ASA 5505 VPN Issue

Unanswered Question

We have a Cisco 515 as a headend firewall with ~30 VPN connections to remote sites. The existing remote sites are using Cisco 506 firewalls and work fine. I am trying to setup an ASA 5505 as a rmote firewall as a future replacement for the PIX 506's. I am able to get the site to site tunnels up just fine. The issue is that once the tunnels are up I am not able to ping the inside interface of the remote ASA from the headend LAN. I am able to telnet to the ASA and run the ASDM but no ping. I am also not able to ping from the ASA to the headend LAN but I can ping from a device on the remote ASA LAN to the headend LAN. I have rebuilt the configs manually and with the ASDM with the same results. The remote Ipsec rules prtect the outside interface to headend LAN just like I do on the 506's. It is almost like the ASA will not build a tunnel from the outside interface to the remote LAN. Can anyone tell me what I am missing or what is different about the ASA over the PIX? Any help appreciated.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Thu, 01/17/2008 - 14:51

To ping the remote ASA inside interface you have to add the command "management-access inside".

Thanks for your reply. This is already set allong with the following.

icmp permit any inside

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

When looking at the logs it looks like it builds an inbound connection and tears it down. On the PIX's it builds the inbound and outbound connection and then tears them down.

When I do an inspect on the ping packets from the remote LAN I get an interesting result.


input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (ipsec-spoof) IPSEC Spoof detected

srue Thu, 01/17/2008 - 17:52

once you had the "icmp permit any inside" command, other icmp traffic to the asa device is denied on every interface. You need to add icmp permit any outside.

also, unless 'sysopt connection permit-vpn' is enabled, your acl on your outside interfaces needs to allow whatever traffic you want to allow , even over the vpn. (sysopt connection permit-ipsec in 7.0 and earlier)


This Discussion