09-08-2010 06:03 PM - edited 03-04-2019 09:42 AM
Hi
i replaced the cisco asa with a cisco 2811. Everything is working fine i am able to access the internet from inside and the IPSEC/VPN site to site tunnel is working well but, i am not able to ping the external (public addr) of the cisco router the circuit is up and i am able to ping the externa gateway.
regards
Logesh
09-08-2010 06:08 PM
Hello,
Do you have any access-list on the outside interface? If you do, can you
enable ICMP packets in the access-list?
Regards,
NT
09-08-2010 06:12 PM
Hi
the following line are been already configured to the router
interface FastEthernet0/0
ip access-group Incoming in
!
ip access-list extended Incoming
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any any eq 22
Regards
Logesh
09-08-2010 06:17 PM
Hello,
Can you please post the crypto access-lists here?
Regards,
NT
09-08-2010 06:22 PM
Hi
Why do you want the crypto access list
I dont see this issue is related with that access list
regards
Logesh
09-08-2010 06:26 PM
Hello,
One of the possibilities is that you have included all ICMP traffic in the
crypto ACL. If that is true, the return traffic gets encrypted.
Regards,
NT
09-08-2010 06:32 PM
Hi
No thats not incleded in the crypto traffic and moreover the same set of configuration is used else where and its working fine
Is there any other thing which need to to be checked for the ping to work
Regards
Logesh
09-08-2010 06:37 PM
Hello,
There is nothing specific that need to be checked. Do you see the hit counts
increasing on the interface access-list? Do you have any other firewall
setup on that router (ZBF, CBAC)?
Regards,
NT
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide