Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
308
Views
0
Helpful
3
Replies

Cisco ASA can't establish Site-to-Site VPN or ping outside, but servers inside (NAT'd) can?!

Sleedizzle36
Level 1
Level 1

‎12-12-2013 06:00 AM - edited ‎03-11-2019 08:17 PM

Hi,

I've got an issue where servers within an internal network connected to the ASA can access the internet (These are Dynamically NAT'd as expected).

However, when I try to ping from the ASAs outside interface to the internet, I can't - I also can't establish site-to-site VPN connectivity because of this also.

How on earth is it possible for a device on an inside network able to access the internet, but trying to directly from the interface it is NATing to, not functioning?

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎12-12-2013 06:24 AM

Hello,

from the ASAs outside interface to the internet, I can't -

Can you share the show run icmp (make sure you are permitting that traffic on the outside).

I also can't establish site-to-site VPN connectivity because of this also.

Why do you say that, I Mean ICMP traffic not being allowed is different than UDP 500 or NAT-T.

How on earth is it possible for a device on an inside network able to  access the internet, but trying to directly from the interface it is  NATing to, not functioning?

I would say because of the Deny ICMP rule

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Sleedizzle36
Level 1
Level 1
In response to Julio Carvajal

‎12-12-2013 06:56 AM

Hi Julio,

Ping works from CLI (icmp permit OUTSIDE) - However pinging from Packet Tracer results in an issue with an ACL (implicit, despite there being an active any any acl above this).

Again, the above ACL should be allowing the VPN to connect also?

Thanks,

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Sleedizzle36

‎12-12-2013 11:02 AM

Hello,

Do not rely on packet-tracer for everything .

So what's not working is the VPN.

Can u share ur config

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card