cassini12

asked on

IPSEC Tunnel VLANs Can't Ping Across

Hi, so this used to work, so I am baffled at the moment. Let's say the networks are below. 2 Cisco ASA 5501 one on side 5510 on other.

TUNNEL IS UP:
VLAN location 1: X.X.20.0 /24
VLAN location 2: X.X.30.0 /24

I see on both ASDM the ICMP packages being transmitted, "built" never says fail. But it does not ping on local clients.
If I do a traceroute from 5505 it at least goes out a few hops.
But if I go to the 5510, I get zero hops, as if it's not leaving the ASA at all.

I see network objects defined for both, I have static routes defined for both

Anything I am missing? Without me pasting my config I mean, just anything very obvious? TY ALL
Mike

Any "icmp deny *interface* *interface*" statements in the firewall?
Or is the clients' firewall blocking ICMP traffic (e.g. Windows 7 Firewall > Advanced Settings > Inbound Rules > Private/Public: "File and Printer Sharing (Echo Request - ICMPv4-In)")?
Hi,

Did you use the wizard? It is pretty straightforward. Sometimes it messes up the NAT translation - that could be a cause you don't get anything through. Else, what Mike said - local firewall on PCs blocks ICMP (why is a miracle to me) or ICMP deny on interfaces.

Side note
For correct communication you need a few ICMP types enabled. Echo and Echo Reply are just for kicks to see if your device is reachable. But "ICMP unreachable", for example, arranges the packet size between network devices and some other things.

If you have a router or switch that you can ping from, they do not block that by default, in case you cannot disable the local Windows firewall...

Markus
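
The checks suggested in the answers above, written out as ASA CLI commands; this is an added example, not a configuration from the thread. The interface names `inside`/`outside`, the object names `LOCAL-20` and `REMOTE-30`, the `.10` host addresses, the `<remote-peer-ip>` placeholder and the 8.3+ NAT syntax are assumptions, with X.X standing in for the redacted octets as in the question.

```cisco
! Run on each ASA; shown for the side that owns X.X.20.0/24.
! Swap the 20/30 networks when repeating on the other unit.

! 1. Tunnel "up" does not prove traffic flows. Note the "#pkts encaps" and
!    "#pkts decaps" counters, ping from a client, then run it again.
!    Encaps rising with decaps flat means replies are not coming back
!    through the tunnel; encaps flat means the ping never entered it.
show crypto ipsec sa peer <remote-peer-ip>

! 2. Simulate an echo request (type 8, code 0) from a local client to a
!    remote client. The output lists each phase (ACCESS-LIST, NAT, VPN)
!    and names the one that drops the packet, if any.
packet-tracer input inside icmp X.X.20.10 8 0 X.X.30.10 detailed

! 3. NAT: traffic between the two VLANs must leave untranslated, otherwise
!    it no longer matches the crypto ACL. Review what is configured and
!    whether the exemption rule is actually being hit.
show running-config nat
show nat detail

!    An identity-NAT (exemption) rule for the two VLANs on 8.3 or later:
object network LOCAL-20
 subnet X.X.20.0 255.255.255.0
object network REMOTE-30
 subnet X.X.30.0 255.255.255.0
nat (inside,outside) source static LOCAL-20 LOCAL-20 destination static REMOTE-30 REMOTE-30 no-proxy-arp route-lookup

! 4. ICMP rules. The "icmp" command governs ICMP addressed to the ASA's
!    own interfaces; ICMP passing through the ASA is governed by the
!    interface access lists.
show running-config icmp
show running-config access-list

!    Allow unreachable messages to reach the outside interface so that
!    packet-size (path MTU) signalling keeps working:
icmp permit any unreachable outside
```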