ICMP Traffic across EZVPN tunnel

Unanswered Question
Feb 4th, 2008

Hello, I'm having an issue with pinging across a VPN tunnel that I have established via EZVPN NEM. I have a PIX501 acting as the EZVPN client and an ASA5520 (7.2(3)) as the EZVPN server. The tunnel establishes fine, I can transfer files from the PIX (config etc.) across the tunnel, but I'm not able to ping across the tunnel from the 501 to the network across the VPN tunnel. My PIX network is 10.200.128.0/24; I'm trying to ping a 10.1.1.0/24 network across the VPN. I get the following log message on the ASA when I ping from the PIX:

PIX: ping in 10.1.1.20

Log message on ASA: Deny inbound icmp src inside:10.1.1.20 dst inside:10.200.128.1 (type 0, code 0)


Here's the relevant config on the ASA:


: Saved
:
ASA Version 7.2(3)
!
hostname Cosmos-ASA
domain-name
enable ...
names
dns-guard
!
! interfaces: inside 10.1.1.0/24 (with failover standby), outside carries the crypto map
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.1.1.3 255.255.255.0 standby 10.1.1.5
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address ....
!
! access lists: no-nat is the NAT exemption for the EZVPN client network,
! testEZ is the split-tunnel network list handed to the client
access-list no-nat extended permit ip 10.0.0.0 255.0.0.0 10.200.128.0 255.255.255.0
access-list acl_in extended permit tcp any 192.168.0.0 255.255.128.0 range 137 netbios-ssn
access-list acl_in extended permit udp any 192.168.0.0 255.255.128.0 range netbios-ns 139
access-list acl_in extended deny tcp any any eq 6667
access-list acl_in extended deny tcp any any range 137 netbios-ssn
access-list acl_in extended deny udp any any range netbios-ns 139
access-list acl_in extended permit ip any any
access-list testEZ extended permit ip 10.1.1.0 255.255.255.0 10.205.0.0 255.255.0.0
access-list testEZ extended permit ip 10.1.2.0 255.255.255.0 10.205.0.0 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
nat (inside) 0 access-list no-nat
!
! IPsec / ISAKMP: dynamic crypto map on outside, pre-shared-key policy, NAT-T on
crypto ipsec transform-set mySET esp-3des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
!
! EZVPN server side: group policy with NEM and split tunnelling, remote-access tunnel group
group-policy TestGroup internal
group-policy TestGroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testEZ
 nem enable
username testUser password xxx
tunnel-group TestPIXGroup type ipsec-ra
tunnel-group TestPIXGroup general-attributes
 default-group-policy TestGroup
tunnel-group TestPIXGroup ipsec-attributes
 pre-shared-key *



I think that's everything that's relevant. Any ideas as to why this isn't working? Thanks in advance.

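Two things in the post are worth pinning down before touching the VPN config: the denied packet is ICMP type 0, an echo reply, so the log line records the return packet from 10.1.1.20, and the ASA reports both the ingress and egress interface as "inside"; separately, the split-tunnel list testEZ names 10.205.0.0/16 as the far side while the client network in the post is 10.200.128.0/24. The script below is an added example for this thread, not code from the original post or from Cisco: it parses the quoted "Deny inbound" line, flags the same-interface case, and checks which posted ACL entries would match the 10.1.1.20 to 10.200.128.1 pair. The log line and ACL entries are copied from the post as constructed sample input; the function names and the simplified ACL grammar are this example's own assumptions.

```python
"""Triage helpers for the ASA log line and ACLs quoted in the post.

Added example, not part of the original thread or of Cisco's tooling.  The
sample log line and ACL entries below are copied from the post; everything
else (function names, the simplified ACL grammar) is this example's own.
"""
import ipaddress
import re

# Log line exactly as quoted in the post (constructed sample input).
SAMPLE_LOG = ("Deny inbound icmp src inside:10.1.1.20 "
              "dst inside:10.200.128.1 (type 0, code 0)")

# ACL lines copied from the posted ASA config (constructed sample input).
SAMPLE_CONFIG = [
    "access-list no-nat extended permit ip 10.0.0.0 255.0.0.0 10.200.128.0 255.255.255.0",
    "access-list acl_in extended permit tcp any 192.168.0.0 255.255.128.0 range 137 netbios-ssn",
    "access-list acl_in extended permit udp any 192.168.0.0 255.255.128.0 range netbios-ns 139",
    "access-list acl_in extended deny tcp any any eq 6667",
    "access-list acl_in extended deny tcp any any range 137 netbios-ssn",
    "access-list acl_in extended deny udp any any range netbios-ns 139",
    "access-list acl_in extended permit ip any any",
    "access-list testEZ extended permit ip 10.1.1.0 255.255.255.0 10.205.0.0 255.255.0.0",
    "access-list testEZ extended permit ip 10.1.2.0 255.255.255.0 10.205.0.0 255.255.0.0",
]

# ASA 7.x "Deny inbound <proto> src <ifc>:<ip> dst <ifc>:<ip> [(type N, code M)]"
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) src (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+) "
    r"dst (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
)

# ICMP type numbers (RFC 792); only the ones worth naming in a ping triage.
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_deny(line):
    """Return a dict describing a 'Deny inbound' line, or None if it is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["type"] = int(d["type"]) if d["type"] is not None else None
    d["code"] = int(d["code"]) if d["code"] is not None else None
    d["icmp_name"] = ICMP_TYPES.get(d["type"], "other") if d["proto"] == "icmp" else None
    # src and dst on the same nameif: the ASA would have to send the packet back
    # out the interface it arrived on, a case worth looking at on its own.
    d["same_interface"] = d["src_ifc"] == d["dst_ifc"]
    return d


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA extended ACLs take a subnet mask (not a wildcard mask) after the address.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(config_lines, name):
    """Collect (action, proto, src_net, dst_net) for every entry of ACL `name`.

    Simplified grammar: 'access-list NAME extended ACTION PROTO SRC DST [ports]'.
    Port operators between source and destination are not handled; none of the
    posted entries use them.
    """
    entries = []
    for line in config_lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[1] != name or t[2] != "extended":
            continue
        action, proto = t[3], t[4]
        src, rest = _take_addr(t[5:])
        dst, _ = _take_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def first_match(entries, src_ip, dst_ip):
    """Emulate first-match evaluation for an IP-level lookup.

    Only 'ip' entries are considered, i.e. what a non-TCP/UDP packet such as
    ICMP would hit; the implicit deny at the end is returned as 'deny'.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, src, dst in entries:
        if proto == "ip" and s in src and d in dst:
            return action
    return "deny"


if __name__ == "__main__":
    info = parse_deny(SAMPLE_LOG)
    print(f"{info['proto']} {info['icmp_name']} {info['src_ip']} -> {info['dst_ip']}, "
          f"same interface: {info['same_interface']}")
    for acl in ("no-nat", "testEZ"):
        verdict = first_match(parse_acl(SAMPLE_CONFIG, acl), info["src_ip"], info["dst_ip"])
        print(f"{acl}: {info['src_ip']} -> {info['dst_ip']} = {verdict}")
```

Run against the posted values it reports the denied packet as an echo reply with src and dst both on inside, "no-nat" permitting the pair (NAT exemption covers it) and "testEZ" not matching it, because the list's far-side network is 10.205.0.0/16 rather than 10.200.128.0/24. That is an observation to take back to the config, not a verdict on the root cause.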
amritpatek Fri, 02/08/2008 - 13:53

Check first if you are able to ping (extended) from the VPN interface of the ASA to a host in the internal network. The message on the ASA indicates that the ping is being denied by some access rules and this is not a problem of VPN. The following links may help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
