ICMP Problem

Answered Question
Jun 14th, 2010

Hi,

My topology is as below:

Host1------>FW1<-------------------->FW2------->Host 2

                                 Default Route

My FW1 and FW2 are connected back to back, and both sides already have a default route configured pointing at each other; however, I am unable to ping the FW2 inside interface IP address or the Host 2 IP, and from Host 2, pinging the FW1 inside interface and even Host 1 also fails.

The attachment is the configuration I configured. Please help!

Thanks

-gilbert


andrew.prince@m... Tue, 06/15/2010 - 05:17

FW2 has an incorrect ACL - you are not allowing ICMP echo-reply back in, or ICMP echo in, on the outside interface.

You are also missing NAT config on both devices.

HTH

gilbertcsc Tue, 06/15/2010 - 09:20

Hi,

I already made the changes on the NAT part and I'm able to ping now; however, when I try to configure a site-to-site VPN through the wizard it doesn't work.

The attachment is the config file, thanks.

-gilbert
Correct Answer
andrew.prince@m... Tue, 06/15/2010 - 10:38

On FW1 change:

access-list outside_in extended permit ip any any - REMOVE THIS
access-list outside_in extended permit icmp any any - REMOVE THIS
access-list outside_in extended permit icmp any any echo - REMOVE THIS
access-list outside_in extended permit icmp any any echo-reply - KEEP THIS

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0 - DELETE

Put the below in:

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

On FW2 change:

access-list outside_in extended permit ip any any - REMOVE THIS
access-list outside_in extended permit icmp any any - REMOVE THIS
access-list outside_in extended permit icmp any any echo - REMOVE THIS
access-list outside_in extended permit icmp any any echo-reply - KEEP THIS

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE

Add the below:

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
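The answer above boils down to three checks a reviewer would run against both firewalls before touching the VPN wizard again: no `permit ip any any` (or unrestricted ICMP) inbound on the outside ACL, a literal peer subnet rather than an unresolved name in the crypto-map and nat0 ACLs, and crypto-map / nat0 ACLs that are exact mirror images on the two peers. The script below is an added example, not code from the thread or from Cisco: it parses a subset of the ASA `access-list ... extended` syntax (`any`, `host`, `NET MASK`, or a name; no object-groups or port operators) and reports those three problems. The sample configs are constructed from the lines quoted in the thread; `FW2_TYPO` is an invented wrong-peer variant used only to show the mirror check catching a mismatch.

```python
"""Lint Cisco ASA ACL snippets for the three mistakes discussed in the thread.

Added example; parses a subset of 'access-list NAME extended {permit|deny}
PROTO SRC DST [ICMP-TYPE]'. All config text below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: str                 # "any", "192.168.2.0/24", "10.0.0.1/32" or "name:<token>"
    dst: str
    icmp_type: Optional[str]


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one ASA address specifier at tokens[i]; return (normalised spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/32", i + 2
    net, mask = tokens[i], tokens[i + 1]
    if not _is_ipv4(net):
        # ASA allows a 'name' alias here; we cannot resolve it offline, so flag it for review
        return f"name:{net}", i + 2
    return str(ipaddress.IPv4Network(f"{net}/{mask}", strict=False)), i + 2


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _take_addr(tokens, 5)
    dst, i = _take_addr(tokens, i)
    icmp_type = tokens[i] if i < len(tokens) else None
    return Ace(tokens[1], tokens[3], tokens[4], src, dst, icmp_type)


def parse_config(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip().startswith("access-list")]


def by_acl(aces: List[Ace], name: str) -> List[Ace]:
    return [a for a in aces if a.acl == name]


def lint(aces: List[Ace], outside_acl: str = "outside_in") -> List[str]:
    """Per-firewall findings: wide-open outside ACL entries and unresolved names in any ACL."""
    findings = []
    for a in aces:
        wide_open = a.action == "permit" and a.src == "any" and a.dst == "any"
        if a.acl == outside_acl and wide_open:
            if a.proto == "ip":
                findings.append(f"{a.acl}: 'permit ip any any' inbound on outside bypasses the firewall")
            elif a.proto == "icmp" and a.icmp_type != "echo-reply":
                findings.append(f"{a.acl}: inbound icmp {a.icmp_type or 'any type'} from any; keep echo-reply only")
        for spec in (a.src, a.dst):
            if spec.startswith("name:"):
                findings.append(f"{a.acl}: '{spec[5:]}' is a name, not a literal subnet; check it resolves to the peer LAN")
    return findings


def mirror_mismatch(local: List[Ace], peer: List[Ace]) -> List[Tuple[str, str]]:
    """(src, dst) pairs on either side whose mirror image (dst, src) is missing on the other.

    Crypto-map ACLs must mirror exactly or phase 2 fails on the proxy identities;
    nat0 ACLs must mirror or one direction of the tunnel traffic gets NATed.
    """
    local_pairs = {(a.src, a.dst) for a in local if a.action == "permit"}
    peer_pairs = {(a.dst, a.src) for a in peer if a.action == "permit"}
    return sorted(local_pairs ^ peer_pairs)


# Constructed samples: FW1 as posted (before), FW1 and FW2 as corrected in the answer.
FW1_BEFORE = """
access-list outside_in extended permit ip any any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo
access-list outside_in extended permit icmp any any echo-reply
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0
"""
FW1_AFTER = """
access-list outside_in extended permit icmp any any echo-reply
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
FW2_AFTER = """
access-list outside_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
# Invented variant (not from the thread): a typo in FW2's crypto ACL the mirror check should catch.
FW2_TYPO = FW2_AFTER.replace("255.255.255.0 192.168.2.0 255.255.255.0\n\"\"\"", "")  # placeholder, replaced below
FW2_TYPO = FW2_AFTER.replace("outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0",
                             "outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0")

if __name__ == "__main__":
    for label, cfg in (("FW1 before", FW1_BEFORE), ("FW1 after", FW1_AFTER), ("FW2 after", FW2_AFTER)):
        print(label, lint(parse_config(cfg)) or "clean")
    fw1, fw2 = parse_config(FW1_AFTER), parse_config(FW2_TYPO)
    print("crypto mismatch:", mirror_mismatch(by_acl(fw1, "outside_1_cryptomap"),
                                              by_acl(fw2, "outside_1_cryptomap_1")))
```

Run it against the two `show running-config access-list` outputs (one file per firewall) and fix every finding before re-running the VPN wizard; an empty list from `mirror_mismatch` for both the crypto-map ACL pair and the nat0 pair is the state the answer above is driving at.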
