I have a Cisco ASA 5505 which creates a VPN tunnel to a datacenter. When I try to ping a server in the DC from the ASA's inside interface, the ping is OK (like this: "ping ins SERVER-IP-ADDRESS").
But if I try to ping some host behind the ASA from this server, the ping fails. But the ping from the DC to the inside interface IP (10.33.0.1) is OK (the ASA's "management-access inside" command does that work; the ping fails if I delete this command).
I tried to apply an ACL to the inside interface with "icmp any any permit" but it doesn't make any difference. What's wrong?
Ping from the ASA to a host in 10.33.0.0/24 is OK. Then I made a capture and tested ICMP from a server in the 172.17.214.0/24 subnet to 10.33.0.0/24; I see the packets in the ASA's CLI (request, but not reply).
ASA# sh cry isa sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:11, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
1640376487 x.x.x.x x.x.x.x READY INITIATOR
      Encr: DES, Hash: SHA384, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 7200/1483 sec
Child sa: local selector  10.33.0.0/0 - 10.33.0.255/65535
          remote selector 172.17.0.0/0 - 172.17.255.255/65535
          ESP spi in/out:

access-list ACL-FROM-GIL42 remark traffic from Gil42
access-list ACL-FROM-GIL42 extended permit ip object-group GO-nets object inside-net
access-list ACL-FROM-GIL42 extended permit icmp object-group GO-nets object inside-net
access-list ACL-FROM-GIL42 extended permit icmp object inside-net object-group GO-nets
access-group ACL-FROM-GIL42 in interface inside

object-group network GO-nets
 network-object 172.16.0.0 255.240.0.0
object network inside-net
 subnet 10.33.0.0 255.255.255.0
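Added example, not part of the post above and not Cisco code: a small Python script that parses the child SA traffic selectors and the Encr value out of a `show crypto ikev2 sa` excerpt shaped like the one quoted above, then checks whether the tested flows (a DC server in 172.17.214.0/24 toward 10.33.0.0/24, and the echo reply back) fall inside the tunnel's selectors. The excerpt text, the sample hosts 172.17.214.10 and 10.33.0.50, and all function names are constructed for this example. It also flags DES, which this SA shows as its encryption algorithm, since DES is a deprecated cipher that should be replaced with AES in the IKEv2 policy and IPsec proposal on both peers.

```python
import ipaddress
import re

# Constructed excerpt modelled on the "sh cry isa sa" output quoted in the
# post (not a live capture; addresses and session id are illustrative).
SHOW_SA = """\
IKEv2 SAs:
Session-id:11, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
1640376487 x.x.x.x x.x.x.x READY INITIATOR
      Encr: DES, Hash: SHA384, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 7200/1483 sec
Child sa: local selector  10.33.0.0/0 - 10.33.0.255/65535
          remote selector 172.17.0.0/0 - 172.17.255.255/65535
"""

# Encryption algorithms that should not be used for an IPsec tunnel today.
WEAK_ENCR = {"DES", "3DES", "NULL"}

# "<side> selector <first-ip>/<low-port> - <last-ip>/<high-port>"
SELECTOR_RE = re.compile(
    r"(local|remote) selector\s+([\d.]+)/(\d+) - ([\d.]+)/(\d+)")


def parse_child_sa(text):
    """Return {'local': (first_ip, last_ip, lo_port, hi_port), 'remote': (...)}."""
    sel = {}
    for side, lo_ip, lo_port, hi_ip, hi_port in SELECTOR_RE.findall(text):
        sel[side] = (ipaddress.ip_address(lo_ip), ipaddress.ip_address(hi_ip),
                     int(lo_port), int(hi_port))
    return sel


def parse_encr(text):
    """Return the algorithm named after 'Encr:' in the IKE SA line, or None."""
    m = re.search(r"Encr:\s*([A-Za-z0-9-]+)", text)
    return m.group(1) if m else None


def _in_range(ip, rng):
    lo, hi, _, _ = rng
    return lo <= ip <= hi


def flow_covered(sel, src, dst):
    """True if src->dst lies inside the child SA in either direction:
    outbound (local->remote) or inbound from the peer (remote->local)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    outbound = _in_range(src, sel["local"]) and _in_range(dst, sel["remote"])
    inbound = _in_range(src, sel["remote"]) and _in_range(dst, sel["local"])
    return outbound or inbound


def check_tunnel(text, flows):
    """Per flow, whether the SA selectors cover it, plus a weak-cipher flag."""
    sel = parse_child_sa(text)
    report = {f"{s}->{d}": flow_covered(sel, s, d) for s, d in flows}
    report["weak_encr"] = parse_encr(text) in WEAK_ENCR
    return report


if __name__ == "__main__":
    # Echo request from the DC server and the reply from the inside host.
    flows = [("172.17.214.10", "10.33.0.50"), ("10.33.0.50", "172.17.214.10")]
    for name, value in check_tunnel(SHOW_SA, flows).items():
        print(f"{name}: {value}")
```

If both directions report True, the missing replies are not a selector (crypto ACL) problem and the capture should be repeated on the inside interface to see whether the host ever answers; a `weak_encr` of True is a separate finding to fix regardless of the ping result.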