ASA site-to-site VPN

Apr 18th, 2008

Hi all,

Friends, I configured a site-to-site VPN between ASAs... one side a 5505 and the other a 5510... The VPN is active and works OK, but from the 5505 the inside hosts cannot access the internet and cannot ping either the outside interface IP or public outside IPs. The static route on outside is configured correctly, and ICMP is permitted (icmp permit any inside, icmp permit any outside).

Any advice ... ???

Need your help ... :)))

dongdongliu Fri, 04/18/2008 - 02:29

hi

It seems like all of your traffic is going through the "VPN".

Please check that the ACL for interesting traffic is not "any any".

regards

batumibatumi Fri, 04/18/2008 - 04:01

On the 5505 side, the inside interface ACL is permit (source any, destination any less-secure networks)

and the outside interface ACL is deny (source any, destination any), the implicit rule ...

I am configuring it with ASDM ... :)

Why can't I ping my ASA's outside interface IP? I configured ICMP with "icmp permit any inside / icmp permit any outside" .... ?

I think that I have to open (with an ACL) the IP, TCP, and UDP protocols from inside to outside to have internet access and ping...

Am I right ... ?

P.S. It's my first time practising with an ASA... and that's why I look so lame...

Please, I need your advice ... :)))

Great thanks in advance :)))

Regards

wasiimcisco Sat, 04/19/2008 - 03:37

Please check that you only permit VPN traffic for no-NAT. If you have "any any" in the access-list, all your traffic is going without NAT. Please modify the access-list to allow only VPN traffic for no-NAT and everything else for NAT so that you can browse the internet.

You can't ping the outside interface of the firewall from inside. Do the ICMP inspection in the policy-map: define inspect icmp there.
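A constructed ASA configuration fragment (pre-8.3 NAT syntax, written for this thread and not taken from any poster) showing the NAT exemption limited to the VPN pair the thread names (10.7.7.0/24 local, 10.1.1.0/24 remote), PAT on the outside interface for everything else, and ICMP inspection; the interface names inside/outside and the ACL name NONAT are assumptions.

```cisco
! Constructed example, not from any post in this thread. Interface and ACL names are assumed.
! Only VPN traffic (local 10.7.7.0/24 -> remote 10.1.1.0/24) is exempted from NAT.
! An "any any" entry here would exempt all inside traffic, so internet-bound packets leave un-NATed.
! The crypto map's "match address" ACL should cover the same subnet pair, not "any any".
access-list NONAT extended permit ip 10.7.7.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Everything else from the inside network is PATed to the outside interface address.
nat (inside) 1 10.7.7.0 255.255.255.0
global (outside) 1 interface
!
! ICMP inspection lets echo replies from public hosts return through the stateful check,
! without opening ICMP from outside to inside in an interface ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

To check which NAT rule an inside host's ping actually hits, `packet-tracer input inside icmp 10.7.7.10 8 0 <public IP>` simulates the echo request and reports the NAT and ACL phases (10.7.7.10 is a constructed host address).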

batumibatumi Sat, 04/19/2008 - 04:45

(NAT config) It exempts from NAT source inside network 10.7.7.0/24 to destination network 10.1.1.0/24. It means that only VPN connection traffic is permitted for NAT.. I'm going to configure PAT for the inside hosts on the outside interface to have access to the public resources (is this the right solution ???). Apart from the NAT, should I configure an ACL to permit the IP protocol (so inside hosts have access to outside) ... ?

P.S. I'm configuring the ASA firewall with ASDM.

wasiimcisco,

It was very kind from your side... Thank you.

Regards, Batumi3

batumibatumi Sun, 04/20/2008 - 04:08

Sorry for my poor English.... Is what I wrote not pretty clear to you ... ?!

Hope somebody will reply to me :)))
