1199 Views | 0 Helpful | 2 Replies
Cisco ASA denied ping from one host to another in VPN tunnel.

SKSoglasye (Level 1)

I have a Cisco ASA 5505 which creates a VPN tunnel to a datacenter. When I try to ping a server in the DC from the ASA's inside interface, the ping is OK (like this: "ping ins SERVER-IP-ADDRESS").

But if I try to ping some host behind the ASA from this server, the ping fails. But the ping from the DC to the inside interface IP (10.33.0.1) is OK (the ASA's "management-access inside" command does that work; the ping fails if I delete this command).

I tried to apply an ACL to the inside interface with "icmp any any permit" but it doesn't give any result. What's wrong?

Ping from the ASA to a host in 10.33.0.0/24 is OK. Then I made a capture and tested ICMP from a server in the 172.17.214.0/24 subnet to 10.33.0.0/24; I see packets in the ASA's CLI (request, but not reply).

 

ASA# sh cry isa sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:11, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
1640376487   x.x.x.x     x.x.x.x      READY    INITIATOR
      Encr: DES, Hash: SHA384, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 7200/1483 sec
Child sa: local selector  10.33.0.0/0 - 10.33.0.255/65535
          remote selector 172.17.0.0/0 - 172.17.255.255/65535
          ESP spi in/out:   

access-list ACL-FROM-GIL42 remark traffic from Gil42
access-list ACL-FROM-GIL42 extended permit ip object-group GO-nets object inside-net
access-list ACL-FROM-GIL42 extended permit icmp object-group GO-nets object inside-net
access-list ACL-FROM-GIL42 extended permit icmp object inside-net object-group GO-nets

access-group ACL-FROM-GIL42 in interface inside

object-group network GO-nets
 network-object 172.16.0.0 255.240.0.0
object network inside-net
 subnet 10.33.0.0 255.255.255.0
2 Replies

Dennis Mink (VIP Alumni)

Can you explicitly add permit icmp from the remote to the local subnet? Have the same added on both VPN peers.

GRANT3779 (Spotlight)

Hi there,

Are you inspecting ICMP as part of your service policy?

Can we see the output from:

show run policy-map

sh run service-policy

Under the policy-map try adding inspect icmp, e.g.:

policy-map global_policy
 class inspection_default
  inspect icmp
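As an added example (not from this thread or from Cisco), here is a small Python checker that parses an ASA running-config excerpt and reports whether the two things suggested in the replies are present: an explicit "permit icmp" entry in the inside ACL and "inspect icmp" under the global policy-map. The sample config is constructed from the question's objects and ACL plus a default policy-map that does not inspect ICMP; the ACL and policy-map names are taken from the thread.

```python
# Added example (not from the thread): check an ASA config excerpt for the two
# things the replies above ask about. The sample config is constructed from the
# question's ACL/objects plus a default policy-map that does not inspect ICMP.
import re

SAMPLE_CONFIG = """\
object-group network GO-nets
 network-object 172.16.0.0 255.240.0.0
object network inside-net
 subnet 10.33.0.0 255.255.255.0
access-list ACL-FROM-GIL42 extended permit icmp object-group GO-nets object inside-net
access-list ACL-FROM-GIL42 extended permit icmp object inside-net object-group GO-nets
access-group ACL-FROM-GIL42 in interface inside
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
service-policy global_policy global
"""

def parse_policy_inspections(config):
    """Map each policy-map name to the set of protocols it inspects."""
    result, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^policy-map (\S+)", line)
        if head:
            current = head.group(1)
            result[current] = set()
            continue
        if not line.startswith(" "):      # an unindented line ends the block
            current = None
        elif current:
            insp = re.match(r"^\s+inspect (\S+)", line)
            if insp:
                result[current].add(insp.group(1))
    return result

def icmp_permits(config, acl_name):
    """Return (src, dst) pairs from 'permit icmp' ACEs in the named ACL."""
    pat = rf"^access-list {re.escape(acl_name)} extended permit icmp (\S+ \S+) (\S+ \S+)"
    return [m.groups() for l in config.splitlines() if (m := re.match(pat, l))]

def check(config, acl_name="ACL-FROM-GIL42", policy="global_policy"):
    """Return findings; an empty list means both suggestions are already in place."""
    findings = []
    if "icmp" not in parse_policy_inspections(config).get(policy, set()):
        findings.append(f"no 'inspect icmp' under policy-map {policy}; echo replies rely on the ACL")
    if not icmp_permits(config, acl_name):
        findings.append(f"{acl_name} has no explicit 'permit icmp' entry")
    return findings
```

Run check(SAMPLE_CONFIG) to see the missing-inspection finding; adding "inspect icmp" under the class clears it.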
