Site-to-Site VPN - Can't ping remote subnet

Answered Question
Apr 13th, 2010

Hi all.

I have a site-to-site IPSEC VPN running between a 5510(HQ) and 5505(Remote). All is working on the tunnel. Crypto maps and ACLs are symmetrical. I see the tunnel is up for the required subnets. However I cannot ping from internal subnets inside 5510 to remote LAN inside 5505 and vice-versa. I have other VPN spokes to 5510 where I can ping inside x.x.x.x from remote LAN with success. Can figure out what I am missing. I can ping internet items but cannot ping HQ.

Any suggestions?

Also I am a now learning the ASAs so I am not an expert.  I do know that I am allowing ICMP from outside. Both my NONAT statement and crypto map are running off same object group that lists the HQ subnets.

Thanks in advance.

I have this problem too.
0 votes
Correct Answer by Federico Coto F... about 6 years 7 months ago

The 5505 is missing the command:

management-access inside


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Federico Coto F... Tue, 04/13/2010 - 12:44


Enable on both sides access to the inside interface via VPN with the command:

management access-inside

Then, try to PING from the ASA to the other's ASA inside IP address, like this:

ping inside x.x.x.x

If it works, then check the internal subnet has a route pointing to the ASA for the interesting traffic.


geotech333 Tue, 04/13/2010 - 12:50

Also to add....I can ping all 5510 inside subnets from clients on the 5505 LAN. Just cant from the 5505 itself via the ping inside x.x.x.x command.

I also can't ping the remote 5505 LAN from anywhere inside the 5510. 

Makes sense?


This Discussion