03-26-2013 08:52 AM
Hi Cisco Community.
I have a site to site VPN set up using an ASA 5505 (remote) and a checkpoint firewall managed by a third party (head office). I cannot ping either the external interface or the internal interface of the remote firewall. From the remote location, I am able to ping and connect to devices located at head office. Unfortunately at this moment in time I only have the firewall at the remote site so I cannot try and ping anything else behind it.
I am concerned as we will be replicating data and syncing between the two so communication between the two locations needs to be bi-directional.
I think that I have configured ICMP to be allowed at the remote end, and the third party managing the head office firewall say they are allowing it through too. The interesting thing is that I can ping the router that the ASA at the DR site is connected to (its route outside) and I am getting a response, so ICMP is indeed getting back through. I'm just wondering if there is anything I have overlooked in the configuration of the ASA?
Any help would be greatly appreciated. The running configuration is attached below. Thanks in advance to anyone who may be able to help.
xxxxx# show run
: Saved
:
ASA Version 8.2(5)
!
hostname xxxxx
domain-name xxxxx
enable password 9tc.bMMQOdcEzWlK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.4.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM-INLINE-SERVICE
service-object icmp
service-object tcp eq www
service-object tcp eq https
object-group network VPN-REMOTE
network-object 192.168.1.0 255.255.255.0
object-group protocol PROTOCOL-LIST
protocol-object ip
protocol-object icmp
protocol-object pim
protocol-object pcp
protocol-object snp
protocol-object udp
protocol-object igmp
protocol-object ipinip
protocol-object gre
protocol-object esp
protocol-object ah
protocol-object tcp
protocol-object eigrp
protocol-object ospf
protocol-object igrp
protocol-object nos
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-access-in extended permit ip any any
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 any
access-list inside-access-in extended permit icmp any any
access-list outside-access-in extended permit object-group DM-INLINE-SERVICE any any
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside-nat0-outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside-access-in in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 outside
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside-map 1 match address outside-1-cryptomap
crypto map outside-map 1 set peer xxx.xxx.xxx.xxx
crypto map outside-map 1 set transform-set ESP-3DES-SHA
crypto map outside-map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Admin password LUZB8j2zj03xvSeF encrypted
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bf3a098c48cf6ef8da2568a489ecc903
: end
03-26-2013 02:35 PM
I assume that your firewall inside interface is plugged into something to show that the interface is actually UP.
If the interface is UP, you would need to add "management-access inside" to be able to ping the ASA inside interface from HQ.
03-27-2013 05:02 AM
Hi Jennifer.
After adding the management-access inside command I can now ping the internal IP address of the ASA from Head Office.
However I cannot ping my laptop (192.168.4.100) which is connected to the ASA from Head Office.
03-27-2013 03:39 PM
Do you have any Windows firewall or any other host firewall on your laptop that might be preventing inbound ping from a different subnet?
03-28-2013 02:48 AM
Unfortunately no, Windows firewall is turned off and I use Security Essentials as my antivirus.
03-29-2013 01:15 AM
Try to configure the following:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
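The three ASA-side items raised in this thread (the "management-access inside" command from the 03-26 reply, the "inspect icmp" service policy from the reply above, and the relationship between the crypto ACL and the NAT exemption ACL in the posted running-config) can be checked mechanically against a "show run" capture. The script below is an added example written for this thread; it is not code from the original posts or from Cisco. It assumes ASA 8.2-era syntax (nat 0 access-list exemptions, crypto map match address) and the 8.2 packet-flow rule that NAT is applied before the crypto map is evaluated, so a crypto ACL entry with no matching nat 0 entry is translated to the outside address and never enters the tunnel. The config excerpt is constructed from the poster's configuration; 203.0.113.10 is a documentation-range placeholder standing in for the masked "host xxx.xxx.xxx.xxx" entry, which in the posted config has no nat 0 counterpart.

```python
import ipaddress

# Constructed running-config excerpt modelled on the ASA 8.2(5) config posted in
# the thread. 203.0.113.10 is a placeholder for the masked "host xxx.xxx.xxx.xxx"
# entry; it is not a real address.
SAMPLE_CONFIG = """\
ASA Version 8.2(5)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.4.254 255.255.255.0
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 host 203.0.113.10
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside-nat0-outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside-map 1 match address outside-1-cryptomap
crypto map outside-map interface outside
"""

# The same excerpt with the changes discussed in the thread applied (constructed).
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 host 203.0.113.10
management-access inside
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
"""


def _endpoint(tokens, i):
    """Parse one ACL endpoint ('any', 'host A', or 'A MASK') into an IPv4Network."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def acl_entries(lines, name):
    """Return [(src_net, dst_net)] for the 'extended permit' lines of ACL `name`."""
    out = []
    for t in lines:
        if t[:4] == ["access-list", name, "extended", "permit"] and len(t) >= 7:
            src, i = _endpoint(t, 5)
            dst, _ = _endpoint(t, i)
            out.append((src, dst))
    return out


def lint_asa_config(text):
    """Return a list of findings for the reachability problems raised in the thread."""
    lines = [l.split() for l in text.splitlines() if l.strip()]
    findings = []

    # 1. Without management-access, the inside interface address is not a valid
    #    destination for traffic arriving over the VPN (ping, ssh, ASDM).
    if not any(t[0] == "management-access" for t in lines):
        findings.append("no 'management-access <inside-if>': the inside interface IP "
                        "cannot be pinged or managed from the far end of the tunnel")

    # 2. ICMP is tracked statefully only when 'inspect icmp' sits in a policy-map
    #    that is actually applied with a service-policy.
    policy, inspected_in, applied = None, set(), set()
    for t in lines:
        if t[0] == "policy-map" and len(t) > 1:
            policy = t[1]
        elif t[:2] == ["inspect", "icmp"] and policy:
            inspected_in.add(policy)
        elif t[0] == "service-policy" and len(t) >= 3:
            applied.add(t[1])
    if not inspected_in & applied:
        findings.append("no 'inspect icmp' in an applied policy-map: echo replies are "
                        "not matched to requests as a stateful connection")

    # 3. On ASA 8.2, NAT runs before the crypto map is evaluated, so every crypto
    #    ACL entry needs a covering nat 0 (NAT exemption) entry.
    nat0_acls = [t[4] for t in lines
                 if t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list"]
    exempt = [e for acl in nat0_acls for e in acl_entries(lines, acl)]
    for t in lines:
        if t[:2] == ["crypto", "map"] and len(t) >= 7 and t[4:6] == ["match", "address"]:
            for src, dst in acl_entries(lines, t[6]):
                if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                    findings.append(f"crypto ACL {t[6]} entry {src} -> {dst} has no NAT "
                                    f"exemption: traffic is translated before encryption")
    return findings


if __name__ == "__main__":
    for f in lint_asa_config(SAMPLE_CONFIG):
        print("-", f)
    print("after fixes:", lint_asa_config(FIXED_CONFIG))
```

Run against a pasted "show run", the script reports the missing management-access line, the missing ICMP inspection, and any crypto ACL entry (here the host entry) that the nat 0 ACL does not cover; the fixed excerpt produces no findings. It does not model the far-end firewall, which in this thread turned out to be where the problem actually was.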
04-03-2013 05:40 AM
Hi Jennifer.
Thanks for the above response. Fortunately we have it working now; turns out it was something to do with the NATing being carried out on the 3rd party firewall at HQ. They disabled it and traffic is now flowing bi-directionally through the VPN tunnel.
Thank you for your time.