03-23-2010 03:25 AM - edited 03-11-2019 10:24 AM
Hi
We have two ASAs. One on Site A (ASA 5510) and one on Site B (ASA 5505).
I have a VPN Site to Site tunnel connecting both sites which is working away fine. Users on the remote site can access servers here on Site A.
My problem is that from Site A I am unable to ping any PCs on Site B or RDP to them. It is essential for our IT Helpdesk to be able to RDP to these machines.
Our internal network on Site A has a 10.255.0.0 255.255.0.0 range. And the remote network has a 192.168.1.0 255.255.255.0 range.
I will upload both configs and maybe someone can shed some light as to why I can't ping or RDP to the remote machines.
Thanks
03-23-2010 04:52 AM
On site B, please remove the following line:
nat (outside) 0 access-list outside_nat0_outbound
And perform "clear xlate" after removing the above.
On site B, please also add the following:
policy-map global_policy
class inspection_default
inspect icmp
Hope that helps.
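The NAT exemption and ICMP inspection that this reply describes, written out as an added ASA configuration example for the Site B (5505) unit; this is not either poster's config. The access-list name inside_nat0_outbound and the subnets are taken from the thread, the pre-8.3 NAT syntax is assumed to match the version in use.

```cisco
! Site B ASA (5505), pre-8.3 NAT syntax (assumed to match the thread).
! Exempt LAN-to-LAN VPN traffic from NAT on the inside interface only.
! A nat (outside) 0 entry is not needed for this and is what the reply removes.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
! Inspect ICMP so echo replies from 192.168.1.x are tracked as state and
! allowed back to Site A instead of being dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
! Decrypted VPN traffic bypasses the interface ACLs (default, shown for clarity).
sysopt connection permit-vpn
! Checks from the CLI after the change: drop existing translations, confirm
! the NAT lines, then watch ICMP while pinging a Site B host.
clear xlate
show run nat
debug icmp trace
```

The same ICMP inspection can be enabled from ASDM under Service Policy Rules, as described further down the thread.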
03-23-2010 05:06 AM
When I say
no nat (outside) 0 access-list outside_nat0_outbound I get the following error
ERROR: access-list outside_nat0_outbound not bound nat 0
Any ideas?
03-23-2010 05:10 AM
Strange, because that statement is in your configuration on site B.
What does the output "sh run nat" show you?
If it's not showing that particular line, try "clear xlate" and see if you can RDP or ping to site B.
You might also want to check if "windows firewall" or other PC's firewall is turned on because sometimes they block incoming ping/connection.
Are you able to ping 192.168.1.1 from site A?
03-23-2010 05:16 AM
This is what I have when I run sh nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
Actually when I ping 192.168.1.1 I do get replies, I hadn't tried that until now.
If I try to ping a PC called sph-comp-164 IP 192.168.1.21 on Site B I get Request Timed Out.
All PCs on that end have firewalls disabled.
Thanks!
03-23-2010 05:18 AM
Have you added this on site B:
policy-map global_policy
class inspection_default
inspect icmp
03-23-2010 05:23 AM
03-23-2010 05:29 AM
If you are on ASDM, please enable it through the following:
Configuration --> Firewall --> Service Policy Rules --> highlight and edit the "inspection_default" rule --> go to "Rule Actions" tab --> enable "ICMP" --> OK --> Apply
03-23-2010 05:39 AM
03-23-2010 05:46 AM
What IP address does 62.77.180.162 belong to?
Does 192.168.1.21 actually respond to ping?
If you go to command line, and run "debug icmp trace" and ping, what are you seeing?
Also can you please run "sh run all sysopt" and share the output.
03-23-2010 06:26 AM
That IP address belongs to an external email hosting company that we use and they come through the ASA on Site A. I blanked that out of Site A's config. Just not sure why it is appearing on Site B's ASA.
When I ping 192.168.1.21 I simply get request timed out.
Here is the result from sysopt.
Unfortunately the ASDM won't allow me to run debug commands from it.
03-23-2010 02:35 PM
As far as the configuration on site B is concerned, it seems to be correct.
You might want to try pinging other ip addresses in the 192.168.1.x subnet. If you can ping the ASA inside interface 192.168.1.1 that means the crypto configuration is correct and the ping actually does come from site A towards site B.
Seems to be something local to your LAN subnet.
If you have a switch with an SVI on the 192.168.1.x subnet, try to ping that and see if it works. Normally network devices like switches or routers reply to ping if no access-list is blocking it.