08-08-2018 09:05 AM - edited 02-21-2020 08:04 AM
Hello,
I was trying to configure VPN but that failed and I noticed I can't ping from inside ASA1 to inside ASA2.
Here is how it is set up:
from 192.168.10.100 to 192.168.20.100
PC---ASA(NY)---ASA(LA)---PC
PC 192.168.10.100 --192.168.10.1--ASA--192.168.1.100----192.168.1.200--ASA--192.168.20.1--192.168.20.100
I configured an ACL to allow icmp from any to any but that didn't work.
I did "icmp enable outside/inside" but that didn't work.
I did add ICMP to the policy map but that didn't work.
I did a static route and OSPF, same thing, it didn't work.
Here is the configuration of one of the ASAs.
ASA-NY# sh ro
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
S 192.168.20.0 255.255.255.0 [1/0] via 192.168.1.200, outside
C 192.168.1.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.100 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
access-list outside_access_in extended permit tcp any 192.168.10.0 255.255.255.0 object-group TCP_Service_Group
access-list outside_access_in extended permit tcp any object User_Access_Net object-group TCP_Service_Group
access-list outside_access_in extended permit tcp any object User_Access_Net object-group RDP
access-list global_access extended permit icmp any any object-group Ping_testing_group
access-list VPN extended permit ip object-group LOCAL-NETWORK object-group REMOTE-NETWORK
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.11.0 255.255.255.0 192.168.10.5 1
route outside 192.168.20.0 255.255.255.0 192.168.1.200 1
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
thank you.
08-08-2018 09:53 AM
08-08-2018 11:13 AM
Hi,
I did what you asked and still the same issue. Please see below from the packet tracer.
ASA-NY# packet-tracer input inside icmp 192.168.10.100 8 0 192.168.20.100
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.20.0    255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit icmp any any object-group Ping_testing_group
object-group icmp-type Ping_testing_group
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 38, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA-NY#
08-08-2018 11:41 AM
08-08-2018 11:59 AM
Hi,
I did the packet tracer from the other ASA and it came back fine. Then I checked the Windows FW and you are right, they were on; I could have sworn I turned them off.
So now I can ping from PC to PC, however I can't ping the inside interface of the ASA, 192.168.20.1, from 192.168.10.100. Do you know why?
thank you
08-08-2018 12:16 PM
Try configuring the management-access command, reference here.
"If you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface."
HTH
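As an added illustration of the reply above (this is not configuration from the thread or from the poster's ASAs; it uses the addresses in the diagram and assumes ASA-LA's inside interface is named "inside"), here is what the management-access piece looks like next to the to-the-box ICMP rules it depends on. The "icmp permit" statements govern echo requests sent to the ASA's own interface addresses and are checked separately from the interface access-lists; "management-access inside" is what lets an echo that arrives encrypted on the outside interface be answered by the inside interface address.

```cisco
! Added example, not from the original thread. ASA-LA side, addresses taken
! from the diagram in the first post; interface name "inside" is assumed.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! To-the-box ICMP: these rules decide whether the ASA answers pings sent to
! its own interface addresses. They are separate from the access-group ACLs,
! which only filter through-the-box traffic.
icmp permit 192.168.20.0 255.255.255.0 echo inside
icmp permit 192.168.10.0 255.255.255.0 echo inside
icmp permit 192.168.1.0 255.255.255.0 echo outside
!
! Let traffic that enters through the VPN on the outside interface reach the
! inside interface address (ping, SSH, ASDM), as quoted in the reply above.
management-access inside
!
! Through-the-box ICMP: with icmp inspection the echo-reply is matched to the
! outbound echo, so the outside ACL needs no explicit permit for the reply.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verify the through-the-box path the same way the thread does:
packet-tracer input inside icmp 192.168.20.100 8 0 192.168.10.100
```

One caveat worth knowing when reading the later posts: an ASA only answers pings to an interface address from the network on that interface's side, so a host behind "inside" cannot ping the ASA's own "outside" address; management-access only relaxes this for traffic arriving through a VPN tunnel, not for hosts directly behind the other interface.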
08-08-2018 12:49 PM
Hi,
this is looking way better,
however I noticed that each client device is able to ping everything but its outside interface. I added an ACL to allow icmp any any but that did not work.
any suggestions?
thanks
08-08-2018 01:02 PM
08-08-2018 01:15 PM
Hi,
I had a feeling you would say that, but I waited for you to suggest it. Unfortunately that didn't help and it seems to have gotten worse: now I am not able to ping the outside interface or the inside interface of the other FW.
thank you
08-08-2018 01:17 PM
08-08-2018 01:25 PM - edited 08-08-2018 01:29 PM
hi,
please see attached; just an FYI, this is my personal lab/training.
thanks for your help.
08-08-2018 02:19 PM