
ASA VPN Client verification can't ping inside interface

michael murphy
Level 1

I have a VPN client tunneled in but all the inside devices have a different def gw until we test the ASA. The VPN client can't PING the inside ASA interface. How can I make this work to test / verify the tunnel?

5 Replies

joneschw1
Level 1

I do not believe you can ping the gateway under any circumstance. I know there has been talk about needing that functionality, I just haven't followed it closely enough to know if 7.x has introduced the feature. Why not just change a printer's default gateway or something and try the ping test? Or stick an old box up and use the new DG.

yongl
Level 1

Hi,

You can configure 'management-access inside' if you want to ping the ASA inside interface IP over the IPSec tunnel.

I tried configuring management-access inside but I get a message to remove management access first (it's set for outside). Since I SSH into the PIX from outside, I don't want to remove management-access from outside. Can't I have management access on both inside and outside? What's my option here? Thanks.

Hi,

'management-access' is used for a user to manage the firewall over an IPSec tunnel. Do you want to enable ssh over IPSec or ssh directly to the PIX?

Please refer to the command usage from:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/mr.htm#wp1531255

I got the connection to work but I CAN'T PING the remote VPN site. My internal LAN is .35, my VPN client addr is 10.1.1.1 and the site-site VPN remote off the same ASA is .35. Do I need a static route to the .35 network and what would I use for my next hop address? How do I point it out the site-site VPN?