Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
296
Views
0
Helpful
1
Replies

ICMP Traffice across EZVPN tunnel

rtjensen4
Level 4
Level 4

‎02-04-2008 10:57 AM - edited ‎03-09-2019 08:02 PM

Hello, I'm having an issue with pinging across a VPN tunnel that I have established via EZVPN NEM. I have a PIX501 acting as the EZVPN client and an ASA5520 (7.2(3)) as the EZVPN server. The tunnel establishes fine, I can transfer files from the PIX (config etc) across the tunnel, but I'm not able to ping across the tunnel from the 501 to the network across the VPN tunnel. My PIX network is 10.200.128.0/24, i'm trying to ping a 10.1.1.0/24 network across the VPN. I get the following log message on the ASA when I ping from the PIX:

Pix: ping in 10.1.1.20

Log message on ASA: Deny inbound icmp src inside:10.1.1.20 dst inside:10.200.128.1 (type 0, code 0)

Here's the relevant config on the ASA:

: Saved

:

ASA Version 7.2(3)

!

hostname Cosmos-ASA

domain-name

enable ...

names

dns-guard

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 10.1.1.3 255.255.255.0 standby 10.1.1.5

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address ....

!

access-list no-nat extended permit ip 10.0.0.0 255.0.0.0 10.200.128.0 255.255.255.0

access-list acl_in extended permit tcp any 192.168.0.0 255.255.128.0 range 137 netbios-ssn

access-list acl_in extended permit udp any 192.168.0.0 255.255.128.0 range netbios-ns 139

access-list acl_in extended deny tcp any any eq 6667

access-list acl_in extended deny tcp any any range 137 netbios-ssn

access-list acl_in extended deny udp any any range netbios-ns 139

access-list acl_in extended permit ip any any

access-list testEZ extended permit ip 10.1.1.0 255.255.255.0 10.205.0.0 255.255.0.0

access-list testEZ extended permit ip 10.1.2.0 255.255.255.0 10.205.0.0 255.255.0.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

nat (inside) 0 access-list no-nat

rypto ipsec transform-set mySET esp-3des esp-md5-hmac

crypto dynamic-map myDYN-MAP 5 set transform-set mySET

crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP

crypto map myMAP interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

group-policy TestGroup internal

group-policy TestGroup attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value testEZ

nem enable

username testUser password xxx

tunnel-group TestPIXGroup type ipsec-ra

tunnel-group TestPIXGroup general-attributes

default-group-policy TestGroup

tunnel-group TestPIXGroup ipsec-attributes

pre-shared-key *

I think that's everything that's relevant. Any ideas as to why this isn't working? Thanks in advance.

Labels:
0 Helpful
1 Reply 1

amritpatek
Level 6
Level 6

‎02-08-2008 01:53 PM

Check first if you are able to ping (extended) from the vpn interface of the ASA to a host in the internal network. The message on the ASA indicates that the Ping is being denied by some access rules and this is not a problem of VPN. Following links may help you

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents