ICMP Problem

Answered Question
Jun 14th, 2010

Hi,

My topology is as below:

Host1------>FW1<-------------------->FW2------->Host 2

                                 Default Route

My FW1 and FW2 are connected back to back and both sites are already configured with a default route pointing to each other; however, I am unable to ping the FW2 inside interface IP address or the Host 2 IP. From Host 2 I also cannot ping the FW1 inside interface, or even Host 1.

The attachment is the configuration I configured, please help!

Thanks

-gilbert


On FW1 change:-

access-list outside_in extended permit ip any any - REMOVE THIS

access-list outside_in extended permit icmp any any  - REMOVE THIS
access-list outside_in extended permit icmp any any echo  - REMOVE THIS

access-list outside_in extended permit icmp any any echo-reply - KEEP THIS

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0 - DELETE

Put the below in:-

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

On FW2 change:-

access-list outside_in extended permit ip any any - REMOVE THIS

access-list outside_in extended permit icmp any any  - REMOVE THIS
access-list outside_in extended permit icmp any any echo  - REMOVE THIS

access-list outside_in extended permit icmp any any echo-reply - KEEP THIS


access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE

Add the below:-

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

Overall Rating: 5 (1 ratings)
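
The checks behind the answer above, as an added example that is not part of the original thread: it parses `access-list ... extended permit ip` lines, flags `permit ip any any` on `outside_in`, flags entries where a name such as `remote` stands in for a subnet, and verifies that each firewall's crypto ACL is mirrored on the peer and exempted in `inside_nat0_outbound`. The sample configs are constructed from the lines quoted in the answer, and the parser assumes only the `any` and `ADDR MASK` address forms seen there.

```python
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")

def _take(tokens):
    """Consume 'any' or 'ADDR MASK'; an ADDR that is not an IP is kept as a note."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    try:
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
    except ValueError:
        return f"unresolved name '{tokens[0]}'", tokens[2:]

def parse_acls(config):
    """Return {acl_name: [(src, dst), ...]} for 'extended permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, rest = _take(m.group(2).split())
            acls.setdefault(m.group(1), []).append((src, _take(rest)[0]))
    return acls

def audit(local_cfg, peer_cfg, crypto, peer_crypto,
          nat0="inside_nat0_outbound", outside="outside_in"):
    """List findings for one firewall, checked against its VPN peer's config."""
    local, peer = parse_acls(local_cfg), parse_acls(peer_cfg)
    findings = []
    if ("any", "any") in local.get(outside, []):
        findings.append(f"{outside}: permit ip any any is still present")
    for name in (crypto, nat0):
        for pair in local.get(name, []):
            findings += [f"{name}: {x}" for x in pair if str(x).startswith("unresolved")]
    mirrored = {(dst, src) for src, dst in peer.get(peer_crypto, [])}
    for src, dst in local.get(crypto, []):
        if (src, dst) not in mirrored:
            findings.append(f"{crypto}: {src} -> {dst} has no mirror on the peer")
        if (src, dst) not in local.get(nat0, []):
            findings.append(f"{crypto}: {src} -> {dst} is not exempted in {nat0}")
    return findings

# Constructed sample inputs, built from the entries quoted in the answer above.
FW1_BEFORE = """access-list outside_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0"""
FW1_FIXED = """access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0"""
FW2_FIXED = """access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0"""
```

Calling `audit(FW1_BEFORE, FW2_FIXED, "outside_1_cryptomap", "outside_1_cryptomap_1")` returns four findings, while the corrected pair returns an empty list in both directions.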
gilbertcsc Tue, 06/15/2010 - 09:20

Hi,

I already made the changes on the NAT part and I'm able to ping now; however, when I try to configure the site-to-site VPN through the wizard it doesn't work.

The attachment is the config file, thanks.

-gilbert
