S2S can't ping ASA on the other side

diahvs123 (Level 1)

I'm using a site-to-site tunnel with NAT. I can ping from Lan2 (192.168.200.0/22) to Lan1 (192.168.1.0/24) except to the ASA. I would like to be able to ping the ASA (192.168.1.250) as well. How can this be achieved?

(I can't add a route-lookup: ERROR: Option route-lookup is only allowed for static identity case)

object network LAN-NAT-BDD
 subnet 192.168.153.0 255.255.255.0
object network BDD-LAN
 subnet 192.168.200.0 255.255.252.0
access-list outside_cryptomap_2 extended permit ip 192.168.153.0 255.255.255.0 192.168.200.0 255.255.252.0
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 LAN-NAT-BDD destination static BDD-LAN BDD-LAN

5 Replies

Jouni Forss (VIP Alumni)

Hi,

So you are doing NAT for the other site's LAN network? NAT for network 192.168.1.0/24 to 192.168.153.0/24? So you would actually be targeting 192.168.153.250?

Have you configured the "management-access inside" to enable ICMP to the "inside" interface through the VPN?

- Jouni

Hi Jouni,

That's correct.

management-access inside is also configured.

John

I guess the NAT configuration above is there for a reason? You have network 192.168.1.0/24 somewhere else?

If you have the option to let the host IP 192.168.1.250 overlap then I guess as a workaround you could try the following to configure Identity NAT for this IP only and add it to VPN.

object network ASA
 host 192.168.1.250
nat (inside,outside) source static ASA ASA destination static BDD-LAN BDD-LAN route-lookup

- Jouni
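The workaround above, written out as a complete set of ASA commands. This is an added example, not configuration from the thread's participants; it reuses the object and ACL names already in the thread (ASA, BDD-LAN, outside_cryptomap_2), assumes the existing 192.168.1.0/24 to 192.168.153.0/24 rule stays in place for the rest of the LAN, and assumes the remote peer's crypto ACL is updated to mirror the new host entry.

```cisco
! Added example (not from the original thread): identity NAT plus VPN
! interesting-traffic entry for the ASA's own inside address only.

object network ASA
 host 192.168.1.250

! Insert the host rule at line 1 so it is evaluated before the broader
! 192.168.1.0/24 -> 192.168.153.0/24 translation: manual NAT rules are
! matched top-down, first match wins. route-lookup is accepted here because
! real and mapped objects are the same (static identity NAT), which is why
! the original broader rule rejected the option.
nat (inside,outside) 1 source static ASA ASA destination static BDD-LAN BDD-LAN route-lookup

! The untranslated host address must also be interesting traffic for the
! tunnel, alongside the existing entry for the translated 192.168.153.0/24.
access-list outside_cryptomap_2 extended permit ip host 192.168.1.250 192.168.200.0 255.255.252.0

! Allow ICMP (and management) to the inside interface from the far end of
! the VPN; without this the ASA does not answer on that interface over the tunnel.
management-access inside
```

To check the result without generating traffic from the remote site, run `show nat` to confirm the host rule sits above the network rule, and `packet-tracer input outside icmp 192.168.200.10 8 0 192.168.1.250` (a constructed remote source address) to see which NAT rule and crypto ACL entry an inbound echo request matches; the VPN phase should show the new host entry, not the translated-network entry.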

I have tried so, but unfortunately still no ping response.

Hi,

While you were trying the above, did you make sure that the L2L VPN configurations and possible routing was fine for this single IP address of 192.168.1.250?

Is there a network 192.168.1.0/24 on the other site? That is essential information, as if that's the case then some directly connected route on the other network might make it impossible to forward traffic to the IP address 192.168.1.250 through the L2L VPN.

- Jouni
