Cisco ASA 5505 Site-To-Site VPN

b_peacock28
Level 1

Hi Cisco Community.

I have a site-to-site VPN set up using an ASA 5505 (remote) and a Checkpoint firewall managed by a third party (head office). I cannot ping either the external interface or the internal interface of the remote firewall. From the remote location, I am able to ping and connect to devices located at head office. Unfortunately, at this moment in time I only have the firewall at the remote site, so I cannot try and ping anything else behind it.

I am concerned as we will be replicating data and syncing between the two so communication between the two locations needs to be bi-directional.

I think that I have configured ICMP to be allowed at the remote end, and the third party managing the head office firewall say they are allowing it through too. The interesting thing is that I can ping the router that the ASA at the DR site is connected to (its route outside) and I am getting a response, so ICMP is indeed getting back through. I'm just wondering if there is anything I have overlooked on the configuration of the ASA?

Any help would be greatly appreciated. The running configuration is attached below. Thanks in advance to anyone who may be able to help.

xxxxx# show run
: Saved
:
ASA Version 8.2(5)
!
hostname xxxxx
domain-name xxxxx
enable password 9tc.bMMQOdcEzWlK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.4.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM-INLINE-SERVICE
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group network VPN-REMOTE
 network-object 192.168.1.0 255.255.255.0
object-group protocol PROTOCOL-LIST
 protocol-object ip
 protocol-object icmp
 protocol-object pim
 protocol-object pcp
 protocol-object snp
 protocol-object udp
 protocol-object igmp
 protocol-object ipinip
 protocol-object gre
 protocol-object esp
 protocol-object ah
 protocol-object tcp
 protocol-object eigrp
 protocol-object ospf
 protocol-object igrp
 protocol-object nos
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-access-in extended permit ip any any
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 any
access-list inside-access-in extended permit icmp any any
access-list outside-access-in extended permit object-group DM-INLINE-SERVICE any any
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside-nat0-outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside-access-in in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 outside
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside-map 1 match address outside-1-cryptomap
crypto map outside-map 1 set peer xxx.xxx.xxx.xxx
crypto map outside-map 1 set transform-set ESP-3DES-SHA
crypto map outside-map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Admin password LUZB8j2zj03xvSeF encrypted
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bf3a098c48cf6ef8da2568a489ecc903
: end


6 Replies

Jennifer Halim
Cisco Employee

I assume that your firewall inside interface is plugged into something to show that the interface is actually UP.

If the interface is UP, you would need to add "management-access inside" to be able to ping the ASA inside interface from HQ.

Hi Jennifer.

After adding the management-access inside command I can now ping the internal IP address of the ASA from Head Office.

However, I cannot ping my laptop (192.168.4.100), which is connected to the ASA, from Head Office.

Do you have Windows Firewall or any other host firewall on your laptop that might be preventing inbound ping from a different subnet?

Unfortunately no; Windows Firewall is turned off and I use Security Essentials as my antivirus.

Try to configure the following:

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

Hi Jennifer.

Thanks for the above response. Fortunately we have it working now; it turns out it was something to do with the NAT being carried out on the third-party firewall at HQ. They disabled it and traffic is now flowing bi-directionally through the VPN tunnel.

Thank you for your time.
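As an added example (not code from this thread or from Cisco), the script below audits an ASA 8.2 config excerpt for the three points raised here: crypto-map traffic that the nat 0 ACL does not exempt from NAT, the presence of management-access inside, and inspect icmp in the global policy. It assumes the documentation address 203.0.113.10 in place of the masked HQ host, and uses the suggested lines from the thread to show the checks passing after the fix.

```python
import re

# Constructed excerpt of the ASA 8.2(5) config posted above; the masked HQ host
# address is replaced with a documentation address (203.0.113.10), an assumption.
POSTED_CONFIG = """\
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 host 203.0.113.10
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside-nat0-outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside-map 1 match address outside-1-cryptomap
"""
# The two additions suggested in the thread, so the checks can be shown passing.
SUGGESTED_FIX = """\
management-access inside
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$")

def acl_flows(config, name):
    """(source, destination) pairs permitted by the named ACL's 'permit ip' lines."""
    flows = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            flows.add((m.group(2), m.group(3)))
    return flows

def unexempted_vpn_flows(config):
    """Crypto-map flows missing from the nat 0 ACL. ASA 8.2 translates before it
    evaluates the crypto ACL, so such a flow is PATed by 'nat (inside) 1' instead."""
    crypto = re.search(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    if not crypto or not nat0:
        return set()
    return acl_flows(config, crypto.group(1)) - acl_flows(config, nat0.group(1))

def management_access_enabled(config, ifname="inside"):
    """True when the far end may ping/manage this interface through the tunnel."""
    return re.search(rf"^management-access {ifname}$", config, re.M) is not None

def icmp_inspected(config):
    """True when the globally applied policy-map carries 'inspect icmp'."""
    sp = re.search(r"^service-policy (\S+) global$", config, re.M)
    blk = sp and re.search(rf"^policy-map {sp.group(1)}\n((?:[ \t].*\n)*)", config, re.M)
    return bool(blk) and re.search(r"^\s*inspect icmp$", blk.group(1), re.M) is not None
```

Against the posted excerpt the first check reports the host entry of outside-1-cryptomap as not NAT-exempt, and the other two checks only pass once the suggested lines are appended.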