Can't ping ASA5505 over IPSEC VPN 8.2(5)

Jeff M · ‎02-27-2013

Hi, I'm a CIsco ISR, not an ASA guy. Setting up my first ASA, which seems to be going well.

I've setup an IPSEC VPN to a non Cisco device. And have connectivity between devices in each subnet.

Subnet A - non Cisco - 10.10.13.0/24

Subnet B - ASA 5505 - 192.168.2.0/24 (ASA is .254)

From Subnet A I can ping every device except the ASA on .254.

I know it must be something obvious, but I can't seem to figure out what is happening here.

Edited Config attached, IP's changed for privacy, passwords removed.Let me know if I've removed too much of the config.

Andrew Phirsov · ‎02-27-2013

That's security feature. You shouldn't be able to ping ASA's interface ip address from a subnet, connected throug the other interface. So, for example, you can't ping outside interface's ip address from inside even if acl's and policies permit traffic throug the device.

In your case you can have access to the asa's inside interface through vpn-tunnel for management purposes (asdm, ssh, etc) if you enter command management-access inside from the global config mode. But i'm not sure that you'll be able to ping that interface.

Jeff M · ‎02-28-2013

Is there any way to turn this off? I've got a RADIUS server at the main site (non Cisco) that I'd like the ASA to authenticate against.

James Leinweber · ‎02-28-2013

> Is there any way to turn this off?

No.

Cisco firewalls don't allow "inside" ping, exiting from the firewall outbound to one of its own interfaces. They only allow "outside" ping, approaching inbound on an interface.

Conceptually, the IPSEC tunnel terminates on the firewall past the outside interface, and from there you can't ping any of the firewall interfaces.

The exception is an interface designated for management access. That one you would be able to ping from both sides. You ought to be able to do RADIUS with such an interface, I would think.

-- Jim Leinweber