Can't ping external hosts over site-to-site VPN

bmarms
Level 1

Hi All,

I have 2 sites configured as L2L VPNs back to my ASA5520. One site is using a PIX525 and the other an ASA5505. I can access all resources on my private network without issue and all traffic from the remote sites is "protected". The issue I'm having is that I cannot ping any external hosts. For example, if I attempt to ping 4.2.2.1 from a host at a remote site it times out. I can ping any resource on my "private" networks at any site without issue. Any suggestions? Thanks.


4 Replies

hdashnau
Cisco Employee

If you're relying on Internet access through the L2L tunnel (because you are tunneling everything), then you need to:

1) Either set up u-turn and outside NAT for the remote network on the headend ASA so the traffic can leave the same interface it came in on with a public IP address for the Internet:

nat (outside) 99

global (outside) 99 interface

same-security-traffic permit intra-interface

Or

2) Set up a default tunnel gateway that points to an internal router that has access to the Internet:

route inside 0.0.0.0 0.0.0.0 tunneled

-heather

Thanks Heather. A couple of items:

Should the command on the core ASA be

nat (outside) 99 172.24.0.0 255.255.0.0 outside?

I receive these warnings on the ASA:

WARNING: Binding inside nat statement to outermost interface.

WARNING: Keyword "outside" is probably missing.

I already have a global (outside) 1 interface statement and I can't add another ("global for this range already exists").

Thanks.

No, you don't need the "outside" keyword at the end of the statement. Disregard the warning.

If you already have

global (outside) 1 interface

then just add:

nat (outside) 1 172.24.0.0 255.255.0.0
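The fix above comes down to three pieces that have to agree on the headend: the intra-interface permit, a nat (outside) entry for the remote subnet, and a global (outside) ... interface entry with the same pool ID. The following added script (not from this thread or from Cisco) audits a saved pre-8.3 ASA config for exactly those three pieces; the sample configs and the 10.0.0.0/8 inside network are constructed, and the remote subnet 172.24.0.0/16 is the one from the thread.

```python
"""Audit an ASA 8.2-style config for the VPN u-turn Internet access setup.
Added example, not part of the thread. Checks that, for a given remote subnet:
  - 'same-security-traffic permit intra-interface' is present
  - a 'nat (outside) <id> <net> <mask>' line covers the remote subnet
  - a 'global (outside) <id> interface' line shares that <id>
"""
import ipaddress
import re

NAT_RE = re.compile(r"^nat \((?P<if>[\w-]+)\) (?P<id>\d+) (?P<net>\S+) (?P<mask>\S+)")
GLOBAL_RE = re.compile(r"^global \((?P<if>[\w-]+)\) (?P<id>\d+) (?P<pool>.+)$")
INTRA = "same-security-traffic permit intra-interface"


def audit_uturn(config: str, remote_net: str) -> dict:
    """Return which of the three required pieces are present for remote_net."""
    remote = ipaddress.ip_network(remote_net, strict=False)
    lines = [ln.strip() for ln in config.splitlines()]
    nat_ids = set()  # pool IDs of nat (outside) entries that cover remote_net
    for line in lines:
        m = NAT_RE.match(line)
        if not m or m.group("if") != "outside":
            continue
        try:  # ipaddress accepts dotted netmask notation, e.g. 172.24.0.0/255.255.0.0
            covered = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
        except ValueError:
            continue
        if remote.subnet_of(covered):
            nat_ids.add(m.group("id"))
    global_ids = {m.group("id") for m in map(GLOBAL_RE.match, lines)
                  if m and m.group("if") == "outside" and m.group("pool").strip() == "interface"}
    return {
        "intra_interface": INTRA in lines,
        "nat_outside_covers_remote": bool(nat_ids),
        "global_outside_matches": bool(nat_ids & global_ids),  # same pool ID on both sides
    }


def uturn_ok(config: str, remote_net: str) -> bool:
    return all(audit_uturn(config, remote_net).values())


# Constructed sample: headend config with the thread's fix applied (pool ID 1 on both lines).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
nat (outside) 1 172.24.0.0 255.255.0.0
"""
# Constructed sample: no intra-interface permit, and pool ID 99 has no matching global.
BROKEN_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
nat (outside) 99 172.24.0.0 255.255.0.0
"""
```

Run audit_uturn() against a copy of "show running-config" after the change; a False in any field tells you which of the three pieces is still missing for that remote subnet.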

5 points for the first answer too.