ASA 5505 l2l to ASA5505 VPN pinging issue.

keithtuttle
Level 1

I have an ASA5505 to ASA5505 L2L tunnel up and running with no problem.  One side has network 192.168.1.x and the other side has 192.168.2.x.

My issue is that I can ping from the 192.168.2.x to the 192.168.1.x with no problem.  However, I can't ping from 192.168.1.x to 192.168.2.x.

Here is the config with packet tracer:

I am getting an acl-drop:

1 Accepted Solution

Hi,

Do both ASAs have ICMP inspection enabled?

By default it should be possible to enable it using

fixup protocol icmp

Make sure that either ASA doesn't have the following setting enabled on the ASA

no sysopt connection permit-vpn

If it is enabled, then you will have to open the ICMP traffic on the "outside" ACL.

There aren't really many things on the ASA itself that should block ICMP.

- Jouni
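
The two checks from the answer above, written as a small audit over saved running-config text. This is an added example, not part of the original thread; the sample configs and the ACL name outside_access_in are constructed, and the ACL check is simplified to "any permit icmp/ip entry exists" rather than matching the two subnets.

```python
import re

# Constructed running-config fragments for illustration (not from the thread).
SAMPLE_BLOCKED = """\
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 3389
access-group outside_access_in in interface outside
no sysopt connection permit-vpn
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
"""
SAMPLE_OK = """\
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
service-policy global_policy global
"""

def audit_icmp_over_vpn(config, interface="outside"):
    """Return findings that explain why ping across the L2L tunnel may fail."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    # Check 1: ICMP inspection. "fixup protocol icmp" is stored by current
    # ASA software as "inspect icmp" under the inspection policy.
    if "inspect icmp" not in lines:
        findings.append("ICMP inspection is not enabled")
    # Check 2: "sysopt connection permit-vpn" is the default and is not shown;
    # only the "no" form appears, and then interface ACLs apply to VPN traffic.
    if "no sysopt connection permit-vpn" in lines:
        bound = re.compile(rf"access-group (\S+) in interface {re.escape(interface)}$")
        acls = {m.group(1) for m in map(bound.match, lines) if m}
        permits = [
            line for line in lines
            if any(re.match(rf"access-list {re.escape(a)} extended permit (icmp|ip) ", line)
                   for a in acls)
        ]
        if not permits:
            findings.append(f"permit-vpn is disabled and no ACL on {interface} permits ICMP")
    return findings

if __name__ == "__main__":
    for name, cfg in (("blocked", SAMPLE_BLOCKED), ("ok", SAMPLE_OK)):
        print(name, audit_icmp_over_vpn(cfg))
```

Run it against the saved configuration of each ASA, since either side can drop the echo or the reply.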

5 Replies

Jouni Forss
VIP Alumni

Hi,

You are using a wrong source address in the "packet-tracer" command.

You are using as a source address an IP address that's located at the remote site. Not an IP address of the local site.

- Jouni

Yes, you are correct....

I made the adjustment and the packet tracer goes through, but I can't figure out why I can't ping?

Any ideas?

I added fixup protocol icmp

Still no luck.

I am not able to RDP.

I am able to RDP....

We are all good now.
