I'm working with a client who has an ASA that has site-to-site IPSec VPN connections to both an Azure environment as well as a Rackspace environment. They can access either environment from the office, but servers in Azure are unable to ping to servers at Rackspace and vice versa. I've tried everything that I know of as well as everything I've found while searching but I still cannot get this to work. Any help is greatly appreciated. 


Pared down config:


ASA Version 8.4(3) 

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address ********** 
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address standby 
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address standby 
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
interface Management0/0
 no nameif
 no security-level
 no ip address
same-security-traffic permit intra-interface

object network RackSpace-network

object-group network azure-networks

object-group network onprem-networks
 network-object object
 network-object object

object-group network azure-onprem-networks

access-list inside_access_in extended permit ip object RackSpace-network 
access-list inside_access_in extended permit ip any object-group azure-networks 

access-list VPNsplitTunnelAcl standard permit 
access-list VPNsplitTunnelAcl standard permit 
access-list VPNsplitTunnelAcl standard permit 

access-list outside1_access_in extended permit ip object RackSpace-network 

access-list outside_cryptomap extended permit ip object-group onprem-networks object RackSpace-network
access-list outside_cryptomap extended permit ip object-group onprem-networks object RackSpace-network
access-list azure-vpn-acl extended permit ip object-group azure-onprem-networks object-group azure-networks 

nat (inside,outside) source static onprem-networks onprem-networks destination static RackSpace-network RackSpace-network

nat (inside,outside) source static azure-onprem-networks azure-onprem-networks destination static azure-networks azure-networks

nat (outside,outside) source static RackSpace-network RackSpace-network destination static azure-networks azure-networks

Andrew Phirsov
Rising star

I've been away a little bit, so this may be not so accurate.

Check that the crypto map on each remote location includes the subnet for the corresponding location in its crypto ACL, i.e. the crypto ACL at Rackspace should include an entry for the Azure subnet and vice versa. Then check the corresponding NAT-exemption entries on both sides.

Also, you should possibly enter the same-security-traffic permit intra-interface command on the central side.

Just the first things that came to my mind.
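As an added illustration of the checklist in this reply (not code from the thread or from Cisco), the script below parses a hub-ASA config and reports which of the three hairpin prerequisites are missing: the intra-interface permit, a crypto ACL entry on each tunnel that selects the other peer's networks, and an identity NAT (outside,outside) between the two remote networks. The object names mirror the ones in the question, but the subnets, the two sample configs and the mapping of ACL names to peers (outside_cryptomap for Rackspace, azure-vpn-acl for Azure) are assumptions, since the pared-down config does not show the crypto map lines.

```python
import re

# Constructed sample, modelled on the pared-down config in the question: the
# (outside,outside) identity NAT is present, but neither crypto ACL selects
# traffic arriving from the other peer, so Azure<->Rackspace traffic is never
# put into the second tunnel.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
object network RackSpace-network
 subnet 10.30.0.0 255.255.0.0
object-group network azure-networks
 network-object 10.20.0.0 255.255.0.0
object-group network onprem-networks
 network-object 10.10.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip object-group onprem-networks object RackSpace-network
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
nat (inside,outside) source static onprem-networks onprem-networks destination static RackSpace-network RackSpace-network
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
nat (outside,outside) source static RackSpace-network RackSpace-network destination static azure-networks azure-networks
"""

# Same constructed config with the two cross-peer crypto ACL entries added.
HAIRPIN_CONFIG = SAMPLE_CONFIG + """
access-list outside_cryptomap extended permit ip object-group azure-networks object RackSpace-network
access-list azure-vpn-acl extended permit ip object RackSpace-network object-group azure-networks
"""

# Only the ACL and twice-NAT forms used in the question are parsed.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(any|object\s+\S+|object-group\s+\S+)\s+"
    r"(any|object\s+\S+|object-group\s+\S+)$"
)
NAT_RE = re.compile(
    r"^nat\s+\((\S+),(\S+)\)\s+source\s+static\s+(\S+)\s+(\S+)\s+"
    r"destination\s+static\s+(\S+)\s+(\S+)$"
)


def _name(token):
    """'object X' / 'object-group X' -> 'X'; 'any' stays 'any'."""
    return token.split()[-1]


def parse_acl_entries(config):
    """Map ACL name -> list of (source, destination) object names."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((_name(m.group(2)), _name(m.group(3))))
    return acls


def parse_static_nat(config):
    """List of (in_if, out_if, src_real, src_mapped, dst_real, dst_mapped)."""
    return [m.groups() for m in (NAT_RE.match(l.strip()) for l in config.splitlines()) if m]


def check_hairpin(config, peer_a, peer_b, outside="outside"):
    """peer_a / peer_b are (crypto_acl_name, network_object_name) for the two
    spoke tunnels terminating on the hub. Returns a list of findings; an empty
    list means all three hairpin prerequisites are present."""
    findings = []
    if not re.search(r"^same-security-traffic permit intra-interface\s*$", config, re.M):
        findings.append("missing: same-security-traffic permit intra-interface")

    acls = parse_acl_entries(config)
    for (acl_here, net_here), (_, net_other) in ((peer_a, peer_b), (peer_b, peer_a)):
        # Traffic from the other peer must be selected into this peer's tunnel,
        # so this tunnel's crypto ACL needs src=other peer, dst=this peer.
        if (net_other, net_here) not in acls.get(acl_here, []):
            findings.append(f"missing in {acl_here}: permit ip {net_other} -> {net_here}")

    net_a, net_b = peer_a[1], peer_b[1]
    # A static twice-NAT identity rule is bidirectional, so either ordering of
    # the two networks satisfies the exemption.
    identity = [
        r for r in parse_static_nat(config)
        if r[0] == outside and r[1] == outside
        and r[2] == r[3] and r[4] == r[5]
        and {r[2], r[4]} == {net_a, net_b}
    ]
    if not identity:
        findings.append(f"missing: identity nat ({outside},{outside}) between {net_a} and {net_b}")
    return findings


if __name__ == "__main__":
    peers = (("outside_cryptomap", "RackSpace-network"), ("azure-vpn-acl", "azure-networks"))
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hairpin", HAIRPIN_CONFIG)):
        print(label, check_hairpin(cfg, *peers) or "ok")
```

On the Azure side the same two conditions have to hold on the peer you do not control: Microsoft's generated config must list the Rackspace subnet as an interesting-traffic selector, or the hub's crypto ACL entry alone will not bring up a child SA for that pair.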


Unfortunately I do not have much control over the Azure end of things. Microsoft spits out a config to connect to their endpoint in Azure and that's all you get. There is an actual ASA residing at Rackspace that can be configured how I want. I think it is just a NAT issue at the central office, as I can resolve IP addresses from end to end; I just cannot get a ping to go across and come back.

I do have the same-security-traffic permit intra-interface command set on the ASA at the central location.

