Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out

CSCO11589626
Level 1

I have, what I believe to be, a simple issue - I must be missing something.

Site to Site VPN with Cisco ASAs. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).

There is a PC (10.51.253.210) plugged into e0/1.

I know the PC is configured correctly with Windows firewall turned off.

The PC cannot get to the outside world, and the ASA cannot ping 10.51.253.210.

I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.

Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.

Any ideas? Sanitized Config is below. Thanks !

ASA Version 7.2(4)
!
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif Inside
 security-level 100
 ip address 10.51.253.209 255.255.255.248
!
interface Vlan2
 nameif Outside
 security-level 0
 ip address ***** 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns server-group DefaultDNS
 domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside

username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end


2 Replies

Hi Bro

If you chop up your config and paste it here, how are we to help you?

Anyway, this is what you need to do. Let me know how it goes;

Add these commands

==============
global (Outside) 1 interface
nat (Inside) 1 10.51.253.210 255.255.255.255

// I hope you have something like these too;

access-list inside permit ip any any
access-list outside permit ip any any
access-group inside in interface Inside
access-group outside in interface Outside

Warm regards,
Ramraj Sivagnanam Sivajanam
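Added example (editor's code, not from either poster): the Python below models the ASA 7.x NAT order of operations against a constructed subset of the sanitized config in the original post, first as posted and then with the lines the first reply proposes, and flags the two Outside-facing settings a practitioner would question. Assumptions: `nat-control` is at its 7.x default (disabled; the posted config has no `nat-control` line), only NAT exemption and regular dynamic NAT are modelled (no static or policy NAT appears in the post), `203.0.113.10` stands in for an arbitrary Internet host, and the VPN peer and outside address that were sanitized in the post are left out.

```python
"""Model how an ASA 7.2 NAT configuration treats a flow from the inside PC.

Added example, not code from the thread. The two config strings below are a
constructed subset of the sanitized config posted above plus the lines the
first reply proposes. NAT order modelled (ASA 7.x): nat 0 access-list
(exemption) is checked first, then regular nat (Inside) N statements, most
specific match first; a flow matching nothing is forwarded untranslated
because nat-control is disabled by default in 7.x (assumption: the poster
has not enabled it; no nat-control line is present in the post).
"""
import ipaddress
import re

# Constructed subset of the posted config (three of the ten No_NAT lines).
ORIGINAL_CONFIG = """
interface Vlan1
 nameif Inside
 ip address 10.51.253.209 255.255.255.248
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
ssh 0.0.0.0 0.0.0.0 Outside
"""

# The additions suggested in the first reply, verbatim.
PROPOSED_ADDITIONS = """
nat (Inside) 1 10.51.253.210 255.255.255.255
access-list inside permit ip any any
access-list outside permit ip any any
access-group inside in interface Inside
access-group outside in interface Outside
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    pat = re.compile(r"access-list (\S+) (?:extended )?permit ip (.+)")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        toks, ends = m.group(2).split(), []
        while toks:  # each endpoint is 'any', 'host A', or 'A MASK'
            if toks[0] == "any":
                ends.append(ipaddress.ip_network("0.0.0.0/0")); toks = toks[1:]
            elif toks[0] == "host":
                ends.append(_net(toks[1], "255.255.255.255")); toks = toks[2:]
            else:
                ends.append(_net(toks[0], toks[1])); toks = toks[2:]
        if len(ends) == 2:
            acls.setdefault(m.group(1), []).append((ends[0], ends[1]))
    return acls


def nat_decision(config, src, dst):
    """Classify an Inside->Outside flow: 'exempt' (nat 0, i.e. VPN traffic),
    'pat' (nat N matched and global N exists), 'no-global' (nat N matched but
    no global N), or 'untranslated' (no nat statement matches)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acls = parse_acls(config)
    exempt = re.search(r"nat \(Inside\) 0 access-list (\S+)", config)
    if exempt:
        for s, d in acls.get(exempt.group(1), []):
            if src in s and dst in d:
                return "exempt"
    best = None  # most specific nat (Inside) N network containing src
    for nat_id, addr, mask in re.findall(r"nat \(Inside\) (\d+) (\S+) (\S+)", config):
        if nat_id == "0":
            continue
        net = _net(addr, mask)
        if src in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (nat_id, net)
    if best is None:
        return "untranslated"
    if re.search(rf"global \(Outside\) {best[0]} (\S+)", config):
        return "pat"
    return "no-global"


def risky_lines(config):
    """Flag an inbound Outside ACL that permits ip any any, and SSH management
    reachable from every Outside address."""
    findings = []
    bound = dict(re.findall(r"access-group (\S+) in interface (\S+)", config))
    acls = parse_acls(config)
    for name, nameif in bound.items():
        if nameif == "Outside" and any(
            s.prefixlen == 0 and d.prefixlen == 0 for s, d in acls.get(name, [])
        ):
            findings.append(f"access-group {name} in interface Outside permits ip any any inbound")
    if re.search(r"ssh 0\.0\.0\.0 0\.0\.0\.0 Outside", config):
        findings.append("ssh 0.0.0.0 0.0.0.0 Outside exposes management to the whole Internet")
    return findings


if __name__ == "__main__":
    pc, vpn_host, internet_host = "10.51.253.210", "10.1.7.5", "203.0.113.10"
    for label, cfg in (("as posted", ORIGINAL_CONFIG),
                       ("with reply's additions", ORIGINAL_CONFIG + PROPOSED_ADDITIONS)):
        print(label, "-> VPN:", nat_decision(cfg, pc, vpn_host),
              "Internet:", nat_decision(cfg, pc, internet_host))
        for f in risky_lines(cfg):
            print("  WARNING:", f)
```

Two things the model makes visible. First, in the posted config a flow from 10.51.253.210 to an Internet host matches neither `No_NAT` nor any `nat (Inside) N` statement, so it leaves with its 10.x source and no reply can come back; the reply's `nat (Inside) 1` line fixes that, but as a /32 it covers only that one PC, so `nat (Inside) 1 10.51.253.208 255.255.255.248` is the natural choice for the /29. Second, the `permit ip any any` ACL bound inbound on Outside is needed for neither outcome: return traffic for outbound connections is admitted by the stateful connection table, and site-to-site traffic bypasses the interface ACL while `sysopt connection permit-vpn` is at its default. Binding it opens the Outside interface to everything, and alongside the `ssh 0.0.0.0 0.0.0.0 Outside` already in the config it leaves management reachable from the whole Internet. None of this explains why the ASA cannot ping a directly connected host; that is a layer-2 question (`show arp`, `show interface ethernet0/1`, `show switch vlan` on the 5505), which fits the earlier fix of deleting and recreating VLAN 1.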

nkarthikeyan
Level 7

Hi Martin,

Which way are you trying? Is sending traffic via the site-to-site VPN not working, or is the traffic you generate to the outside world not working?

But you say the ASA's interface connected to the PC itself is not pinging; that is strange. Try setting up specific rules for the outgoing connection and check, instead of not having any ACL.

If it is the outside world, you may need to check on the NAT rules, which are not correct.

If it is site-to-site, then you may need to check a few other things.

Please do rate the helpful posts.

By

Karthik
