06-14-2010 11:26 PM - edited 03-11-2019 10:59 AM
Hi,
My topology is as below:
Host1------>FW1<-------------------->FW2------->Host 2
Default Route
My FW1 and FW2 are connected back to back, and both sites already have a default route configured pointing at each other; however, I am unable to ping the FW2 inside interface IP address and the Host 2 IP, and from Host 2, pinging the FW1 inside interface also fails, and even Host 1.
The attachment is the configuration I configured, please help!!!!
Thanks
-gilbert
06-15-2010 10:38 AM
On FW1 change:-
access-list outside_in extended permit ip any any - REMOVE THIS
access-list outside_in extended permit icmp any any - REMOVE THIS
access-list outside_in extended permit icmp any any echo - REMOVE THIS
access-list outside_in extended permit icmp any any echo-reply - KEEP THIS
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0 - DELETE
Put the below in:-
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
On FW2 change:-
access-list outside_in extended permit ip any any - REMOVE THIS
access-list outside_in extended permit icmp any any - REMOVE THIS
access-list outside_in extended permit icmp any any echo - REMOVE THIS
access-list outside_in extended permit icmp any any echo-reply - KEEP THIS
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
Add the below:-
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
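As an added example (not from the thread or its attachment), a short Python audit that checks a pair of ASA access-list dumps for the three problems the answer fixes: a literal "remote" placeholder where the peer network belongs, permits on outside_in broader than the echo-reply that is needed, and crypto-map/nat0 ACLs that are not the mirror image of the peer's. The ACL names and networks are the ones in the answer; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed samples (not the thread's attachment): FW1/FW2 after the fix, and FW1 before it.
FW1_ACL = """
access-list outside_in extended permit icmp any any echo-reply
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
FW2_ACL = """
access-list outside_in extended permit icmp any any echo-reply
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
FW1_BROKEN = """
access-list outside_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0
"""
ACE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")

def parse_acls(text):
    """Map ACL name -> list of (action, protocol, remaining tokens) from ASA access-list lines."""
    acls = defaultdict(list)
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4).split()))
    return dict(acls)

def endpoints(tokens):
    """(src, dst) of an ACE; each is 'any' or 'network mask'. Trailing ICMP types are ignored."""
    out, i = [], 0
    while len(out) < 2:
        step = 1 if tokens[i] == "any" else 2
        out.append(" ".join(tokens[i:i + step])); i += step
    return tuple(out)

def audit(local, peer, crypto_acl, peer_crypto_acl):
    """Audit one ASA against its VPN peer; returns a list of findings (empty means the checks pass)."""
    findings = []
    for name, aces in local.items():                      # 1. unresolved 'remote' placeholder
        if any("remote" in t for _, _, t in aces):
            findings.append(f"{name}: 'remote' is a placeholder, not the peer network")
    for action, proto, t in local.get("outside_in", []):  # 2. inbound permits broader than echo-reply
        if action == "permit" and endpoints(t) == ("any", "any") and t[-1] != "echo-reply":
            findings.append(f"outside_in: permit {proto} {' '.join(t)} is broader than needed")
    mine = {endpoints(t) for _, _, t in local.get(crypto_acl, [])}  # 3. crypto ACLs must mirror
    theirs = {endpoints(t)[::-1] for _, _, t in peer.get(peer_crypto_acl, [])}
    if mine != theirs:
        findings.append(f"{crypto_acl} is not the mirror image of peer {peer_crypto_acl}")
    if not mine <= {endpoints(t) for _, _, t in local.get("inside_nat0_outbound", [])}:  # 4. nat0
        findings.append("inside_nat0_outbound does not exempt the VPN traffic from NAT")
    return findings
```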
06-15-2010 05:17 AM
FW2 has an incorrect ACL - you are not allowing ICMP echo-reply back or ICMP echo in the outside interface.
You are also missing NAT config on both devices.
HTH
06-15-2010 09:20 AM
06-16-2010 12:31 AM
Hi,
Thanks a lot, I got it!!!!
-gilbert
06-16-2010 01:33 AM
sure np - glad to help!