
Site-to-Site VPN - Can't ping remote subnet

geotech333
Level 1

Hi all.

I have a site-to-site IPsec VPN running between a 5510 (HQ) and a 5505 (Remote). All is working on the tunnel. Crypto maps and ACLs are symmetrical. I see the tunnel is up for the required subnets. However, I cannot ping from internal subnets inside the 5510 to the remote LAN inside the 5505 and vice versa. I have other VPN spokes to the 5510 where I can ping inside x.x.x.x from the remote LAN with success. Can't figure out what I am missing. I can ping internet items but cannot ping HQ.

Any suggestions?

Also, I am now learning the ASAs, so I am not an expert. I do know that I am allowing ICMP from outside. Both my NONAT statement and crypto map are running off the same object group that lists the HQ subnets.

Thanks in advance.

Accepted Solutions

The 5505 is missing the command:

management-access inside

Federico.

4 Replies

Hi,

Enable on both sides access to the inside interface via VPN with the command:

management-access inside

Then, try to PING from the ASA to the other ASA's inside IP address, like this:

ping inside x.x.x.x

If it works, then check the internal subnet has a route pointing to the ASA for the interesting traffic.

Federico.
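
The steps in the reply above as one ASA configuration sequence, with the management services scoped to a single admin subnet, since management-access inside also lets SSH and ASDM reach the inside interface across the tunnel. This is an added example, not part of the original thread; every address in it is a documentation placeholder, not a value from the posters' networks.

```cisco
! Added example. All addresses are placeholders (assumptions):
!   192.0.2.0/24  = admin subnet allowed to manage this ASA
!   198.51.100.1  = inside IP address of the other ASA
!   203.0.113.10  = outside (peer) IP address of the other ASA
configure terminal
!
! Let traffic arriving over the VPN tunnel reach this ASA's own inside
! interface. Only one interface can be the management-access interface.
management-access inside
!
! With the line above, SSH and ASDM to the inside address also work over
! the tunnel, so limit the permitted sources to the admin subnet
! instead of a whole remote LAN.
ssh 192.0.2.0 255.255.255.0 inside
http 192.0.2.0 255.255.255.0 inside
!
end
!
! Verify: the command is present, the ASA-to-ASA ping works when sourced
! from the inside interface, and the IPsec SA counters increase.
show running-config management-access
ping inside 198.51.100.1
show crypto ipsec sa peer 203.0.113.10
```

If the ping succeeds but hosts behind the ASA still cannot reach the other site, the remaining check is the one from the reply: the internal subnet needs a route pointing to the ASA for the interesting traffic.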

geotech333
Level 1

Also to add... I can ping all 5510 inside subnets from clients on the 5505 LAN. Just can't from the 5505 itself via the ping inside x.x.x.x command.

I also can't ping the remote 5505 LAN from anywhere inside the 5510.

Makes sense?

The 5505 is missing the command:

management-access inside

Federico.

You the man Federico!

Thanks for the quick reply!

That worked!!!