ASA Tunnel up and passing traffic but Can't ping inside interface

We have an IPsec VPN tunnel between a Cisco ASA and a PA firewall. The tunnel is fully functional as far as passing traffic in both directions, but from the PA side I cannot ping the inside interface (the default gateway for the local networks) on the ASA, and we need to be able to do so. Below is the config:

 

ASA Version 9.1(7)23
!
hostname XXXXXXXXXXX
domain-name XXXXXXXXX
enable password XXXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.14.1 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.XX 255.255.255.248
!
boot system disk0:/asa917-23-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name XXXXXXXXXX
object network obj-10.100.0.0
subnet 10.100.0.0 255.255.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj-10.100.14.0
subnet 10.100.14.0 255.255.255.128
object network obj-10.100..0
object-group network DM_INLINE_NETWORK_1
network-object 10.100.6.0 255.255.255.0
network-object 10.100.95.0 255.255.255.192
network-object 10.100.5.0 255.255.255.0
access-list vpn extended permit ip 10.100.14.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.100.14.0 255.255.255.128 10.100.0.0 255.255.0.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-10.100.14.0 obj-10.100.14.0 destination static obj-10.100.0.0 obj-10.100.0.0 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic obj-0.0.0.0
object network obj-10.100.14.0
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 8080
http server idle-timeout 30
http 10.100.14.0 255.255.255.128 inside
http 10.100.95.0 255.255.255.0 inside
http 10.100.6.23 255.255.255.255 inside
http 71.181.12.192 255.255.255.224 outside
snmp-server host inside 10.100.5.114 poll community ***** version 2c
snmp-server host inside 10.100.5.40 poll community ***** version 2c
snmp-server host inside 10.100.95.50 community ***** version 2c
snmp-server location Arlington
snmp-server contact City IT
snmp-server enable traps syslog
snmp-server enable traps entity config-change
crypto ipsec ikev1 transform-set Trans1 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set Trans2 esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer XX.XX.XX.XXX
crypto map vpnmap 10 set ikev1 transform-set Trans2
crypto map vpnmap 10 set security-association lifetime seconds 14400
crypto map vpnmap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh 10.100.6.23 255.255.255.255 inside
ssh 10.100.95.0 255.255.255.0 inside
ssh 10.100.5.34 255.255.255.255 inside
ssh 10.100.14.0 255.255.255.128 inside
ssh XX.XX.XX.XXX 255.255.255.224 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 10.100.5.11 10.100.6.4
dhcpd lease 7200
!
dhcpd address 10.100.14.50-10.100.14.81 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password Eoye1oGYHaZPfpfC encrypted
tunnel-group XX.XXX.XX.XXX type ipsec-l2l
tunnel-group XX.XXX.XX.XXX ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83cda4102f25185d01dd356ebbe8cc5f
: end

Cisco Employee

Re: ASA Tunnel up and passing traffic but Can't ping inside interface

Hi dbuckley77,

In order to get a response from the interface at the other end of the tunnel (ASA) you need to add the following command:

management-access inside

Hope this info helps!!

Rate if it helps you!!

-JP-
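The full change and the checks that go with it, as an added example that is not part of the reply above. It uses the addresses from the posted config (inside interface 10.100.14.1/25, remote subnets 10.100.5.0/24, 10.100.6.0/24 and 10.100.95.0/26) and assumes a remote test host of 10.100.5.114, taken from the posted snmp-server lines; the PAN-OS ping syntax in the comment is an assumption about the remote side. Two things are worth confirming rather than assuming: the `vpn` crypto ACL and the `inside_nat0_outbound` exemption must cover the interface address itself (both already do here, because 10.100.14.0/25 contains 10.100.14.1), and only one interface can be designated for management access at a time.

```cisco
! Added example, not from the original reply. Assumes the posted config and a
! remote test host of 10.100.5.114 (assumption, from the snmp-server lines).
!
! 1. Allow to-the-box traffic (ping, SSH, ASDM) to reach the inside interface
!    address when it arrives through the VPN tunnel. Only one interface can be
!    designated; a second management-access line replaces the first.
configure terminal
 management-access inside
end
!
! 2. Confirm the command took, and that interesting traffic and NAT exemption
!    still include the interface address (10.100.14.0/25 covers 10.100.14.1).
show running-config management-access
show running-config access-list vpn
show running-config nat
!
! 3. If an interface ICMP policy is ever added (none exists in the posted
!    config, so all ICMP to the interface is allowed by default), the remote
!    subnets must be permitted explicitly or the ping will fail again:
!    icmp permit 10.100.5.0 255.255.255.0 inside
!    icmp permit 10.100.6.0 255.255.255.0 inside
!    icmp permit 10.100.95.0 255.255.255.192 inside
!
! 4. From the Palo Alto side, ping the ASA inside address with a source inside
!    the tunnel's local subnet (PAN-OS CLI, assumed syntax):
!    ping source 10.100.5.114 host 10.100.14.1
!    then check on the ASA that the decapsulation counters for the matching
!    SA move, which proves the echo requests are arriving through the tunnel.
show crypto ipsec sa
```

If the counters move but there is still no reply, the problem is on the ASA's side of the tunnel (management-access or the interface ICMP policy); if they do not move, the PA is not sending the ping into the tunnel and the fix belongs in the Palo Alto proxy-ID or routing configuration rather than on the ASA.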