https://community.cisco.com/t5/network-security/cisco-asa-5505-cannot-ping-local-traffic-and-local-hosts-cannot/m-p/1968736#M401638 <HTML><HEAD></HEAD><BODY><P>Hi Bro</P><P>If you were to chop your config, and paste them here, how are we to help you?</P><P></P><P>Anyway, this is what you need to do. Let me know how it goes;</P><P></P><P>Add this command</P><P>==============<BR />global (Outside) 1 interface<BR />nat (Inside) 1 10.51.253.210 255.255.255.255</P><P></P><P>// I hope you have something like these too;</P><P>access-list inside permit ip any any</P><P>access-list outside permit ip any any</P><P>access-group inside in interface Inside</P><P>access-group outside in interface Outside</P></BODY></HTML> Thu, 26 Jul 2012 02:12:07 GMT Ramraj Sivagnanam Sivajanam 2012-07-26T02:12:07Z https://community.cisco.com/t5/network-security/cisco-asa-5505-cannot-ping-local-traffic-and-local-hosts-cannot/m-p/1968735#M401637 <P>I have, what I believe to be, a simple issue - I must be missing something.</P><P>Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).</P><P>There is a PC (10.51.253.210) plugged into e0/1.</P><P>I know the PC is configured correctly with Windows firewall tuned off. </P><P>The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.</P><P>I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.</P><P>Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.</P><P>Any ideas? Sanitized Config is below. Thanks !</P><P></P><P></P><P>ASA Version 7.2(4)</P><P>!</P><P>hostname *****</P><P>domain-name *****</P><P>enable password N7FecZuSHJlVZC2P encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>!</P><P>interface Vlan1</P><P>nameif Inside</P><P>security-level 100</P><P>ip address 10.51.253.209 255.255.255.248</P><P>!</P><P>interface Vlan2</P><P>nameif Outside</P><P>security-level 0</P><P>ip address ***** 255.255.255.248</P><P>!</P><P>interface Ethernet0/0</P><P>switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P>shutdown</P><P>!</P><P>interface Ethernet0/3</P><P>shutdown</P><P>!</P><P>interface Ethernet0/4</P><P>shutdown</P><P>!</P><P>interface Ethernet0/5</P><P>shutdown</P><P>!</P><P>interface Ethernet0/6</P><P>shutdown</P><P>!</P><P>interface Ethernet0/7</P><P>shutdown</P><P>!</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P>domain-name *****</P><P>access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0</P><P>access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250</P><P>access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200</P><P>access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9</P><P>access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14</P><P>access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15</P><P>access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16</P><P>access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0</P><P>access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0</P><P>access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240</P><P>access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0</P><P>access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250</P><P>access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200</P><P>access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9</P><P>access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14</P><P>access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15</P><P>access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16</P><P>access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0</P><P>access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0</P><P>access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240</P><P>pager lines 24</P><P>mtu Outside 1500</P><P>mtu Inside </P><P>icmp unreachable rate-limit 1 burst-size 1<BR />icmp permit any Outside<BR />no asdm history enable<BR />arp timeout 14400<BR />global (Outside) 1 interface<BR />nat (Inside) 0 access-list No_NAT<BR />route Outside 0.0.0.0 0.0.0.0 ***** 1<BR />timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />aaa authentication enable console LOCAL<BR />aaa authentication serial console LOCAL<BR />aaa authentication ssh console LOCAL<BR />http server enable<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server community *****<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart<BR />crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac<BR />crypto map DPS_Map 10 match address Outside_VPN<BR />crypto map DPS_Map 10 set peer *****<BR />crypto map DPS_Map 10 set transform-set *****<BR />crypto map DPS_Map interface Outside<BR />crypto isakmp enable Outside<BR />crypto isakmp policy 10<BR />authentication pre-share<BR />encryption 3des<BR />hash md5<BR />group 2<BR />lifetime 28800<BR />crypto isakmp policy 65535<BR />authentication pre-share<BR />encryption 3des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />telnet timeout 5<BR />ssh 0.0.0.0 0.0.0.0 Outside<BR />ssh timeout 60<BR />console timeout 0<BR />management-access Inside</P><P>username test password P4ttSyrm33SV8TYp encrypted<BR />tunnel-group ***** type ipsec-l2l<BR />tunnel-group ***** ipsec-attributes<BR />pre-shared-key *<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR />class inspection_default<BR />&nbsp; inspect dns preset_dns_map<BR />&nbsp; inspect ftp<BR />&nbsp; inspect h323 h225<BR />&nbsp; inspect h323 ras<BR />&nbsp; inspect netbios<BR />&nbsp; inspect rsh<BR />&nbsp; inspect rtsp<BR />&nbsp; inspect skinny<BR />&nbsp; inspect esmtp<BR />&nbsp; inspect sqlnet<BR />&nbsp; inspect sunrpc<BR />&nbsp; inspect tftp<BR />&nbsp; inspect sip<BR />&nbsp; inspect xdmcp<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d<BR />: end</P><P>1500</P> Mon, 11 Mar 2019 23:34:34 GMT https://community.cisco.com/t5/network-security/cisco-asa-5505-cannot-ping-local-traffic-and-local-hosts-cannot/m-p/1968735#M401637 CSCO11589626 2019-03-11T23:34:34Z https://community.cisco.com/t5/network-security/cisco-asa-5505-cannot-ping-local-traffic-and-local-hosts-cannot/m-p/1968736#M401638 <HTML><HEAD></HEAD><BODY><P>Hi Bro</P><P>If you were to chop your config, and paste them here, how are we to help you?</P><P></P><P>Anyway, this is what you need to do. Let me know how it goes;</P><P></P><P>Add this command</P><P>==============<BR />global (Outside) 1 interface<BR />nat (Inside) 1 10.51.253.210 255.255.255.255</P><P></P><P>// I hope you have something like these too;</P><P>access-list inside permit ip any any</P><P>access-list outside permit ip any any</P><P>access-group inside in interface Inside</P><P>access-group outside in interface Outside</P></BODY></HTML> Thu, 26 Jul 2012 02:12:07 GMT https://community.cisco.com/t5/network-security/cisco-asa-5505-cannot-ping-local-traffic-and-local-hosts-cannot/m-p/1968736#M401638 Ramraj Sivagnanam Sivajanam 2012-07-26T02:12:07Z https://community.cisco.com/t5/network-security/cisco-asa-5505-cannot-ping-local-traffic-and-local-hosts-cannot/m-p/1968737#M401639 <HTML><HEAD></HEAD><BODY><P>Hi Martin,</P><P></P><P>Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?</P><P></P><P>But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.</P><P></P><P>If it is outside world the you may need to check on the NAT rules which is not correct.</P><P></P><P>If it is site to site then you may need to check few other things.</P><P></P><P>Please do rate for the helpful posts.</P><P></P><P>By</P><P></P><P>Karthik</P></BODY></HTML> Thu, 26 Jul 2012 04:35:27 GMT https://community.cisco.com/t5/network-security/cisco-asa-5505-cannot-ping-local-traffic-and-local-hosts-cannot/m-p/1968737#M401639 nkarthikeyan 2012-07-26T04:35:27Z