Solved: Site-to-site VPN between ASA 8.2's, cannot ping

JonCommins · ‎12-06-2013

Two 8.2 ASA's are set up with a site-to-site VPN tunnel between them, as can be seen in the diagram:

Clients on the inside network of either ASA cannot ping clients on the inside network of the other ASA. Why not?

When pinging from the inside network of SALMONARM to the inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

...

Each ping attempt responds with "Request timed out" on the pinging computer.

Why can't clients ping each other over the VPN tunnel?

mvsheik123 · ‎12-06-2013

Hi,

Create a NAT0 ACL on both ends.

ex: access-list NONAT extended permit ip 10.30.0.0 255.255.0.0 10.45.0.0 255.255.0.0

nat (inside) 0 access-list NONAT

Thx

MS

Edit: Initially , I mentioned ACL #, it may not work.

mvsheik123 · ‎12-06-2013

Hi,

Create a NAT0 ACL on both ends.

ex: access-list NONAT extended permit ip 10.30.0.0 255.255.0.0 10.45.0.0 255.255.0.0

nat (inside) 0 access-list NONAT

Thx

MS

Edit: Initially , I mentioned ACL #, it may not work.

JonCommins · ‎12-06-2013

That did it. Thanks!!