer1975:
Hi,

@ pony10us, I have nothing listed on that ICMP screen.

ASA : 8.2(5)
ASDM: 6.4(5)

I have attached my NAT info.

NAT info

Accepted Solution by Michael Ortega (Internetwerx, Inc.) (LVL 16), earned 250 total points:
Upgrade your firmware to the latest (or at least 8.4.2) and then enter this at the end of your NAT configuration for the tunnel:

no-proxy-arp route-lookup

MO/BB

Author Comment by CKilmer1975:
We do not have a service agreement with Cisco, so I do not have the ability to download firmware from their site.  Is there another way to procure it?

Expert Comment by Michael Ortega (Internetwerx, Inc.) (LVL 16):
No legal ways that I know of. The goal is basically to turn proxy arp off on your tunnel NAT configuration.

MO

Author Comment by CKilmer1975:
Ahh, and I suppose there's no way to do it in my current firmware?

Expert Comment by Michael Ortega (Internetwerx, Inc.) (LVL 16):
I don't believe so. Sorry about that. A support contract on a 5505 for 8x5 NBD is pretty reasonable. I believe it's only $100. Maybe $150 for the upgraded 24x7, 4-hour hardware replacement warranty. Either one will give you access to Cisco.com so you can download the latest system and ASDM software.

MO

Expert Comment by Michael Ortega (Internetwerx, Inc.) (LVL 16):
I believe the above costs are for the 50 User licensed 5505. If this is a 10 User licensed 5505 it's even cheaper for SMARTnet.

MO

Expert Comment by pony10us (LVL 26):
I have a 5505 with:

ASA 8.2(2)4
ASDM 7.0(2)

Arp Proxy settings

Author Comment by CKilmer1975:
Thanks for pointing that out pony10us.  Here is my screen:

proxyarp

Will unchecking something here help in any way?

Expert Comment by Michael Ortega (Internetwerx, Inc.) (LVL 16):
I would advise against that. Those are proxy ARP settings on physical interfaces, which you most likely need intact. We're talking about turning proxy ARP off specifically on the tunnel NAT.

MO

Expert Comment by Michael Ortega (Internetwerx, Inc.) (LVL 16):
Here's a good read on how proxy arp works on an ASA: http://www.packetu.com/2011/11/07/the-asas-arp-behavior/

I would advise against turning it off globally on an interface. Since the issue is with how proxy-arp works across a VPN tunnel then you only need the ability to turn off proxy-arp on the NAT (or no NAT, technically) associated with the VPN tunnel.

MO
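The change recommended in the accepted solution and explained above, written out as an added example (not configuration from the thread or from either poster): on ASA 8.3+ (the thread names 8.4.2 as the minimum) the NAT-exempt rule for the tunnel carries `no-proxy-arp route-lookup`. Object names, subnets and host addresses are assumed for illustration; the `management-access inside` line and the verification commands are additions, not something the thread states.

```cisco
! Added example, not from the thread. Site 2 ASA, software 8.3 or later.
! Object names and subnets below are assumed for illustration.
object network SITE2-LAN
 subnet 10.2.0.0 255.255.255.0
object network SITE1-LAN
 subnet 10.1.0.0 255.255.255.0
!
! Identity (NAT-exempt) rule for traffic crossing the site-to-site tunnel.
! no-proxy-arp stops the ASA answering ARP on the inside interface for the
! remote subnet named in the rule; route-lookup makes the egress interface
! come from the routing table rather than from the NAT rule, so the reply to
! the far side is sent into the tunnel instead of being proxied locally.
nat (inside,outside) source static SITE2-LAN SITE2-LAN destination static SITE1-LAN SITE1-LAN no-proxy-arp route-lookup
!
! Separate known ASA requirement (not covered in the thread): ICMP aimed at the
! inside interface address itself is only accepted over a VPN when this is set.
management-access inside
!
! Verification after the change.
show running-config nat
show nat detail
! Replay the failing ping: a Site 1 host (assumed 10.1.0.10) entering over the
! VPN on the outside interface, ICMP echo request (type 8, code 0) to Site 2's
! inside interface (assumed 10.2.0.1). The trace shows which phase drops it.
packet-tracer input outside icmp 10.1.0.10 8 0 10.2.0.1
```

The same rule is visible in ASDM under the NAT Rules table as the "Disable Proxy ARP on egress interface" and "Lookup route table to locate egress interface" options of the exempt rule.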

Author Comment by CKilmer1975:
Thanks for the info MO, I'll read up on it. I'm still trying to figure out how to purchase a service contract. Cisco's site redirects me to resellers, but the reseller sites aren't listing Cisco service contracts, so I'm emailing sales to get some answers.

Expert Comment by Michael Ortega (Internetwerx, Inc.) (LVL 16):
Get one through CDW. That's probably the easiest.

MO

Expert Comment by pony10us (LVL 26):
mgortega:

I see what you are getting at now.  Makes sense.  Here is another good article:  http://www.fir3net.com/Cisco-ASA/cisco-asa-proxy-arp-gotcha.html