icmp not successful from inside host to remote through vpn

suthomas1
Level 6

A strange problem is seen while working on an IPsec VPN on an ASA.

ASA inside: 192.168.100.1 255.255.255.240

Client host connected directly to the ASA inside: 192.168.100.2

The tunnel forms properly. When the remote client 10.20.15.5 is pinged from the ASA, it responds.

The same ping, when tried from the client 192.168.100.2 connected directly to the ASA inside, doesn't work.

And doing this also doesn't bring the tunnel up.

From the ASA, ping to 192.168.100.1 and vice versa is fine.

Packet tracer output and the running configuration are attached. A capture of ping traffic from the host to the ASA inside interface doesn't show any output.

Please help.

Thanks.


Jennifer Halim
Cisco Employee

Based on the packet tracer, there is no configuration error on the ASA. However, just double-checking that you have configured NAT exemption on the ASA, i.e. "nat (inside) 0 access-list ", and that the ACL permits traffic between 192.168.100.0/28 and 10.20.15.0/26.

Does the 192.168.100.2 host have its default gateway configured to be the ASA inside interface (192.168.100.1)?
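For readers who want to see what the NAT exemption and crypto ACL the reply above refers to look like on the box, here is an added configuration example; it is not from the original thread or its attached configuration. It uses the two networks from the thread (192.168.100.0/28 and 10.20.15.0/26) and assumed names (NONAT, VPN-TRAFFIC, OUTSIDE-MAP, LOCAL-LAN, REMOTE-LAN, the "outside" interface name, and the crypto map sequence number). The first form is the pre-8.3 "nat 0" syntax the reply quotes; the second is the equivalent twice-NAT identity rule for ASA 8.3 and later.

```cisco
! --- ASA 8.2 and earlier: NAT exemption plus crypto ACL (added example, assumed names) ---
! Traffic matched by the nat 0 ACL is never translated, so the real 192.168.100.x
! source reaches the crypto map lookup and matches the interesting-traffic ACL.
access-list NONAT extended permit ip 192.168.100.0 255.255.255.240 10.20.15.0 255.255.255.192
nat (inside) 0 access-list NONAT
!
! Interesting traffic for the tunnel: same two networks, same direction (local -> remote).
! If this ACL does not match, the packet is routed by the normal routing table and
! leaves toward the ISP in the clear instead of bringing the tunnel up.
access-list VPN-TRAFFIC extended permit ip 192.168.100.0 255.255.255.240 10.20.15.0 255.255.255.192
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC

! --- ASA 8.3 and later: identity (twice) NAT instead of "nat 0" (added example, assumed names) ---
object network LOCAL-LAN
 subnet 192.168.100.0 255.255.255.240
object network REMOTE-LAN
 subnet 10.20.15.0 255.255.255.192
! Source and destination map to themselves, so no translation happens for VPN traffic.
! no-proxy-arp and route-lookup avoid the ASA answering ARP for the remote subnet
! and force a real route lookup for the egress interface.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
```

NAT exemption only matters when some other NAT rule on the ASA would otherwise translate the 192.168.100.x source before the crypto map lookup; with no NAT configured at all, the crypto ACL still has to match the traffic, and on 8.3+ a twice-NAT rule like the one above is placed ahead of any dynamic rules in section 1 so it wins.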

Exemption was tried, but it did not help.

I removed the exemption configuration as no NAT is currently happening on this device.

Yes, the gateway for the host is 192.168.100.1. I can reach the gateway from the host.

Very strange though: when I trace from this client 100.2, the hops show it taking the path towards my internet connection provider. Is it because the VPN tunnel is not used for this ping or tracert from the client?

Thanks.

Hi,

What are you trying to traceroute to from the PC?

It's interesting that you do not see captures when trying to ping the 10.x.x.x host from the machine. Do you see captures when trying to ping the ASA's IP 192.168.100.1 from the 100.2 machine? Please check the ARP table on the PC and confirm that it maps 192.168.100.1 to the MAC address of the ASA's inside interface.

Cheers,

Prapanch
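The checks Prapanch asks for can be run from the ASA side as well. The following is an added example of the commands for that, not commands from the thread; the capture name "cap-in" and the "outside" interface name are assumptions, the addresses are the ones from the thread. The last command asks the ASA itself what it would do with the host's ping, which is the quickest way to see whether the packet is dropped by an ACL or NAT rule before it ever reaches the crypto map.

```cisco
! --- On the ASA (added example) ---
! Capture only the host's ICMP toward the remote client on the inside interface.
! If this stays empty while the PC pings, the packet never arrives at the ASA
! (wrong gateway, wrong ARP entry, or wrong VLAN), so no ASA config will fix it.
capture cap-in interface inside match icmp host 192.168.100.2 host 10.20.15.5
show capture cap-in

! A second capture on the outside tells you where the packet goes after routing:
! a plain ICMP packet here means it left unencrypted toward the ISP, which is what
! the traceroute hops in the thread suggest; ESP to the peer means the tunnel was used.
capture cap-out interface outside match ip host 192.168.100.2 host 10.20.15.5
show capture cap-out

! Confirm the ASA sees the host's MAC on inside (compare with "arp -a" on the PC).
show arp

! Has the tunnel actually carried packets? Look at the encaps/decaps counters.
show crypto ipsec sa

! Simulate the host's echo request (type 8, code 0) through the full packet path
! and read the phase that reports DROP, if any.
packet-tracer input inside icmp 192.168.100.2 8 0 10.20.15.5

! Clean up when done; captures use memory on the box.
no capture cap-in
no capture cap-out
```

Run the captures while the PC is pinging, and compare the inside capture with the outside one: a packet seen on inside but missing from both the outside capture and the crypto counters is being dropped on the ASA, while a packet seen in the clear on outside is being routed around the tunnel.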

That doesn't sound right.

If it goes through the VPN tunnel, the traffic will be encrypted and you shouldn't be able to see the hop for your internet provider.

Can you please clear the xlate and connections for that host: clear local 192.168.100.2

Thanks Jennifer and Prapanch. The client host was able to communicate via the tunnel from the inside interface after I rebooted the ASA.

Strange, but after trying options including the ones suggested by you, I tried a reboot and it went off fine.

I appreciate the help you provided on this.