
Pinging outside interface of remote ASA5510 VPN peer

rscho
Level 1

Hi Group, hope someone here can help.

We have two sites, A and B, each with an ASA5510 providing a backup VPN for a fibre link between the sites. Both the fibre & VPN links work fine.

Site A has an internal network monitor that continuously pings our network infrastructure and alerts us when something goes down.

We need to ping the external interface of Site B's ASA5510 to monitor the link through both sites' ISPs; however, the monitor's pings all fail.

We have set icmp inspection at both sites and hosts from inside each site can ping other external hosts with:

icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit host SiteB_External outside
icmp permit any outside    <--------- allow external icmp requests from anywhere for testing
policy-map global_policy
 class inspection_default
  .
  .
  inspect tftp
  inspect icmp

So from home or any other external network we can ping the external interfaces of both ASAs. However, from within the network or from the ASAs themselves we get no response when trying to ping the remote ASA external interface.

The ASA versions are 8.2 for site A & 8.4 for site B. I suspect the VPN is in some way influencing the situation, or perhaps even NAT, but I am not proficient enough to confirm this.

Any help would be much appreciated.


pbuch
Level 1

The interfaces will answer to ping without any configuration.

But you need to permit icmp from inside, and echo reply from outside.

However, pinging from the outside interface should be possible.
