Cisco Support Community

New Member

Can ping inside IP of ASA over IPSec VPN

Hello,

I have a site to site VPN configured between 2 ASAs on 9.1.3.  Everything is working apart from 1.  We have a management server that we use to SSH and poll devices, this server can't ping the inside of the ASA over the VPN, but can ping others I have configured, I must be missing a step.  This server can ping devices on the inside LAN there though.  I'm not sure if it is a NAT as the ACLs look ok:

access-list outside_cryptomap extended permit ip object internal-10.103.10.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip 10.103.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_access_in extended permit icmp 10.103.10.0 255.255.255.0 any
object network Corp-Servers1
 subnet 10.100.1.0 255.255.255.0
object network Corp-NPM
 subnet 172.23.1.0 255.255.255.0
object network internal-10.103.10.0
 subnet 10.103.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object Corp-NPM
 network-object object Corp--Servers
object-group network DM_INLINE_NETWORK_2
 network-object object Corp-NPM
 network-object object Corp-Servers
nat (inside,any) source static internal-10.103.10.0 internal-10.103.10.0 destination static Corp-Servers Corp-2-Servers no-proxy-arp
!
object network obj_any
 nat (inside,outside) dynamic interface

The inside IP is 10.103.10.1 and the remote server is 10.100.1.35.

interface Vlan10
 nameif inside
 security-level 100
 ip address 10.103.10.1 255.255.255.0
!
management-access inside
ssh 10.100.1.35 255.255.255.255 inside

Currently I am using SSH to its outside interface, plus the ASDM works.

Any ideas?

1 REPLY
Super Bronze

Hi,

Are you also NATing the destination?

It seems the destination "objects" used are different, and you don't mention what "Corp-2-Servers" contains.

If you had a basic NAT0 / Identity NAT configuration you could add "route-lookup" at the end. This usually helps with the problem of connecting to an internal interface through a VPN connection.

- Jouni
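As an added illustration of the identity NAT Jouni describes (this is example configuration, not part of the original thread or the poster's ASA), the rule rewritten with the objects the poster actually defined and with route-lookup, followed by the CLI checks used to confirm which NAT rule a decrypted packet hits. It assumes the VPN terminates on the interface named "outside" and that the intended remote networks are Corp-Servers1 and Corp-NPM; the group name Corp-Remote-Networks is made up for the example.

```text
! Added example: identity (NAT0) rule using the poster's own object names.
! route-lookup makes the ASA choose the egress interface from the routing
! table instead of from the NAT rule, which is what Jouni recommends when
! the target is the ASA's own inside interface reached through the tunnel.
! Assumption: the VPN terminates on the interface called "outside".
object-group network Corp-Remote-Networks
 network-object object Corp-Servers1
 network-object object Corp-NPM
!
nat (inside,outside) source static internal-10.103.10.0 internal-10.103.10.0 destination static Corp-Remote-Networks Corp-Remote-Networks no-proxy-arp route-lookup
!
! Required so that traffic arriving over the VPN may reach the inside
! interface address (10.103.10.1); both lines are already in the poster's config.
management-access inside
ssh 10.100.1.35 255.255.255.255 inside
!
! Verification from the ASA CLI: simulate the management server's ICMP echo
! (type 8, code 0) entering on outside after decryption and read each phase
! (NAT, VPN, ACCESS-LIST) of the output for ALLOW or DROP.
packet-tracer input outside icmp 10.100.1.35 8 0 10.103.10.1
!
! Confirm the identity rule is matched (translate_hits / untranslate_hits).
show nat
```

If packet-tracer still reports a drop in the NAT phase, the rule order or the destination object is the next thing to compare against the remote side's crypto ACL.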
