619 Views · 0 Helpful · 5 Replies

ICMP Problem

gilbertcsc
Level 1

Hi,

My topology is as below:

Host1------>FW1<-------------------->FW2------->Host 2

                                 Default Route

My FW1 and FW2 are connected back to back, and both sites already have a default route configured pointing to each other. However, I am unable to ping the FW2 inside interface IP address or the Host 2 IP, and from Host 2 I cannot ping the FW1 inside interface or even Host 1.

The attachment is the configuration I configured. Please help!!!!

Thanks

-gilbert

Accepted Solution

On FW1 change:-

access-list outside_in extended permit ip any any - REMOVE THIS

access-list outside_in extended permit icmp any any  - REMOVE THIS
access-list outside_in extended permit icmp any any echo  - REMOVE THIS

access-list outside_in extended permit icmp any any echo-reply - KEEP THIS

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0 - DELETE

Put the below in:-

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

On FW2 change:-

access-list outside_in extended permit ip any any - REMOVE THIS

access-list outside_in extended permit icmp any any  - REMOVE THIS
access-list outside_in extended permit icmp any any echo  - REMOVE THIS

access-list outside_in extended permit icmp any any echo-reply - KEEP THIS


access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE

Add the below:-

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

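The accepted answer above and the first reply further down both point at the same two defects: an outside ACL that admits far more than the `echo-reply` needed for pings originated inside, and crypto-map / NAT-exemption ACLs whose destination is the literal word `remote` instead of the peer LAN. The small linter below is an added example, not code from this thread or from Cisco, that parses ASA-style `access-list ... extended` lines and reports those conditions; it also checks that every source/destination pair in a crypto-map ACL has a mirrored entry in the nat0 ACL, which is the reason the accepted answer adds the same pair to both lists. The ACL naming it keys on (`outside_in`, names containing `cryptomap` or `nat0`) is taken from the configs quoted in this thread and is an assumption for any other box; the two sample configs are constructed from the FW1 lines quoted above, one before and one after the accepted changes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the FW1 lines quoted in this thread, before the fix.
SAMPLE_FW1 = """\
access-list outside_in extended permit ip any any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo
access-list outside_in extended permit icmp any any echo-reply
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0
"""

# Constructed sample: FW1 after applying the accepted changes.
FIXED_FW1 = """\
access-list outside_in extended permit icmp any any echo-reply
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
"""

# An explicit network operand after parsing looks like "NETWORK/MASK" in dotted-quad form.
_NET_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}/(\d{1,3}\.){3}\d{1,3}$")


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str                # "any" or "NETWORK/MASK" (hosts become ADDR/255.255.255.255)
    dst: str
    option: Optional[str]   # trailing ICMP type keyword, if present


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address operand (any | host ADDR | NETWORK MASK) from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/255.255.255.255", tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [OPTION]' line, or None."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    try:
        src, rest = _take_addr(t[5:])
        dst, rest = _take_addr(rest)
    except IndexError:          # truncated operand, e.g. a network with no mask
        return None
    return Ace(t[1], t[3], t[4], src, dst, rest[0] if rest else None)


def audit(config_text: str, inbound_acl: str = "outside_in") -> List[Tuple[str, str, str]]:
    """Return (code, acl_name, message) findings for the permit entries in config_text."""
    aces = [a for a in map(parse_ace, config_text.splitlines()) if a and a.action == "permit"]
    findings: List[Tuple[str, str, str]] = []
    for a in aces:
        if a.acl == inbound_acl:
            if a.proto == "ip" and a.src == "any" and a.dst == "any":
                findings.append(("OPEN-INBOUND", a.acl,
                                 "permit ip any any admits all traffic arriving on the outside interface"))
            elif a.proto == "icmp" and a.option != "echo-reply":
                kind = a.option or "any ICMP type"
                findings.append(("ICMP-INBOUND", a.acl,
                                 f"permits inbound {kind}; only echo-reply is needed for replies to pings sent from inside"))
        if "cryptomap" in a.acl or "nat0" in a.acl:
            if not _NET_RE.match(a.dst):
                findings.append(("VPN-DST", a.acl,
                                 f"destination {a.dst!r} is not an explicit network; the peer LAN is expected here"))
    # The NAT-exemption list must mirror the crypto-map list, or VPN-bound traffic gets translated.
    crypto = {(a.src, a.dst) for a in aces if "cryptomap" in a.acl}
    nat0 = {(a.src, a.dst) for a in aces if "nat0" in a.acl}
    for src, dst in sorted(crypto - nat0):
        findings.append(("NAT0-MISSING", "-",
                         f"{src} -> {dst} is in the crypto ACL but has no NAT exemption"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_FW1), ("after", FIXED_FW1)):
        print(f"== FW1 {label} ==")
        for code, acl, msg in audit(cfg) or [("OK", "-", "no findings")]:
            print(f"{code:13} {acl:22} {msg}")
```

Run against the "before" config it reports the open `ip any any`, the two ICMP entries broader than `echo-reply`, and the `remote` destination on both the crypto-map and nat0 lists; the "after" config is clean. It only reads the lines you paste in, so it is a quick sanity check on a `show running-config access-list` dump before changing anything on the box.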

5 Replies

andrew.prince
Level 10

FW2 has an incorrect ACL - you are not allowing ICMP echo-reply back or ICMP echo in the outside interface.

You are also missing NAT config on both devices.

HTH

Hi,

I already made changes on the NAT part, and I'm able to ping now. However, when I try to configure the site-to-site VPN through the wizard, it doesn't work.

The attachment is the config file. Thanks

-gilbert


Hi,

Thanks a lot, I got it!!!!

-gilbert

Sure, np - glad to help!
