02-09-2014 10:31 PM - edited 03-11-2019 08:43 PM
Hi,
Referring to the topology below, I encounter a problem where I cannot reach Site B from Site A.
Below is the ping test performed.
FW_A (ASA5512-X)
1) Ping 10.60.186.69 >>> Success
2) Ping 192.168.88.2 >>> Success
3) Ping 192.168.88.6 >>> Success
4) Ping 10.60.187.1 >>> Fail
5) Ping 10.60.187.5 (Switch behind FW_B) >>> Success
RTR_A
* No access
RTR_B
1) Ping 192.168.88.6 >>> Success
2) Ping 10.60.187.1 >>> Fail
3) Ping 10.60.187.5 (Switch behind FW_B) >>> Success
FW_B (ASA5525-X)
1) Ping 192.168.88.5 >>> Success
2) Ping 192.168.88.1 >>> Success
3) Ping 10.60.186.70 >>> Success
4) Ping 10.60.186.81 >>> Success
5) Ping 10.60.186.85 (Switch behind FW_A) >>> Success
My main objective is to access FW_B 10.60.187.1 from LAN_A. Please advise what I need to check to be able to achieve this.
I was told that by default, I can only reach/access the ASA interface connected to my network. But if so, how am I able to reach the FW_A LAN interface from FW_B? Anyone mind clearing my doubts?
P/S: The link between Site A and Site B is an IPVPN link, thus no VPN configuration needed on both FW_A and FW_B. Just listed that network portion as VPN-zone.
Thank you.
Regards,
Danny
02-10-2014 01:01 AM
So you have a site to site VPN between FW_A and FW_B? Or is this an MPLS VPN setup? or something else?
Without seeing your configuration, by default you will not be able to ping the ASA inside interface over a site to site VPN. You will need to add the command management-access.
But the fact that you cannot ping the inside switch could point to either a crypto ACL problem or a routing problem, depending on what your setup is.
Could you please explain your setup in more detail so that we can assist you further.
--
Please remember to rate and select a correct answer
02-10-2014 01:07 AM
Marius,
It's just an IPVPN link by the provider, thus no VPN configuration done. Sorry for the confusion, but I was just naming that as VPN zone.
Firewall policies and routing should be correctly configured, because from RTR_B, I can ping across to the switch behind FW_B. It's just that I cannot ping to the FW_B LAN interface.
As for FW_A, I can ping all the hops up to FW_B 192.168.88.6, but cannot reach 10.60.187.1 (FW_B LAN) and 10.60.187.5 (Site B switch).
Regards,
Danny
02-10-2014 01:11 AM
Each hop along the path would need a route to FW_B LAN. Are you able to ping FW_B LAN from RTR_A?
--
Please remember to rate and select a correct answer
02-10-2014 01:25 AM
I don't have access to RTR_A, but from FW_A I can ping all the way to Site B switch. Hence, routing should be fine.
On both FWs the VPN zone security level is 50 and the LAN zone security level is 100. Is it the case that I can only ping the connected interface of the firewall? For example, FW_A can only reach as far as the FW_B VPN interface 192.168.88.6, and FW_B can only reach as far as the FW_A VPN interface 10.60.186.70? If yes, I'm wondering how come FW_B can ping the FW_A LAN interface.
Regards,
Danny
02-10-2014 02:06 AM
Is it supposed that I can only ping to the connected interface of the firewall?
No, this is not correct. The IPVPN configuration is done on the routers, so all traffic that enters the routers will be sent over the VPN network, which includes traffic from the ASAs.
If you add the following command, are you able to ping?
icmp permit any inside
Where inside is the name of the interface that you are trying to ping
--
Please remember to rate and select a correct answer
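The command suggested above controls ICMP sent to the ASA's own interfaces (to-the-box traffic), which is a separate thing from the access-lists that govern traffic passing through the firewall. The following is an added configuration example for this thread, not something posted by Marius or Danny, showing the broad form next to a narrower form that only admits echo requests from the two LAN prefixes named in the thread. The interface name "inside" and the /24 masks on 10.60.186.0 and 10.60.187.0 are assumptions; substitute the real nameif and prefixes.

```cisco
! Added example, not from the original thread. Applies on FW_B.
! "inside" and the /24 prefixes are assumptions taken from the addresses
! mentioned in the thread; adjust to the real nameif and LAN sizes.

! Broad form from the thread: any source may send any ICMP type to the
! interface named "inside".
icmp permit any inside

! Narrower form: only echo requests from LAN_A and LAN_B are answered,
! everything else to the box on that interface is dropped.
! ICMP rules are matched top-down; first match wins, so the deny goes last.
icmp permit 10.60.186.0 255.255.255.0 echo inside
icmp permit 10.60.187.0 255.255.255.0 echo inside
icmp deny any inside

! Caveat (documented ASA behaviour): the ASA only answers ICMP sent to the
! interface the packet arrives on. An echo from Site A reaches FW_B through
! its VPN-facing interface, so a rule on "inside" does not make 10.60.187.1
! reply to that traffic, while pings *through* FW_B to 10.60.187.5 are
! governed by access-lists and inspection instead.
```

When troubleshooting to-the-box reachability, `show running-config icmp` lists the rules in effect and `show logging` (with ICMP logging enabled) shows which rule dropped a request; if no ICMP rules exist at all, the interface answers any source, so an unexplained failure usually lies in the arriving-interface rule above or in routing rather than in the ICMP rule set.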
02-10-2014 05:02 PM
Tried that, but still not able to ping the FW_B LAN interface.
Regards,
Danny
02-11-2014 12:23 AM
Could you post the full configuration (sanitised, of course) of FW_A and FW_B, please? It is FW_B that is the interesting firewall, but I would like to compare the two configurations for myself.
Are the firewalls running different versions?
--
Please remember to rate and select a correct answer