Hello,
I have a site-to-site VPN configured between 2 ASAs on 9.1.3. Everything is working apart from one thing. We have a management server that we use to SSH and poll devices. This server can't ping the inside of the ASA over the VPN, but can ping others I have configured; I must be missing a step. This server can ping devices on the inside LAN there though. I'm not sure if it is a NAT issue, as the ACLs look ok:

access-list outside_cryptomap extended permit ip object internal-10.103.10.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip 10.103.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_access_in extended permit icmp 10.103.10.0 255.255.255.0 any
object network Corp-Servers1
 subnet 10.100.1.0 255.255.255.0
object network Corp-NPM
 subnet 172.23.1.0 255.255.255.0
object network internal-10.103.10.0
 subnet 10.103.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object Corp-NPM
 network-object object Corp--Servers
object-group network DM_INLINE_NETWORK_2
 network-object object Corp-NPM
 network-object object Corp-Servers
nat (inside,any) source static internal-10.103.10.0 internal-10.103.10.0 destination static Corp-Servers Corp-2-Servers no-proxy-arp
!
object network obj_any
 nat (inside,outside) dynamic interface

The inside IP is 10.103.10.1 and the remote server is 10.100.1.35.

interface Vlan10
 nameif inside
 security-level 100
 ip address 10.103.10.1 255.255.255.0
management-access inside
ssh 10.100.1.35 255.255.255.255 inside

Currently I am using SSH to its outside interface, plus the ASDM works.
Any ideas?