09-06-2013 03:43 AM
Hi,
I configured a Lan 2 Lan VPN and it works fine.
VPN use IKEv2 and certificate authentication.
Computer 1 can join Computer 2 without problem.
From computer 1, I tried to access IP inside 2 (ping, ASDM...) but I get this error: Failed to locate egress interface
I don't understand why I can access IP Computer 2 but not IP inside 2. Those 2 IPs are on the same network and packets pass through the same devices...
How can I solve this problem?
Thanks for your help,
Patrick
09-06-2013 03:50 AM
Hi,
I imagine that both devices we are talking about are Cisco firewalls? I mean the devices doing the VPN.
Cisco firewalls don't allow ICMP from behind one interface to another interface on the same device. The only exception to this is when traffic is coming through VPN and a specific configuration command has been entered on the device to which you are trying to ICMP from behind a VPN connection.
So if Computer 1 needs to ICMP Inside 2 then the firewall that has the Inside 2 interface must be configured with the command
management-access
The same configuration is required on the other firewall if Computer 2 needs to ICMP Inside 1.
There might also be NAT-related configurations that need modification, but this depends on the software level of your firewalls, which we don't know.
- Jouni
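As an added illustration (not Jouni's or Patrick's own configuration), these are the lines on the ASA that owns the Inside 2 interface which put the advice above into practice, in the post-8.3 NAT syntax. Assumed addressing: 192.168.1.0/24 behind Computer 1's ASA, 192.168.2.0/24 behind the second ASA whose inside interface is 192.168.2.1.

```cisco
! Second ASA (the one whose "inside" interface IP Computer 1 wants to reach)
! Assumed addresses: LAN1 = 192.168.1.0/24 (remote), LAN2 = 192.168.2.0/24 (local)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Lets traffic arriving through the VPN on "outside" terminate on the
! "inside" interface IP (ping, ASDM, SSH). Without this the ASA drops it
! with "Failed to locate egress interface".
management-access inside
!
! Identity NAT for the site-to-site traffic so nothing on the VPN is
! translated, including packets addressed to the inside interface itself.
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LAN2 LAN2 destination static LAN1 LAN1 no-proxy-arp route-lookup
!
! Restrict management of the inside interface to the remote LAN only;
! each line names the interface the session arrives on (inside, via management-access).
icmp permit 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
```

Only one interface can be named in management-access at a time, so the same firewall should not be given a second such line for another interface.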
09-06-2013 04:01 AM
Hi Jouni,
Thanks for your quick answer.
I use 2 Cisco ASA 5515-X on version 9.1(2).
Your solution works great!
I saw the management-access option but I didn't think that it would unblock ping.
Thanks again,
Patrick
05-10-2019 09:45 AM
I have the same scenario. But the thing is I use computer1 to access both of the ASA firewalls by SSH. I use IP outside2 to access the second firewall. Now if I use the management-access command on the IP Inside2 interface, am I going to lose the SSH connectivity from Computer 1 to the IP outside 2 of the second ASA firewall?
Thanks,