topic Re: Cannot reach Inside Interface of ASA through L2L Tunnel in Network Security

Cannot reach Inside Interface of ASA through L2L Tunnel

AGINetworkGroup — Mon, 11 Mar 2019 12:37:30 GMT

Hi All

We have a site to site tunnel running between two sites SiteA and SiteB from both the sites we are able to ping devices internally in the network but not to the inside interface of the ASA.

I have enabled the management interface as the inside interface of both the ASA and to manage the remote ASA through L2L I need to reach the remote ASA through the inside interface. Inspect is enabled too. There are acl's applied but as of now all have permit ip any any on both the internal and external interface.

Also noted that previously when we had a site to site with Pix501 we used to test the L2L VPN by using "ping inside" command but in ASA it is not working any reason ? Any method to reach the remote network from the ASA for testing the L2L connectivity.

Can anyone suggest me the missing configuration I need to do.

Regards,

Krissh

Re: Cannot reach Inside Interface of ASA through L2L Tunnel

rkalia1 — Sun, 27 Apr 2008 15:44:54 GMT

Just try 'ping'command on ASA

Re: Cannot reach Inside Interface of ASA through L2L Tunnel

AGINetworkGroup — Sun, 27 Apr 2008 16:40:13 GMT

Tried it No luck

Re: Cannot reach Inside Interface of ASA through L2L Tunnel

rkalia1 — Sun, 27 Apr 2008 16:47:18 GMT

do you have the command "icmp permit any inside"on the ASA? Also, pls send the config of your ASA if u can.

Re: Cannot reach Inside Interface of ASA through L2L Tunnel

AGINetworkGroup — Sun, 27 Apr 2008 17:14:36 GMT

Yes that is there in it. here is the asa config i have changed the public ip's in the asa due to security reasons.

Re: Cannot reach Inside Interface of ASA through L2L Tunnel

rkalia1 — Sun, 27 Apr 2008 17:34:14 GMT

If you can ping the hosts on the other side while the tunnel is up then you have verified the connectivity already. I dont think ASA lets you ping any of its interfaces unless you are behind that particular interface which you are pinging.

Re: Cannot reach Inside Interface of ASA through L2L Tunnel

AGINetworkGroup — Sun, 27 Apr 2008 17:45:50 GMT

Well I dont think i can totally agree with this as I have checked this on the same model and version in a different site where in I can reach the internal IP of the ASA (Inside interface of the remote ASA) and manage the firewall too through SSH and HTTP.

Re: Cannot reach Inside Interface of ASA through L2L Tunnel

rkalia1 — Sun, 27 Apr 2008 17:53:17 GMT

I am not saying you cannot reach the other side ASA's inside interface. I mean to say that you cannot ping the inside interface of that ASA form anywhere except when you are in the same network as the inside interface. There are two things - one is ping through he ASA and other is pinging the interfaces of the ASA. When you are pinging through the ASA fixup icmp or ip inpect come into play for the return path. When you ping only the interface then you can do only from the network attached to that interface only. You cannot ping the internal interface from a host sitting in for example DMZ even if you have proper access-lists allowing ping traffic as this is traffic to the interface and not through the box.

Re: Cannot reach Inside Interface of ASA through L2L Tunnel

AGINetworkGroup — Sun, 27 Apr 2008 18:04:49 GMT

The only thing i want to succeed is I want to reach site B's ASA(inside interface) from Site A and through the site to site tunnel which was pretty much possible and was working with pix 501's and is not happening after changing to ASA's. Can you help me find the missing configuration in the ASA to do so.

Re: Cannot reach Inside Interface of ASA through L2L Tunnel

rkalia1 — Sun, 27 Apr 2008 18:29:26 GMT

I think your crypto access-list should be like this :

crypto map HEVPN 10 match address nonat