Cisco ASA can't establish Site-to-Site VPN or ping outside, but servers inside (NAT'd) can?!

Hi,

I've got an issue where servers within an internal network connected to the ASA can access the internet (These are Dynamically NAT'd as expected).

However, when I try to ping from the ASA's outside interface to the internet, I can't - I also can't establish site-to-site VPN connectivity because of this also.

How on earth is it possible for a device on an inside network able to access the internet, but trying to directly from the interface it is NATing to, not functioning?

3 REPLIES

Cisco ASA can't establish Site-to-Site VPN or ping outside, but

Hello,

> from the ASA's outside interface to the internet, I can't -

Can you share the show run icmp output (make sure you are permitting that traffic on the outside)?

> I also can't establish site-to-site VPN connectivity because of this also.

Why do you say that? I mean, ICMP traffic not being allowed is different from UDP 500 or NAT-T.

> How on earth is it possible for a device on an inside network able to access the internet, but trying to directly from the interface it is NATing to, not functioning?

I would say because of the Deny ICMP rule.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Cisco ASA can't establish Site-to-Site VPN or ping outside, but

Hi Julio,

Ping works from CLI (icmp permit OUTSIDE) - however, pinging from Packet Tracer results in an issue with an ACL (implicit, despite there being an active any any ACL above this).

Again, the above ACL should be allowing the VPN to connect also?

Thanks,

Cisco ASA can't establish Site-to-Site VPN or ping outside, but

Hello,

Do not rely on packet-tracer for everything.

So what's not working is the VPN.

Can you share your config?

Rate all of the helpful posts!!!

Regards,

Jcarvaja
