https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594634#M1089305 <P>NAT exception must include traffic for both.</P><P><BR />do you run packet tracer ?</P><P>&nbsp;</P><P><SPAN>packet-tracer input <STRONG>Inside</STRONG>&nbsp;icmp&nbsp;ASA 8 0 Site-C detailed</SPAN></P> Mon, 18 Apr 2022 16:35:16 GMT MHM Cisco World 2022-04-18T16:35:16Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594546#M1089294 <P>Hi,</P><P>&nbsp;</P><P>I have 3 sites, A, B, and C.&nbsp;</P><P>A - Would be the HUB.</P><P>B - Spoke - Working</P><P>C - Spoke - Not working.</P><P>&nbsp;</P><P>From site A end device I can ping the ASA from site B, but I can't ping site C even with the same configs and tunnels are up I still can't ping ASA site C. I can confirm that behind the ASA - C end devices is reachable, only the ASA is not.<BR /><BR />I already enabled inspect ICMP added ACL for ICMP made sure interesting traffic is passing thru and UN-NAT is in place.&nbsp;</P> Mon, 18 Apr 2022 14:54:40 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594546#M1089294 baroncse 2022-04-18T14:54:40Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594548#M1089295 <P>same IPSec tunnel I mention before that there is issue with it or this new IPSec tunnel ?</P> Mon, 18 Apr 2022 14:56:23 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594548#M1089295 MHM Cisco World 2022-04-18T14:56:23Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594559#M1089296 <P>different one sir. need some help tshooting this.</P> Mon, 18 Apr 2022 15:08:13 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594559#M1089296 baroncse 2022-04-18T15:08:13Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594564#M1089297 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1254272">@baroncse</a>&nbsp;wrote:<BR /> <P>&nbsp;I can confirm that behind the ASA - C end devices is reachable, only the ASA is not.</P> <HR /></BLOCKQUOTE> <P>so are you actually just trying to ping the ASA C's inside interface over the VPN tunnel?</P> <P>If so use the command "management-access &lt;inside interface&gt;" to permit that traffic.</P> <P>&nbsp;</P> <P>Make sure you ping from a device behind ASA A not from the ASA itself.</P> Mon, 18 Apr 2022 15:14:03 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594564#M1089297 Rob Ingram 2022-04-18T15:14:03Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594570#M1089298 <P>sorry forgot to mention I also have this configured as well "management-access inside"</P><P>And yes from site A end device going to site C ASA no pings. but from site A end device going to site B ASA working perfectly.</P><P>&nbsp;</P><P>C and B have the same configs for the tunnel going to site A.</P> Mon, 18 Apr 2022 15:18:47 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594570#M1089298 baroncse 2022-04-18T15:18:47Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594572#M1089299 <P><SPAN>A - Would be the HUB&lt;- issue here&nbsp;<BR /><BR />I think you config&nbsp;ONE Policy ACL with two line for both spoke??<BR />that wrong&nbsp;<BR />config two&nbsp;policy ACL one for each Spoke.<BR /><BR />and two tunnel one for each Spoke.</SPAN></P> Mon, 18 Apr 2022 15:22:39 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594572#M1089299 MHM Cisco World 2022-04-18T15:22:39Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594591#M1089301 <P>they have separate configs for ACL and Tunnels. Lets just say spoke to spoke (A to C) for the tunnels.&nbsp;</P><P>I can confirm tunnel is up because from A end device to C end device they have connectivity I can RDP and ICMP, but the ASA - C is the only issue. I need the ASA - C be pingable from A end device.</P> Mon, 18 Apr 2022 15:38:46 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594591#M1089301 baroncse 2022-04-18T15:38:46Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594603#M1089302 <P>can I see the config for both ACL and tunnel ?</P> Mon, 18 Apr 2022 15:50:13 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594603#M1089302 MHM Cisco World 2022-04-18T15:50:13Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594625#M1089304 <P>Not sure if this is relevant but as I told you tunnel is up I can reach from A end device going to C end device, it's just the ASA - C is not pingable.</P><P>&nbsp;</P><P>&nbsp;</P><P>Site A - ASA confg:</P><P>&nbsp;</P><P>access-list int1/1_cryptomap_2 extended permit ip object 10.16.169.0 object 10.16.174.0</P><P>&nbsp;</P><P>crypto map int1/1_map 2 match address int1/1_cryptomap_2<BR />crypto map int1/1_map 2 set peer B.B.B.B<BR />crypto map int1/1_map 2 set ikev1 **********</P><P>&nbsp;</P><P>tunnel-group B.B.B.B type ipsec-l2l<BR />tunnel-group B.B.B.B ipsec-attributes<BR />ikev1 pre-shared-key *********</P><P>&nbsp;</P><P>========================================================</P><P>access-list int1/1_cryptomap_3 extended permit ip object 10.16.169.0 object 10.16.174.128</P><P>&nbsp;</P><P>crypto map int1/1_map 3 match address int1/1_cryptomap_3<BR />crypto map int1/1_map 3 set peer C.C.C.C<BR />crypto map int1/1_map 3 set ikev1 *****</P><P><BR />tunnel-group C.C.C.C type ipsec-l2l<BR />tunnel-group C.C.C.C ipsec-attributes<BR />ikev1 pre-shared-key *************<BR /><BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 18 Apr 2022 16:18:45 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594625#M1089304 baroncse 2022-04-18T16:18:45Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594634#M1089305 <P>NAT exception must include traffic for both.</P><P><BR />do you run packet tracer ?</P><P>&nbsp;</P><P><SPAN>packet-tracer input <STRONG>Inside</STRONG>&nbsp;icmp&nbsp;ASA 8 0 Site-C detailed</SPAN></P> Mon, 18 Apr 2022 16:35:16 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594634#M1089305 MHM Cisco World 2022-04-18T16:35:16Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594640#M1089306 <P>As I said tunnel works fine the problem is Cisco ASA Site C is not replying from my ICMP request from Site A end device. Any other suggestions?</P> Mon, 18 Apr 2022 16:35:41 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594640#M1089306 baroncse 2022-04-18T16:35:41Z https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594680#M1089309 <P>Do Packet-tracer ASA-A to Site-B<BR />Do Packet-tracer ASA-A to Site C<BR />check if the <STRONG>traffic-ID &amp;&nbsp;SPI</STRONG> is same&nbsp;<BR /><BR />check Other Site "Site-C" have route back to tunnel<BR />&nbsp;</P> Mon, 18 Apr 2022 17:23:47 GMT https://community.cisco.com/t5/network-security/can-t-ping-asa-from-end-device-via-ipsec-tunnel/m-p/4594680#M1089309 MHM Cisco World 2022-04-18T17:23:47Z