Site-to-Site VPN - Can't ping remote subnet

Answered Question
Apr 13th, 2010

Hi all.

I have a site-to-site IPSEC VPN running between a 5510 (HQ) and a 5505 (Remote). All is working on the tunnel. Crypto maps and ACLs are symmetrical. I see the tunnel is up for the required subnets. However, I cannot ping from internal subnets inside the 5510 to the remote LAN inside the 5505 and vice versa. I have other VPN spokes to the 5510 where I can ping inside x.x.x.x from the remote LAN with success. Can't figure out what I am missing. I can ping internet items but cannot ping HQ.

Any suggestions?

Also, I am now learning the ASAs, so I am not an expert. I do know that I am allowing ICMP from outside. Both my NONAT statement and crypto map are running off the same object group that lists the HQ subnets.

Thanks in advance.

Correct Answer by Federico Coto F... about 6 years 10 months ago

The 5505 is missing the command:

management-access inside


Overall Rating: 5 (1 ratings)
Federico Coto F... Tue, 04/13/2010 - 12:44


Enable on both sides access to the inside interface via VPN with the command:

management-access inside

Then, try to PING from the ASA to the other's ASA inside IP address, like this:

ping inside x.x.x.x

If it works, then check the internal subnet has a route pointing to the ASA for the interesting traffic.


geotech333 Tue, 04/13/2010 - 12:50

Also to add... I can ping all 5510 inside subnets from clients on the 5505 LAN. Just can't from the 5505 itself via the ping inside x.x.x.x command.

I also can't ping the remote 5505 LAN from anywhere inside the 5510.

Makes sense?

