02-04-2008 10:57 AM - edited 03-09-2019 08:02 PM
Hello, I'm having an issue with pinging across a VPN tunnel that I have established via EZVPN NEM. I have a PIX501 acting as the EZVPN client and an ASA5520 (7.2(3)) as the EZVPN server. The tunnel establishes fine, I can transfer files from the PIX (config, etc.) across the tunnel, but I'm not able to ping across the tunnel from the 501 to the network across the VPN tunnel. My PIX network is 10.200.128.0/24, and I'm trying to ping a 10.1.1.0/24 network across the VPN. I get the following log message on the ASA when I ping from the PIX:
Pix: ping in 10.1.1.20
Log message on ASA: Deny inbound icmp src inside:10.1.1.20 dst inside:10.200.128.1 (type 0, code 0)
Here's the relevant config on the ASA:
: Saved
:
ASA Version 7.2(3)
!
hostname Cosmos-ASA
domain-name
enable ...
names
dns-guard
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.1.1.3 255.255.255.0 standby 10.1.1.5
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address ....
!
access-list no-nat extended permit ip 10.0.0.0 255.0.0.0 10.200.128.0 255.255.255.0
access-list acl_in extended permit tcp any 192.168.0.0 255.255.128.0 range 137 netbios-ssn
access-list acl_in extended permit udp any 192.168.0.0 255.255.128.0 range netbios-ns 139
access-list acl_in extended deny tcp any any eq 6667
access-list acl_in extended deny tcp any any range 137 netbios-ssn
access-list acl_in extended deny udp any any range netbios-ns 139
access-list acl_in extended permit ip any any
access-list testEZ extended permit ip 10.1.1.0 255.255.255.0 10.205.0.0 255.255.0.0
access-list testEZ extended permit ip 10.1.2.0 255.255.255.0 10.205.0.0 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
nat (inside) 0 access-list no-nat
crypto ipsec transform-set mySET esp-3des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
group-policy TestGroup internal
group-policy TestGroup attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testEZ
nem enable
username testUser password xxx
tunnel-group TestPIXGroup type ipsec-ra
tunnel-group TestPIXGroup general-attributes
default-group-policy TestGroup
tunnel-group TestPIXGroup ipsec-attributes
pre-shared-key *
I think that's everything that's relevant. Any ideas as to why this isn't working? Thanks in advance.
02-08-2008 01:53 PM
Check first if you are able to ping (extended) from the VPN interface of the ASA to a host in the internal network. The message on the ASA indicates that the ping is being denied by some access rules, and this is not a problem of VPN. The following links may help you:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
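As an added example (not code from this thread), a small Python script that parses the ASA deny message quoted in the question and checks the denied flow against the extended "ip" ACL entries from the posted config, reporting which lists cover it and whether the source and destination interface names in the message are the same. The log line and ACL lines are copied from the question; the helper names are my own.

```python
import ipaddress
import re

# Constructed sample: the deny message quoted in the question.
ASA_DENY_LOG = "Deny inbound icmp src inside:10.1.1.20 dst inside:10.200.128.1 (type 0, code 0)"

# ACL entries copied from the posted ASA config. Only "permit/deny ip" entries are
# parsed; the tcp/udp entries in acl_in cannot match an ICMP flow and are skipped.
ACL_LINES = [
    "access-list no-nat extended permit ip 10.0.0.0 255.0.0.0 10.200.128.0 255.255.255.0",
    "access-list acl_in extended deny tcp any any eq 6667",
    "access-list acl_in extended permit ip any any",
    "access-list testEZ extended permit ip 10.1.1.0 255.255.255.0 10.205.0.0 255.255.0.0",
    "access-list testEZ extended permit ip 10.1.2.0 255.255.255.0 10.205.0.0 255.255.0.0",
]

DENY_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) ip "
    r"(?P<src>any|[\d.]+ [\d.]+) (?P<dst>any|[\d.]+ [\d.]+)"
)

def parse_deny(line):
    """Parse an ASA ICMP deny message into a flow dict; None if the format differs."""
    m = DENY_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["type"], flow["code"] = int(flow["type"]), int(flow["code"])
    flow["same_interface"] = flow["sif"] == flow["dif"]  # e.g. inside -> inside
    return flow

def _to_net(spec):
    # ASA extended ACLs use network + netmask (not a wildcard); "any" is 0.0.0.0/0.
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def matching_acls(flow, acl_lines):
    """Map ACL name -> True/False for the first entry matching src->dst (top-down)."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    result = {}
    for line in acl_lines:
        m = ACL_RE.match(line)
        if not m or m.group("name") in result:  # unparsed entry or list already decided
            continue
        if src in _to_net(m.group("src")) and dst in _to_net(m.group("dst")):
            result[m.group("name")] = m.group("action") == "permit"
    return result
```

Running it shows the flow is covered by no-nat and acl_in but by neither testEZ entry, and that both interface names in the message are "inside".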