Can't ping ASA 5510 inside interface

bc4switch
Level 1

Hello, everyone,

I ran into a very strange ICMP ping issue that I could not seem to understand; I hope someone can provide a troubleshooting tip on this. The network has been working fine other than the issue listed below. L2L VPN works fine and all three data centers can access each other via L2L VPN.


I have three ASA5510:

     asa10
          Location: datacenter10
          Inside IP: 10.10.10.254
          L2LVPN:  asa10TOasa20, asa10TOasa30

     asa20
          Location: datacenter20
          Inside IP: 10.20.20.254
          L2LVPN:  asa10TOasa20, asa10TOasa30

     asa30
          Location: datacenter30
          Inside IP: 10.30.30.254
          L2LVPN:  asa10TOasa20, asa10TOasa30

Other than global IP addresses and subnet IP addresses, the run configs are pretty much the same.

Problems:

From network 10.10.10.0, can ping 10.10.10.254, 10.20.20.254
Can't ping 10.30.30.254

From network 10.20.20.0, can ping 10.10.10.254, 10.20.20.254
Can't ping 10.30.30.254

From network 10.30.30.0, can ping 10.20.20.254, 10.30.30.254
Can't ping 10.10.10.254

Please help by providing your insights or troubleshooting tips. My customer would not allow me to post configs.

Thanks.


1 Accepted Solution

Simerjeet Singh
Cisco Employee

Assuming that you have the VPN config in place, please ensure that you have the following configured in the config mode on asa30:

man inside

Where "inside" is the name of the interface you are trying to ping.




Sent from Cisco Technical Support Android App


5 Replies

Paul Preston
Level 1

Hi Bin,

I have spent hours trying to resolve it first time...

In my case the issue was with dynamic NAT. When you use an object definition for PAT, please use a range (excluding the IP of the firewall) as opposed to a subnet.

Let me know if that helps.

Kind Regards,

--
Paul Preston
Proxar IT Ltd. Registered in England and Wales: 6744401- VAT: 942985479
Tubs Hill House, London Road, Sevenoaks, Kent, TN13 1BL
Tel:  (+44) 0844 809 4335
Fax: (+44) 01732 468 574
Mob: (+44) 077 9509 3450
Web: www.proxar.co.uk
Email: paul.preston@proxar.co.uk

Julio Carvajal
VIP Alumni

Hello Bin,

Add the route-lookup to the NAT statement.

Without configs we are blind.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks. "man inside" did work.

But do you have to do this for L2L VPN? I mean is "man inside" a required configuration?

Thanks.

Simerjeet Singh
Cisco Employee

Bin, it is only required if you have management traffic directed towards the interface over the VPN tunnel.

Regards,
Sim.

Please mark resolved questions as "Answered"


Sent from Cisco Technical Support Android App
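
The two suggestions from this thread (route-lookup on the NAT statement and "man inside", the abbreviated form of management-access inside) combined into one configuration fragment for asa30. This is an added example, not taken from any poster or from the customer's configuration. Assumptions: ASA 8.3+ NAT syntax, /24 masks on the three networks, an outside interface named "outside", and hypothetical object names.

```text
! Added example. Object names, /24 masks and the "outside" interface
! name are assumptions; only the network addresses come from the thread.
object network DC30-LAN
 subnet 10.30.30.0 255.255.255.0
object network DC10-LAN
 subnet 10.10.10.0 255.255.255.0
object network DC20-LAN
 subnet 10.20.20.0 255.255.255.0
object-group network REMOTE-DC-LANS
 network-object object DC10-LAN
 network-object object DC20-LAN
!
! Identity NAT (NAT exemption) for traffic between the local LAN and the
! remote LANs. route-lookup tells the ASA to pick the egress interface
! from the routing table rather than from the NAT rule, which is needed
! when the destination is the ASA's own inside address (10.30.30.254).
nat (inside,outside) source static DC30-LAN DC30-LAN destination static REMOTE-DC-LANS REMOTE-DC-LANS no-proxy-arp route-lookup
!
! Let management traffic that arrived through the VPN tunnel on the
! outside interface terminate on the inside interface address.
management-access inside
!
! Verification
show running-config management-access
show running-config nat
```

Only one interface can be designated with management-access, so choose it deliberately. The command covers ping as well as SSH, ASDM and SNMP, but those services still need their own permit statements (for example ssh and http entries for the remote subnets) before they answer across the tunnel.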
