topic Re: Unable to ping remote subnet after tunnel is established in Network Security

Unable to ping remote subnet after tunnel is established

kltconsulting — Fri, 21 Feb 2020 09:30:39 GMT

I am connecting a Cisco ASA 5505 and a Symantec Gateway 460R device via site to site VPN tunnel, and the Phase 1 (IKE) and Phase 2 (IPSec) negotiations go thru just fine. I show 1 active IKE and 1 active ipsec on the monitoring screen. However, when I try to ping a device on the remote subnet, the pings time-out. I can ping the public IP of the outside interface on the peer device, but if I try to ping anything on the inside interface, I get a time-out. If the tunnel is established, shouldn't my subnet be able to communicate with the remote subnet?

Re: Unable to ping remote subnet after tunnel is established

acomiskey — Tue, 08 May 2007 23:17:09 GMT

A little more info may be needed here. ASA config would be nice.

Re: Unable to ping remote subnet after tunnel is established

kltconsulting — Wed, 09 May 2007 01:19:30 GMT

The config file is attached.

Re: Unable to ping remote subnet after tunnel is established

james.rugh — Thu, 21 Jun 2007 21:37:12 GMT

I am having the same problem between an ASA and an 871w. The tunnel is up. However, on the ASA, if I do a "debug icmp trace", and then ping from a device on the remote end to the ASA inside interface, I see the icmp echo requests come in to the inside interface, but the ASA echo replies go back out the outside interface. It's as though traffic is not routing to the remote properly through the tunnel. I've checked the no-nat access-list - looks ok to me.

Re: Unable to ping remote subnet after tunnel is established

reido2131 — Wed, 26 Sep 2007 21:01:24 GMT

Without knowing a litle more about how each end of the network is set up, it might be a little hard to narrow this down with just the config file. If you do a tracert, does that completely fail?

The next 2 issues to look at would be 1-Are there any ACLs, or the like, on either end that is blocking ICMP Ping traffic? and 2-Does the host that you are pinging on the other end know where to send the response?

You may need to add a static route to the host on the other end to make sure that it knows which interface or IP on the network to send the response back out through.

Be aware, that if you add a static route to a Windows Server or Workstation, it will stay in there only as long as the computer has not been rebooted. I haven't found a way to keep it in there permanently.

Reido

Re: Unable to ping remote subnet after tunnel is established

thomasdzubin — Fri, 28 Sep 2007 14:21:39 GMT

You can add a "permanent" route to a MS-Windows system by using the "-p" flag on the ROUTE ADD command. Here's a screen cut-and-paste from the help shown when you just give the ROUTE command without any argument:

" -p When used with the ADD command, makes a route persistent across

boots of the system. By default, routes are not preserved

when the system is restarted. Ignored for all other commands,

which always affect the appropriate persistent routes. This

option is not supported in Windows 95."