10-22-2009 10:31 AM - edited 03-11-2019 09:29 AM
Dear ALL,
i am tying to ping a public ip address from a remote site router but the packet is being denied.Split tunneling is configured on the central site asa so the remote sites can have access to internet through the asa.Here is a copy of the asa the logs on the asa and the remote site router.Please Help.
10-22-2009 06:53 PM
Pls. provide us a topology like below and let us know what path these ICMP requests are supposed to take.
ASA(LAN)128.223.125.232----(128.223.125.230)Router
Which IP address are you trying to ping and from where?
The syslogs indicate that the replies from 128.223.125.230 are being dropped.
ICMP type 0 is reply.
Here is the link to the syslog
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4771116
Do you know when the requests are sent and when the replies come back?
Captures on the ASA's LAN interface would show this.
cap caplan int LAN match icmp any any
do the ping test
sh cap caplan
Try the following:
conf t
timeout icmp 0:0:4
10-23-2009 01:26 AM
Here is te topology
BranchRTR(inside)131.223.124.230---BranchRTR(outside)196.1.1.4---HQRTR(outside)196.1.1.1---HQRTR(inside)192.168.1.250---ASA(outside)192.168.1.232---ASA(LAN)128.223.125.232---ISA SERVER(128.223.125.111)---INTERNETMODEM
I am trying to ping 81.91.225.18(our isp dns) from the branch router outside interface.Are my access-lists and config OK for the branch to access the internet ?What is wrong ?
10-23-2009 09:43 AM
Hi,
1. your log there is no information about icmp packets with the addresses you said.
2. there is no routing for way back on the ASA_AA for your Transfernetwork 196.1.1.0/24 Youd need - route liaison_BLR 196.1.1.0 255.255.255.0 192.168.1.250 -
PS: traceroute is your friend
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide