01-17-2008 02:25 PM - edited 02-21-2020 03:29 PM
We have a Cisco 515 as a headend firewall with ~30 VPN connections to remote sites. The existing remote sites are using Cisco 506 firewalls and work fine. I am trying to set up an ASA 5505 as a remote firewall as a future replacement for the PIX 506s. I am able to get the site-to-site tunnels up just fine. The issue is that once the tunnels are up I am not able to ping the inside interface of the remote ASA from the headend LAN. I am able to telnet to the ASA and run the ASDM, but no ping. I am also not able to ping from the ASA to the headend LAN, but I can ping from a device on the remote ASA LAN to the headend LAN. I have rebuilt the configs manually and with the ASDM with the same results. The remote IPsec rules protect the outside interface to headend LAN just like I do on the 506s. It is almost like the ASA will not build a tunnel from the outside interface to the remote LAN. Can anyone tell me what I am missing or what is different about the ASA over the PIX? Any help appreciated.
01-17-2008 02:51 PM
To ping the remote ASA inside interface you have to add the command "management-access inside".
01-17-2008 03:04 PM
Thanks for your reply. This is already set along with the following.
icmp permit any inside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
When looking at the logs it looks like it builds an inbound connection and tears it down. On the PIX's it builds the inbound and outbound connection and then tears them down.
When I do an inspect on the ping packets from the remote LAN I get an interesting result.
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
01-17-2008 05:52 PM
Once you have the "icmp permit any inside" command, other ICMP traffic to the ASA device is denied on every interface. You need to add "icmp permit any outside".
Also, unless 'sysopt connection permit-vpn' is enabled, the ACL on your outside interface needs to allow whatever traffic you want to allow, even over the VPN. (sysopt connection permit-ipsec in 7.0 and earlier)
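As an added example, not taken from any poster in this thread, here is how the settings the replies mention fit together in a remote-side ASA 5505 LAN-to-LAN configuration of that era; every address, object name and the pre-shared key placeholder is a constructed assumption.

```cisco
! Constructed example: remote-side ASA 5505 fragment, not any poster's configuration
! Assumed addresses: headend LAN 10.1.0.0/24, headend peer 192.0.2.1,
! remote LAN 10.2.0.0/24 behind this ASA's inside interface 10.2.0.1
!
! Allow ICMP to the ASA itself on both interfaces, so the inside interface
! answers pings arriving from the headend over the tunnel
icmp permit any inside
icmp permit any outside
!
! Let traffic arriving over the VPN reach the inside interface (ping, telnet, ASDM)
management-access inside
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! Interesting traffic: the whole remote LAN, which includes the inside interface
! address, to the headend LAN, so pings sourced from the ASA are encrypted too
access-list VPN-HEADEND extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! Keep LAN-to-LAN traffic out of NAT (pre-8.3 syntax)
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Either bypass the outside ACL for decrypted VPN traffic ...
sysopt connection permit-vpn
! ... or, without it, permit the headend LAN explicitly on the outside ACL:
! access-list OUTSIDE-IN extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! access-group OUTSIDE-IN in interface outside
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map HEADEND 10 match address VPN-HEADEND
crypto map HEADEND 10 set peer 192.0.2.1
crypto map HEADEND 10 set transform-set ESP-AES-SHA
crypto map HEADEND interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
```

The headend side needs the mirror-image crypto ACL (headend LAN to remote LAN) for the tunnel to carry pings to and from the inside interface address.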