08-17-2018 01:45 AM - edited 02-21-2020 08:07 AM
Greetings.
I have a problem with a firewall. The outside interface has a private IP 192.168.1.1 (192.168.1.0/24); the inside interface has public IP 66.66.228.2 (66.66.224.0/21).
The equipment of the subnet 66.66.224.0/21 can connect to the internet (if the ACLs allow it), but the firewall itself (66.66.228.2) is not capable.
I am trying to create a site-to-site VPN with another site and the firewall cannot raise the tunnel because it cannot communicate with the other end.
Could you help me?
Thanks in advance.
Roberto Cervero.
*not the real IPs
08-17-2018 08:37 AM
Hi Roberto,
Can you confirm whether there is a MAC address entry on the ASA for the default gateway, as well as whether the machine having the gateway IP address has the MAC entry of the ASA against the IP address 66.66.228.2? On the ASA you can confirm the ARP entry with the help of the following command.
show arp
08-18-2018 08:24 PM
08-18-2018 09:21 PM
Your site-site VPN needs to connect to your ASA's outside address (or the NAT that the upstream gateway assigns to it).
You cannot connect a site-site VPN that is reached via the outside interface if it peers to the ASA inside address.
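The two replies above describe two checks: that the ASA has an ARP entry for its default gateway on the outside interface, and that the VPN peer is reached through the interface the crypto map is bound to. The script below is an added example (not code from the thread or from Cisco) that runs both checks over constructed data: a sample of `show arp` output using the thread's non-real addressing, an assumed default gateway of 192.168.1.254, an assumed routing table with the default route out of `outside`, and a constructed peer address 203.0.113.10. The parsing of `show arp` lines as `interface ip mac age` is the format the ASA prints; everything else is assumption.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of ASA `show arp` output: interface, IP, MAC, age.
# Addresses follow the thread's (non-real) example addressing; the gateway
# 192.168.1.254 is an assumption, as is the inside host list.
SHOW_ARP_SAMPLE = """\
        outside 192.168.1.254 0011.2233.4455 120
        inside 66.66.224.10 00aa.bbcc.ddee 3
        inside 66.66.225.7 00aa.bbcc.ddef 45
"""

# Constructed routing table: (prefix, egress interface). The default route is
# assumed to leave via the outside interface toward the upstream gateway.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "outside"),
    ("192.168.1.0/24", "outside"),
    ("66.66.224.0/21", "inside"),
]

ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+|-)\s*$",
    re.IGNORECASE,
)


class ArpEntry(NamedTuple):
    interface: str
    ip: str
    mac: str
    age: str


def parse_show_arp(text: str) -> List[ArpEntry]:
    """Parse `show arp` lines of the form: <interface> <ip> <mac> <age>."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append(ArpEntry(*m.groups()))
    return entries


def gateway_arp_check(entries: List[ArpEntry], gateway_ip: str,
                      expected_interface: str) -> Optional[str]:
    """Return None if the gateway resolved on the expected interface,
    otherwise a short description of what is wrong."""
    for e in entries:
        if e.ip == gateway_ip:
            if e.interface == expected_interface:
                return None
            return (f"gateway {gateway_ip} resolved on {e.interface}, "
                    f"expected {expected_interface}")
    return (f"no ARP entry for gateway {gateway_ip}; the ASA cannot reach "
            f"its next hop at layer 2")


def egress_interface(routes: List[Tuple[str, str]], dst_ip: str) -> str:
    """Longest-prefix match over the constructed routing table."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "none"


def vpn_peer_check(routes: List[Tuple[str, str]], peer_ip: str,
                   crypto_map_interface: str) -> Optional[str]:
    """The tunnel only forms if the peer is reached through the interface
    the crypto map is bound to (the outside interface in this thread)."""
    iface = egress_interface(routes, peer_ip)
    if iface != crypto_map_interface:
        return (f"peer {peer_ip} is routed via {iface}, but the crypto map "
                f"is bound to {crypto_map_interface}")
    return None


def run_checks() -> dict:
    """Run both checks against the constructed data; None means the check passed."""
    entries = parse_show_arp(SHOW_ARP_SAMPLE)
    return {
        "gateway": gateway_arp_check(entries, "192.168.1.254", "outside"),
        "peer": vpn_peer_check(ROUTES, "203.0.113.10", "outside"),
    }


if __name__ == "__main__":
    for name, problem in run_checks().items():
        print(f"{name}: {'ok' if problem is None else problem}")
```

Paste real `show arp` output into `SHOW_ARP_SAMPLE` and the actual routes into `ROUTES` to reproduce the checks; a peer address that falls inside 66.66.224.0/21 is reported as routed via `inside`, which is the condition the last reply warns about.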