Unable to ping remote subnet after tunnel is established

kltconsulting
Level 1

I am connecting a Cisco ASA 5505 and a Symantec Gateway 460R device via site-to-site VPN tunnel, and the Phase 1 (IKE) and Phase 2 (IPsec) negotiations go through just fine. I show 1 active IKE and 1 active IPsec on the monitoring screen. However, when I try to ping a device on the remote subnet, the pings time out. I can ping the public IP of the outside interface on the peer device, but if I try to ping anything on the inside interface, I get a time-out. If the tunnel is established, shouldn't my subnet be able to communicate with the remote subnet?

5 Replies

acomiskey
Level 10

A little more info may be needed here. ASA config would be nice.

The config file is attached.

Without knowing a little more about how each end of the network is set up, it might be a little hard to narrow this down with just the config file. If you do a tracert, does that completely fail?

The next 2 issues to look at would be: 1 - Are there any ACLs, or the like, on either end that are blocking ICMP ping traffic? and 2 - Does the host that you are pinging on the other end know where to send the response?

You may need to add a static route to the host on the other end to make sure that it knows which interface or IP on the network to send the response back out through.

Be aware that if you add a static route to a Windows Server or Workstation, it will stay in there only as long as the computer has not been rebooted. I haven't found a way to keep it in there permanently.

Reido

You can add a "permanent" route to a MS-Windows system by using the "-p" flag on the ROUTE ADD command. Here's a screen cut-and-paste from the help shown when you just give the ROUTE command without any argument:

" -p When used with the ADD command, makes a route persistent across
boots of the system. By default, routes are not preserved
when the system is restarted. Ignored for all other commands,
which always affect the appropriate persistent routes. This
option is not supported in Windows 95."

james.rugh
Level 1

I am having the same problem between an ASA and an 871w. The tunnel is up. However, on the ASA, if I do a "debug icmp trace", and then ping from a device on the remote end to the ASA inside interface, I see the icmp echo requests come in to the inside interface, but the ASA echo replies go back out the outside interface. It's as though traffic is not routing to the remote properly through the tunnel. I've checked the no-nat access-list - looks ok to me.
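As an added example (not code from any poster in this thread, and not the attached config), a small Python checker for the two ACLs the replies above point at: it reads ASA 8.2-style configuration text, finds the NAT-exemption ACL referenced by `nat (interface) 0 access-list NAME` and the crypto-map `match address` ACL, and reports whether each covers the local-to-remote subnet pair. The sample config and subnets are constructed; the mismatch it contains (NAT exemption naming the wrong remote subnet) is one way a tunnel can be "up" while replies bypass it.

```python
import ipaddress
import re

# Constructed sample config (not the poster's attached file): the crypto ACL
# covers the remote subnet, but the NAT-exemption ACL names a different one.
SAMPLE_CONFIG = """
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map outside_map 10 match address outside_cryptomap_10
"""

def _parse_net(tokens):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries only."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (?:extended )?permit ip (.*)", line.strip())
        if not m:
            continue
        src, rest = _parse_net(m.group(2).split())
        dst, _ = _parse_net(rest)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls

def _covers(entries, local, remote):
    # True if some entry's source contains the local subnet and its destination contains the remote one
    return any(local.subnet_of(s) and remote.subnet_of(d) for s, d in entries)

def check_tunnel_acls(config, local, remote):
    """Report whether NAT exemption and the crypto-map match ACL both cover local -> remote."""
    local, remote = ipaddress.IPv4Network(local), ipaddress.IPv4Network(remote)
    acls = parse_acls(config)
    nonat = re.findall(r"nat \(\S+\) 0 access-list (\S+)", config)
    crypto = re.findall(r"crypto map \S+ \d+ match address (\S+)", config)
    return {
        "nat_exempt": any(_covers(acls.get(n, []), local, remote) for n in nonat),
        "crypto_match": any(_covers(acls.get(n, []), local, remote) for n in crypto),
    }

if __name__ == "__main__":
    # Expected on the sample: {'nat_exempt': False, 'crypto_match': True}
    print(check_tunnel_acls(SAMPLE_CONFIG, "192.168.1.0/24", "192.168.2.0/24"))
```

A result of `crypto_match` True with `nat_exempt` False means the interesting-traffic definition is fine but inside-to-remote packets are still subject to NAT, which is the symptom described above (replies leaving the outside interface in the clear).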
