Site-to-Site VPN - Can't ping remote subnet

Answered Question
Apr 13th, 2010
User Badges:

Hi all.

I have a site-to-site IPSEC VPN running between a 5510(HQ) and 5505(Remote). All is working on the tunnel. Crypto maps and ACLs are symmetrical. I see the tunnel is up for the required subnets. However I cannot ping from internal subnets inside 5510 to remote LAN inside 5505 and vice-versa. I have other VPN spokes to 5510 where I can ping inside x.x.x.x from remote LAN with success. Can figure out what I am missing. I can ping internet items but cannot ping HQ.


Any suggestions?


Also I am a now learning the ASAs so I am not an expert.  I do know that I am allowing ICMP from outside. Both my NONAT statement and crypto map are running off same object group that lists the HQ subnets.



Thanks in advance.

Correct Answer by Federico Coto F... about 7 years 1 month ago

The 5505 is missing the command:


management-access inside


Federico.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Federico Coto F... Tue, 04/13/2010 - 12:44
User Badges:
  • Green, 3000 points or more

Hi,


Enable on both sides access to the inside interface via VPN with the command:


management access-inside


Then, try to PING from the ASA to the other's ASA inside IP address, like this:


ping inside x.x.x.x


If it works, then check the internal subnet has a route pointing to the ASA for the interesting traffic.


Federico.

geotech333 Tue, 04/13/2010 - 12:50
User Badges:

Also to add....I can ping all 5510 inside subnets from clients on the 5505 LAN. Just cant from the 5505 itself via the ping inside x.x.x.x command.

I also can't ping the remote 5505 LAN from anywhere inside the 5510. 


Makes sense?

Correct Answer
Federico Coto F... Tue, 04/13/2010 - 12:55
User Badges:
  • Green, 3000 points or more

The 5505 is missing the command:


management-access inside


Federico.

geotech333 Tue, 04/13/2010 - 12:58
User Badges:

You the man Federico!


Thanks for the quick reply!

That worked!!!

Actions

This Discussion