ASA Tunnel up and passing traffic but Can't ping inside interface

We have an ipsec vpn tunnel between a Cisco ASA and PA firewall.  The tunnel is fully functional as far as passing traffic in both directions, but from the PA side I cannot ping the inside interface (default gateway for local networks) on the ASA and we need to be able to do so.  Below is the config:


ASA Version 9.1(7)23
domain-name XXXXXXXXX
enable password XXXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.XX
boot system disk0:/asa917-23-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name XXXXXXXXXX
object network obj-
object network obj_any
object network obj-
object network obj-
object network obj-10.100..0
object-group network DM_INLINE_NETWORK_1
access-list vpn extended permit ip object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj- obj- destination static obj- obj- no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic obj-
object network obj-
nat (inside,outside) dynamic interface
route outside XX.XX.XX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 8080
http server idle-timeout 30
http inside
http inside
http inside
http outside
snmp-server host inside poll community ***** version 2c
snmp-server host inside poll community ***** version 2c
snmp-server host inside community ***** version 2c
snmp-server location Arlington
snmp-server contact City IT
snmp-server enable traps syslog
snmp-server enable traps entity config-change
crypto ipsec ikev1 transform-set Trans1 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set Trans2 esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer XX.XX.XX.XXX
crypto map vpnmap 10 set ikev1 transform-set Trans2
crypto map vpnmap 10 set security-association lifetime seconds 14400
crypto map vpnmap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh inside
ssh inside
ssh inside
ssh inside
ssh XX.XX.XX.XXX outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns
dhcpd lease 7200
dhcpd address inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password Eoye1oGYHaZPfpfC encrypted
tunnel-group XX.XXX.XX.XXX type ipsec-l2l
tunnel-group XX.XXX.XX.XXX ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
profile CiscoTAC-1
no active
destination address http
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end

Cisco Employee

Re: ASA Tunnel up and passing traffic but Can't ping inside interface

Hi dbuckley77,


In order to get a response from the interface at the other end of the tunnel (ASA), you need to add the following command:


management-access inside


Hope this info helps!!


Rate if it helps you!!
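The command in the answer above makes the inside interface address answer from across the tunnel, but it also means the `ssh` and `http` permit lines on that interface now decide which remote networks can reach the ASA's management services through the VPN. The following is an added example, not code from the thread or from Cisco: a small Python audit that reads an ASA-style running config, reports whether `management-access` is set, and lists which management permit lines on that interface admit sources outside its own subnet or are open to any source. The sample config is constructed (RFC 5737 documentation addresses, not the poster's redacted values) and the `parse_config`/`audit` function names are my own.

```python
"""Audit an ASA running-config for management reachability over a VPN tunnel.

Added example, not from the forum thread: checks whether `management-access
<nameif>` is present and which ssh/http/telnet permit lines then apply to
that interface, so that enabling the fix does not silently expose admin
services to every network behind the peer.
"""
import re
from ipaddress import ip_interface, ip_network

# Constructed sample config; addresses are RFC 5737 documentation ranges,
# not the poster's redacted values.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
management-access inside
http server enable 8080
http 192.0.2.0 255.255.255.0 inside
http 10.100.0.0 255.255.0.0 inside
ssh 192.0.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5
"""

NAMEIF_RE = re.compile(r"^\s+nameif (\S+)$")
ADDR_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
# "<service> <source-ip> <mask> <nameif>" permit lines for the management daemons
ALLOW_RE = re.compile(r"^(ssh|http|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_config(text):
    """Return (mgmt_ifc, {nameif: ip_interface}, [(service, network, nameif)])."""
    mgmt_ifc = None
    interfaces = {}
    rules = []
    block = None  # attributes of the interface block currently being read

    def commit():
        if block and "nameif" in block and "addr" in block:
            interfaces[block["nameif"]] = block["addr"]

    for line in text.splitlines():
        if line.startswith(" "):
            # indented line: sub-command of the current interface block, if any
            if block is None:
                continue
            m = NAMEIF_RE.match(line)
            if m:
                block["nameif"] = m.group(1)
            m = ADDR_RE.match(line)
            if m:
                block["addr"] = ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        commit()  # a top-level line ends any open interface block
        block = None
        if line.startswith("interface "):
            block = {}
        elif line.startswith("management-access "):
            mgmt_ifc = line.split()[1]
        else:
            m = ALLOW_RE.match(line)
            if m:
                svc, ip, mask, ifc = m.groups()
                rules.append((svc, ip_network(f"{ip}/{mask}", strict=False), ifc))
    commit()
    return mgmt_ifc, interfaces, rules


def audit(text):
    """Summarise what becomes reachable on the management-access interface."""
    mgmt_ifc, interfaces, rules = parse_config(text)
    report = {"management_access": mgmt_ifc, "address": None,
              "open_to_any": [], "remote_sources": {}}
    if mgmt_ifc is None or mgmt_ifc not in interfaces:
        return report  # nothing answers across the tunnel, or nameif is unknown
    local = interfaces[mgmt_ifc]
    report["address"] = str(local.ip)
    for svc, net, ifc in rules:
        if ifc != mgmt_ifc:
            continue
        if net.prefixlen == 0:
            report["open_to_any"].append(svc)
        elif not net.subnet_of(local.network):
            # permitted source is not on the interface's own subnet, so it
            # reaches the address only through the tunnel (or another route)
            report["remote_sources"].setdefault(svc, []).append(str(net))
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the sample, the audit reports `management-access inside` with address 192.0.2.1, flags `ssh` as open to any source because of the `ssh 0.0.0.0 0.0.0.0 inside` line, and lists 10.100.0.0/16 as a remote network allowed to reach HTTP on the inside address. Replace `SAMPLE_CONFIG` with the output of `show running-config` to check a real device; the parser only understands the interface, `management-access` and ssh/http/telnet permit lines, and ignores everything else.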