New Member

ASA site-to-site VPN

Hi all,

Friends, I configured a site-to-site VPN between ASAs... one side is a 5505 and the other a 5510... The VPN is active and works OK, but the inside hosts behind the 5505 cannot access the Internet and cannot ping either the outside interface IP or public outside IPs. The static route on outside is correctly configured, and ICMP is permitted (icmp permit any inside, icmp permit any outside).

Any advice ... ???

Need your help ... :)))

6 REPLIES
New Member

Re: ASA site-to-site VPN

Hi,

It seems like all of the traffic has been "VPN".

Please check that the ACL for interesting traffic is not "any any".

Regards

New Member

Re: ASA site-to-site VPN

On the 5505 side, the inside interface ACL is permit (source - any, destination - any less secure networks)

and the outside interface ACL is deny (source - any, destination - any), the implicit rule ...

I am configuring it with ASDM ... :)

Why can't I ping my ASA's outside interface IP? I configured ICMP with "permit any inside, icmp permit any outside" .... ?

I think that I have to open (with an ACL) the IP, TCP, and UDP protocols from inside to outside to have access to the Internet and ping...

Am I right ... ?

P.S. It's my first time practising with an ASA... and that's why I look so lame...

Please, I need your advice ... :)))

Many thanks in advance :)))

Regards

New Member

Re: ASA site-to-site VPN

Any Idea ???

New Member

Re: ASA site-to-site VPN

Please check that you only permit VPN traffic for no-NAT. If you have "any any" in the access list, all your traffic is going without NAT. Please modify the access list to allow only VPN traffic for no-NAT and all the rest for NAT, so that you can browse the Internet.

You can't ping the outside interface of the firewall from inside. Do the ICMP inspect in the policy map and define inspect icmp there.

New Member

Re: ASA site-to-site VPN

(NAT config) It is exempt (NAT): source - inside network 10.7.7.0/24, destination - network 10.1.1.0/24. It means that only VPN connection traffic is permitted for NAT.. I'm going to configure PAT for the inside hosts on the outside interface, to have access to the public resources (is this the right solution ???). Besides the NAT, should I configure an ACL to permit the IP protocol (to give the inside hosts access to outside) ... ?

P.S. I'm configuring ASA's FW with ASDM.

wasiimcisco,

It was very kind of you... Thank you.

Regards, Batumi3
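
As an added example (not part of the thread and not a Cisco tool), this Python script audits an ASA configuration for the three points raised in the replies above: a NAT-exemption ACL that matches more than the VPN traffic, missing PAT for the remaining traffic, and missing ICMP inspection. It assumes pre-8.3 NAT syntax (`nat`/`global` statements); the ACL name `NONAT` and both sample configurations are constructed, using the networks quoted in the post.

```python
import re

# Constructed samples. Assumption: pre-8.3 ASA NAT syntax; ACL name NONAT is hypothetical.
BROKEN = """\
access-list NONAT extended permit ip any any
nat (inside) 0 access-list NONAT
policy-map global_policy
 class inspection_default
  inspect ftp
"""
FIXED = """\
access-list NONAT extended permit ip 10.7.7.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
policy-map global_policy
 class inspection_default
  inspect icmp
"""

def audit(config):
    """Return findings for the NAT-exemption, PAT and ICMP points from the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # ACLs bound to NAT exemption: nat (<interface>) 0 access-list <name>
    exempt = {m.group(1) for l in lines
              if (m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", l))}
    for l in lines:
        m = re.match(r"access-list (\S+) extended permit ip (.+)$", l)
        # Destination "any" exempts Internet-bound traffic from NAT as well.
        if m and m.group(1) in exempt and m.group(2).split()[-1] == "any":
            findings.append("nat-exempt-too-broad: " + l)
    # PAT needs a dynamic nat rule (id >= 1) and a global statement with the same id.
    nat_ids = {m.group(1) for l in lines
               if (m := re.match(r"nat \(\S+\) ([1-9]\d*) ", l))}
    global_ids = {m.group(1) for l in lines
                  if (m := re.match(r"global \(\S+\) (\d+) ", l))}
    if not nat_ids & global_ids:
        findings.append("no-pat-for-internet-traffic")
    # Without ICMP inspection, echo replies are not tracked as part of a session.
    if "inspect icmp" not in lines:
        findings.append("icmp-inspection-missing")
    return findings

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit(cfg) or "ok")
```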

New Member

Re: ASA site-to-site VPN

Sorry for my poor English.... What I wrote is not pretty clear for you ... ?!

Hope somebody will reply to me :)))