Unable to RDP or Ping to Remote Site

Unanswered Question
Mar 23rd, 2010

Hi


We have two ASAs, one on Site A (ASA 5510) and one on Site B (ASA 5505).


I have a VPN Site to Site tunnel connecting both sites which is working away fine. Users on the remote site can access servers here on Site A.


My problem is that from Site A I am unable to ping any PCs on Site B or RDP to them. It is essential for our IT Helpdesk to be able to RDP to these machines.


Our internal network on Site A has a 10.255.0.0 255.255.0.0 range. And the remote network has a 192.168.1.0 255.255.255.0 range.


I will upload both configs and maybe someone can shed some light as to why I can't ping or RDP to the remote machines.


Thanks

Jennifer Halim (Cisco Employee) Tue, 03/23/2010 - 04:52

On site B, please remove the following line:


nat (outside) 0 access-list outside_nat0_outbound


And perform "clear xlate" after removing the above.


On site B, please also add the following:

policy-map global_policy
 class inspection_default
  inspect icmp


Hope that helps.
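
As an added example (not from the thread, either poster, or any Cisco tooling): a small Python audit that parses an ASA 8.x-style running-config for the two conditions raised in this reply, an identity-NAT exemption on the outside interface (nat (outside) 0 access-list ...) and the absence of inspect icmp under policy-map global_policy / class inspection_default, and emits the corrected text. The sample config is constructed; its interface, ACL, policy-map and class names are taken from the ones quoted in the thread, while the poster's real configs were attachments not reproduced on the page. The parser assumes ASA's convention that nested statements are indented under their parent.

```python
"""Audit an ASA-style running-config for the two items recommended in the thread."""
import re
from typing import Dict, List

# Constructed "Site B" config fragment (not the poster's actual attachment).
SAMPLE_SITE_B_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect h323 h225
!
service-policy global_policy global
"""

# Matches identity-NAT exemption lines: nat (<interface>) 0 access-list <acl>
NAT0_RE = re.compile(r"^nat \((?P<ifc>[^)]+)\) 0 access-list (?P<acl>\S+)\s*$")


def nat0_exemptions(config: str) -> Dict[str, str]:
    """Map interface name -> ACL name for every 'nat (ifc) 0 access-list' line."""
    found: Dict[str, str] = {}
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            found[m.group("ifc")] = m.group("acl")
    return found


def inspections_in_class(config: str, policy_map: str, class_name: str) -> List[str]:
    """Return the protocols listed as 'inspect <proto>' under policy_map / class_name."""
    protocols: List[str] = []
    in_policy = in_class = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # any top-level statement closes open blocks
            in_policy = line == f"policy-map {policy_map}"
            in_class = False
            continue
        if in_policy and line.strip() == f"class {class_name}":
            in_class = True
            continue
        if in_policy and line.startswith(" class "):
            in_class = False                     # a different class inside the same policy-map
            continue
        if in_class and line.strip().startswith("inspect "):
            protocols.append(line.strip().split()[1])
    return protocols


def audit_site_b(config: str) -> List[str]:
    """Findings corresponding to the two changes recommended in the reply above."""
    findings: List[str] = []
    nat0 = nat0_exemptions(config)
    if "outside" in nat0:
        findings.append(
            f"remove 'nat (outside) 0 access-list {nat0['outside']}' then 'clear xlate'")
    if "icmp" not in inspections_in_class(config, "global_policy", "inspection_default"):
        findings.append(
            "add 'inspect icmp' under policy-map global_policy / class inspection_default")
    return findings


def apply_recommendations(config: str) -> str:
    """Return the config with the outside nat 0 line dropped and inspect icmp added."""
    need_icmp = "icmp" not in inspections_in_class(config, "global_policy", "inspection_default")
    out: List[str] = []
    in_policy = False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_policy = line == "policy-map global_policy"
        m = NAT0_RE.match(line.strip())
        if m and m.group("ifc") == "outside":
            continue                             # equivalent of 'no nat (outside) 0 access-list ...'
        out.append(line)
        if need_icmp and in_policy and line.strip() == "class inspection_default":
            out.append("  inspect icmp")         # nested under the class, ASA indentation style
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_site_b(SAMPLE_SITE_B_CONFIG):
        print("FINDING:", finding)
    print(apply_recommendations(SAMPLE_SITE_B_CONFIG))
```

Running the audit on the sample reports both findings; running it again on the output of apply_recommendations reports none, which is the state this reply is asking for.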

drikilbride Tue, 03/23/2010 - 05:06

When I say

no nat (outside) 0 access-list outside_nat0_outbound

I get the following error:


ERROR: access-list outside_nat0_outbound not bound nat 0


Any ideas?

Jennifer Halim (Cisco Employee) Tue, 03/23/2010 - 05:10

Strange, because that statement is in your configuration on site B.


What does the output of "sh run nat" show you?


If it's not showing that particular line, try "clear xlate" and see if you can RDP or ping to site B.


You might also want to check if "Windows Firewall" or another PC firewall is turned on, because sometimes they block incoming pings/connections.


Are you able to ping 192.168.1.1 from site A?

drikilbride Tue, 03/23/2010 - 05:16

This is what I have when I run sh nat:

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0


Actually, when I ping 192.168.1.1 I do get replies; I hadn't tried that until now.


If I try to ping a PC called sph-comp-164, IP 192.168.1.21, on Site B I get Request Timed Out.


All PCs on that end have firewalls disabled.


Thanks!

Jennifer Halim (Cisco Employee) Tue, 03/23/2010 - 05:18

Have you added this on site B:


policy-map global_policy
 class inspection_default
  inspect icmp

drikilbride Tue, 03/23/2010 - 05:23

On Site B I can enter the first two lines, but the third throws up the following error. Am I doing something wrong?

Attachment: 
Jennifer Halim (Cisco Employee) Tue, 03/23/2010 - 05:29

If you are on ASDM, please enable it through the following:

Configuration --> Firewall --> Service Policy Rules --> highlight and edit the "inspection_default" rule --> go to "Rule Actions" tab --> enable "ICMP" --> OK --> Apply

drikilbride Tue, 03/23/2010 - 05:39

Okay, I did that; still unable to ping 192.168.1.21.


Here is what I can see through the logs. 10.255.251.82 is my PC. Not sure why the 62.77.180.162 address is appearing there.

Attachment: 
Jennifer Halim (Cisco Employee) Tue, 03/23/2010 - 05:46

What does the IP address 62.77.180.162 belong to?


Does 192.168.1.21 actually respond to ping?


If you go to command line, and run "debug icmp trace" and ping, what are you seeing?


Also, can you please run "sh run all sysopt" and share the output.

drikilbride Tue, 03/23/2010 - 06:26

That IP address belongs to an external email hosting company that we use, and they come through the ASA on Site A. I blanked that out of Site A's config. Just not sure why it is appearing on Site B's ASA.


When I ping 192.168.1.21 I simply get request timed out.


Here is the result from sysopt.


Unfortunately the ASDM won't allow me to run debug commands from it.

Attachment: 
Jennifer Halim (Cisco Employee) Tue, 03/23/2010 - 14:35

As far as the configuration on Site B is concerned, it seems to be correct.


You might want to try pinging other IP addresses in the 192.168.1.x subnet. If you can ping the ASA inside interface 192.168.1.1, that means the crypto configuration is correct and the ping actually does come from Site A towards Site B.


Seems to be something local to your LAN subnet.


If you have a switch with an SVI on the 192.168.1.x subnet, try to ping that and see if it works. Normally a network device like a switch or router replies to ping if no access-list is blocking it.