ASA5520 ping interface

lydia.walther
Level 1

Hi,

what is necessary to ping an interface of the ASA?

It is an interface (security-level 1) with a public ip address (a.b.c.d). We can't ping it from the internet and we also can't ping it from another inside network (other physical interface).

We tried "icmp permit host a.b.c.d interfacename".

We tried to create access rules for this interface: source and destination ANY, Service ICMP/ECHO/ECHO-REPLY.

We have no idea what the problem is.

Maybe someone can help us.

greetings

10 Replies

Collin Clark
VIP Alumni

An ACL should suffice; here is a copy of mine.

access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded

When you have this applied and you ping, what do the logs say?

Hello Lydia,

Best practice is adding inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

Regards
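The two replies above offer two different ways to let echo replies back in: a static ACL on the outside interface, or stateful ICMP inspection in the globally applied policy. The following is an added example, not code from the thread or from Cisco: a small parser that reads an ASA running-config and reports which of the two mechanisms covers a given interface, so the config can be checked before anyone starts pinging. The config text is constructed from the thread's snippets; the `access-group` line is standard ASA syntax but is an assumption, as the thread never shows how the ACL is applied.

```python
"""Check an ASA config for how ICMP echo replies get back through the box.

Added example (not from the thread). Two mechanisms are recognised:
  * 'inspection': 'inspect icmp' inside the policy-map named by
    'service-policy <name> global' (stateful: only replies to requests the
    ASA saw leaving are admitted);
  * 'acl': an inbound ACL on the interface that permits icmp any any
    echo-reply (static: every reply is admitted, matching request or not).
"""
import re

# Constructed config modelled on the thread's posts. The access-group line
# is an assumption (standard ASA syntax), not something the thread shows.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-group OUTSIDE_IN in interface outside
class-map DEFAULT_CLASSMAP
 match default-inspection-traffic
policy-map DEFAULT_POLICYMAP
 class DEFAULT_CLASSMAP
  inspect dns
  inspect icmp
  inspect icmp error
policy-map default_policymap
service-policy DEFAULT_POLICYMAP global
"""


def parse_policy_maps(config):
    """Map policy-map name -> set of inspect engines configured under it.

    Keyword based rather than indentation based, so it also works on config
    pasted into a forum post with the leading spaces stripped."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("policy-map "):
            current = line.split()[1]
            policies.setdefault(current, set())
        elif current and line.startswith("inspect "):
            policies[current].add(line[len("inspect "):])
        elif current and line.startswith(("class ", "description ", "parameters")):
            continue  # still inside the policy-map
        else:
            current = None  # any other top-level command ends the policy-map
    return policies


def global_inspections(config):
    """Inspect engines active in the policy-map applied with 'service-policy X global'."""
    m = re.search(r"^service-policy\s+(\S+)\s+global\s*$", config, re.M)
    if not m:
        return set()
    return parse_policy_maps(config).get(m.group(1), set())


def acl_icmp_return_permits(config):
    """ACL name -> ICMP types permitted 'any any' (the shape of Collin Clark's lines)."""
    pat = re.compile(
        r"^access-list\s+(\S+)\s+extended\s+permit\s+icmp\s+any\s+any\s+(\S+)\s*$", re.M)
    result = {}
    for name, icmp_type in pat.findall(config):
        result.setdefault(name, set()).add(icmp_type)
    return result


def inbound_acls(config):
    """Interface name -> ACL applied inbound via 'access-group <acl> in interface <if>'."""
    pat = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$", re.M)
    return {iface: acl for acl, iface in pat.findall(config)}


def icmp_replies_allowed(config, interface):
    """Return 'inspection', 'acl' or None for echo replies arriving on `interface`.

    Inspection is reported first because the connection entry it creates
    admits the reply regardless of the interface ACL."""
    if "icmp" in global_inspections(config):
        return "inspection"
    acl = inbound_acls(config).get(interface)
    permitted = acl_icmp_return_permits(config).get(acl, set())
    return "acl" if "echo-reply" in permitted else None


if __name__ == "__main__":
    print("global inspections:", sorted(global_inspections(SAMPLE_CONFIG)))
    print("outside replies via:", icmp_replies_allowed(SAMPLE_CONFIG, "outside"))
    print("vpn replies via:", icmp_replies_allowed(SAMPLE_CONFIG, "vpn"))
```

Feed it the output of `show running-config` (or a pasted excerpt); the result for an interface that shows `None` means ping replies from that side will time out even though the request itself is never denied, which is exactly the symptom of a missing inspection or return ACL.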

You cannot reach the remote interface if the traffic is sourced from a local segment.

Hey,

it is what we have:

policy-map DEFAULT_POLICYMAP
 class DEFAULT_CLASSMAP
  …
  …
  inspect icmp
  inspect icmp error

Ok, I configured:

access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded

but the ping says “timeout”. In the logging of the ASA I can see:

built inbound icmp connection; source my computer, destination the gateway of my computers subnet

then teardown icmp connection; source my computer, destination the gateway of my computers subnet

then teardown icmp connection; source my computer, destination the ip of the interface we want to ping

But there is no deny.

It is not the outside interface we want to ping. It is another one we want to use for vpn. Outside-Interface, VPN-Interface and Inside-Interface are 3 physical interfaces.

greetings Lydia

Lydia,

You can remove all access-lists, if you already have inspection in place. Make sure that this default_policymap is assigned global, not to an interface.

Second, as previously mentioned, pinging an interface from a subnet bound to another interface is not possible. The only exception to this is IPSec VPN tunnels: a remote end terminated at the outside interface can ping the inside interface IP IF! this interface is assigned the management interface role with the command "management-access inside".

Please describe to us from which subnet, connected to which interface, you are trying to ping which interface. Posting the sanitized config would help; it may be a routing issue.

Regards

Hey,

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.76.221.249 255.255.255.248 standby 10.76.221.250
 ospf cost 10
!
interface GigabitEthernet0/1.101 (-->it is Gateway)
 vlan 101
 nameif service
 security-level 100
 ip address 134.76.221.126 255.255.255.128 standby 134.76.221.125
 ospf cost 10
!
interface GigabitEthernet0/2.106 (--> no Gateway, only one IP of the subnet)
 vlan 106
 nameif vpn
 security-level 1
 ip address 134.76.221.195 255.255.255.224

router ospf 1
 router-id 12.12.12.12
 network 10.76.221.248 255.255.255.248 area 10.76.216.0
 network 134.76.221.0 255.255.255.128 area 10.76.216.0
 area 10.76.216.0
 log-adj-changes

class-map DEFAULT_CLASSMAP
 description classmap fuer alles
 match default-inspection-traffic
!
policy-map DEFAULT_POLICYMAP
 class DEFAULT_CLASSMAP
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect icmp error
  inspect netbios
  inspect snmp
  inspect sqlnet
  inspect xdmcp
policy-map default_policymap
!
service-policy DEFAULT_POLICYMAP global

The private IP of our outside interface is an IP of a routing network. There is another router before our ASA making the connection to the internet. This router also has the gateway of the IP on interface 0/2.106.

My computer is in the subnet of interface 0/1.101. We want to ping the IP of the interface 0/2.106 and from the Internet because of VPN.

Lydia,

You cannot ping the interface IP 134.76.221.195 from any host within the 134.76.221.0/25 network and vice versa. This is the default and non-changeable behaviour of the ASA. Yet being able to ping or being able to "connect" to another interface's IP from a host connected to a different interface is NOT! a necessity for any VPN operation. If you explain "We want to ping the IP of the interface 0/2.106 and from the Internet !because of VPN!" in detail, then I will advise accordingly.
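The rule stated in this reply (and in the earlier ones) is that the ASA only answers an echo request to one of its own interface addresses when the request arrives on that very interface; which interface that is follows from routing, not from which address was typed. The following is an added example, not part of the thread, that models this rule so a case like Lydia's can be reasoned through before touching the box. The interface table is taken from the config she posted; the default-route interface, the host addresses and the `management-access` tunnel case are constructed assumptions.

```python
"""Model which hosts can ping an ASA interface IP.

Added example, not from the thread. Rule encoded: an echo request to an
ASA interface address is answered only if it enters on that same interface.
The one exception the thread mentions is a host coming in over a VPN
tunnel, which may ping the interface named in 'management-access <ifname>'.
"""
from ipaddress import ip_address, ip_interface

# Interface addresses as posted in the thread (nameif -> address/mask).
ASA_INTERFACES = {
    "outside": ip_interface("10.76.221.249/29"),
    "service": ip_interface("134.76.221.126/25"),
    "vpn":     ip_interface("134.76.221.195/27"),
}
# Assumption: a default route points out of 'outside', so any source that is
# not on a connected subnet arrives there.
DEFAULT_ROUTE_IFACE = "outside"


def ingress_interface(src, interfaces=ASA_INTERFACES, default=DEFAULT_ROUTE_IFACE):
    """Interface a packet from `src` arrives on: longest connected prefix, else the default route."""
    src = ip_address(src)
    best = None
    for name, ifc in interfaces.items():
        if src in ifc.network and (
            best is None or ifc.network.prefixlen > interfaces[best].network.prefixlen
        ):
            best = name
    return best or default


def interface_for_ip(dst, interfaces=ASA_INTERFACES):
    """Name of the interface owning address `dst`, or None if it is not an ASA address."""
    dst = ip_address(dst)
    for name, ifc in interfaces.items():
        if ifc.ip == dst:
            return name
    return None


def ping_answered(src, dst, interfaces=ASA_INTERFACES, via_vpn=False, management_access=None):
    """Return (answered, reason) for an echo request from `src` to ASA address `dst`.

    via_vpn=True means the request is decrypted from a tunnel terminating on
    the ASA; management_access names the interface configured with
    'management-access <ifname>' (assumed None if not configured)."""
    target = interface_for_ip(dst, interfaces)
    if target is None:
        return False, f"{dst} is not an ASA interface address (transit traffic, not a self-ping)"
    if via_vpn:
        if management_access == target:
            return True, f"tunnelled host may ping '{target}' because of 'management-access {target}'"
        return False, f"tunnelled hosts may only ping the management-access interface, not '{target}'"
    arrives_on = ingress_interface(src, interfaces)
    if arrives_on == target:
        return True, f"request enters on '{target}' and targets '{target}'"
    return False, f"request enters on '{arrives_on}' but targets '{target}': the ASA does not answer"


if __name__ == "__main__":
    # Constructed hosts: one on the service subnet, one on the vpn subnet,
    # one on the internet (documentation range).
    for src, dst in [("134.76.221.10", "134.76.221.195"),
                     ("134.76.221.200", "134.76.221.195"),
                     ("203.0.113.5", "134.76.221.195")]:
        ok, why = ping_answered(src, dst)
        print(f"{src} -> {dst}: {'answered' if ok else 'no reply'} ({why})")
```

Run as a script it reproduces the thread's two failing cases (a host on the service subnet, and an internet host whose packets enter on `outside`) and the one case that would work, a host on the vpn interface's own /27. The same holds for the VPN client: its traffic to 134.76.221.195 is routed in through g0/0, so the ASA never sees it on the `vpn` interface, which is why the reply suggests moving the public subnet onto the outside side.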

Yes, I know that it is not necessary.

We wanted to test if the vpn-interface is reachable from the internet etc.

To test VPN we configured it for the outside interface. It worked! But as you see, it's a private IP.

So we configured another interface for VPN with 134.76.221.195.

And VPN is not working. The Cisco VPN Client says "it's not responding".

In both cases we tested the vpn connection from another network part (not saved via our ASA).

Now it's much clearer, thanks for the explanation.

When ASA is involved, this design is not applicable when ASA has to terminate the VPN itself.

The applicable design would be creating a sub-interface in the next-hop router for the ASA (that is the router facing ASA g0/0 in 10.76.221.248/29), assigning that sub-interface an IP in 134.76.221.0/128 (or it can be the physical interface itself facing the ASA), assigning the ASA's g0/0 another IP in that same subnet, and then configuring OSPF accordingly.

Regards

Hey,

thank you a lot for your time and your answers!

Well, I think it is not the right solution for us. Our network is a little bit complicated :-)

I think we have to read first some manuals again and think about it.

We have a new idea at the moment and I think we will test it next week.

Maybe we will write again here next week :-) then with a picture of the network.

Thank you very much.

Lydia
