New Member

ICMP Problem

Hi,

My topology is as below:

Host1------>FW1<-------------------->FW2------->Host 2

                                 Default Route

My FW1 and FW2 are connected back to back, and both sites are already configured with a default route pointing to each other. However, I am unable to ping the FW2 inside interface IP address or the Host 2 IP. From Host 2, I also cannot ping the FW1 inside interface or even Host 1.

The attachment is the configuration I configured. Please help!

Thanks

-gilbert

5 REPLIES

Re: ICMP Problem

FW2 has an incorrect ACL - you are not allowing ICMP echo-reply back or ICMP echo in the outside interface.

You are also missing NAT config on both devices.

HTH

New Member

Re: ICMP Problem

Hi,

I already made changes to the NAT part and I'm able to ping now. However, when I try to configure a site-to-site VPN through the wizard, it doesn't work.

The attachment is the config file. Thanks

-gilbert

Re: ICMP Problem

On FW1 change:-

access-list outside_in extended permit ip any any - REMOVE THIS

access-list outside_in extended permit icmp any any  - REMOVE THIS
access-list outside_in extended permit icmp any any echo  - REMOVE THIS

access-list outside_in extended permit icmp any any echo-reply - KEEP THIS

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 remote 255.255.255.0 - DELETE

Put the below in:-

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

On FW2 change:-

access-list outside_in extended permit ip any any - REMOVE THIS

access-list outside_in extended permit icmp any any  - REMOVE THIS
access-list outside_in extended permit icmp any any echo  - REMOVE THIS

access-list outside_in extended permit icmp any any echo-reply - KEEP THIS


access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 remote 255.255.255.0 - DELETE

Add the below:-

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
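
The two checks behind the reply above, as an added example that is not part of the original post: the crypto ACLs on the two peers must be mirror images of each other, and the outside ACL should not carry permit entries that match any source and any destination. It assumes only the ACE forms seen in this thread (any, host, or network plus mask; no ports or object-groups) and compares addresses as written, so the name `remote` is not resolved. The function names and sample strings are illustrative.

```python
import re

ACE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")

def _endpoint(tok):
    """Pop one address spec (any | host A | NET MASK) off the token list."""
    head = tok.pop(0)
    if head == "any":
        return "any"
    return (tok.pop(0), "255.255.255.255") if head == "host" else (head, tok.pop(0))

def parse(config):
    """Return {acl_name: [(action, proto, src, dst, rest), ...]}."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(" ".join(line.split()))  # collapse repeated spaces
        if m:
            name, action, proto, tail = m.groups()
            tok = tail.split()
            src, dst = _endpoint(tok), _endpoint(tok)
            acls.setdefault(name, []).append((action, proto, src, dst, tok))
    return acls

def selectors(acls, name):
    """Set of (source, destination) pairs an ACL matches."""
    return {(s, d) for _, _, s, d, _ in acls.get(name, [])}

def mirrored(acls_a, name_a, acls_b, name_b):
    """True when B's crypto ACL is A's with source and destination swapped."""
    return selectors(acls_a, name_a) == {(d, s) for s, d in selectors(acls_b, name_b)}

def wide_open(acls, name):
    """Permit entries with any source, any destination and no ICMP type."""
    return [(p, s, d) for a, p, s, d, rest in acls.get(name, [])
            if a == "permit" and s == d == "any" and not rest]

M = "255.255.255.0"
# Sample configs assembled from the ACL lines quoted in this thread.
FW1_BEFORE = f"""access-list outside_in extended permit ip any any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_1_cryptomap extended permit ip 192.168.2.0 {M} remote {M}"""
FW2_BEFORE = f"access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 {M} remote {M}"
FW1_AFTER = f"""access-list outside_in extended permit icmp any any echo-reply
access-list outside_1_cryptomap extended permit ip 192.168.2.0 {M} 192.168.3.0 {M}"""
FW2_AFTER = f"access-list outside_1_cryptomap_1 extended permit ip 192.168.3.0 {M} 192.168.2.0 {M}"

if __name__ == "__main__":
    print(wide_open(parse(FW1_BEFORE), "outside_in"))
    print(mirrored(parse(FW1_BEFORE), "outside_1_cryptomap", parse(FW2_BEFORE), "outside_1_cryptomap_1"))
    print(mirrored(parse(FW1_AFTER), "outside_1_cryptomap", parse(FW2_AFTER), "outside_1_cryptomap_1"))
```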

New Member

Re: ICMP Problem

Hi,

Thanks a lot, I got it!

-gilbert

Re: ICMP Problem

sure np - glad to help!
