Ping across a VPN

jimmy-lister
Level 1

I have a VPN between an ASA 5510 7.1 and a PIX 501 6.3. The tunnel is up and hosts on both sides can ping and access resources. However, when I am telnetted to the ASA or the PIX I cannot ping any hosts on the remote side. What commands do I need to enter to make it possible to ping remote hosts from either firewall?

Thanks

8 Replies

cpembleton
Level 4

As long as you're not restricting the traffic with an ACL, all you have to do is add the interface in the command.

ping inside x.x.x.x

This should allow the traffic to hit the VPN ACLs and send it across the tunnel.

Thanks,

Chad

Please rate if it helps!

Chad,

That did not work.

My ACL for that VPN is

access-list aclvpn permit ip 192.x.x.x 255.x.x.x 10.x.x.x 255.x.x.x

Should that cover it? Or do I need to add a permit icmp?

Can you ping the inside interface of the PIX from the remote hosts?

It has been my experience where the PIX and ASA are concerned that if they are the VPN endpoints you can't ping from one to the other. The cause of this is that you are on the interface and it is generating the traffic, and that means it has bypassed the interface on which it would be recognized as interesting traffic for the VPN tunnel.

You can ping across a VPN from the PIX when including the interface in the ping statement, as long as the inside interface is in the scope of interesting traffic.

I can ping the remote interface from a host on that remote subnet. I have tried #ping inside x.x.x.x on both firewalls. From either firewall I cannot ping the remote firewall or remote hosts. I can ping between hosts across the VPN.

Have you tried to use the management interface command? This should be set for an interface that the tunnel does not land on. I forget if it is available on the ASA, but I believe it is. Enabling this on both sides should fix your problem, assuming the IP addresses are part of the encryption domain.

Make sure that if you have an access-list for the inside network going out and it has a deny ip any any at the end of that ACL, you have a rule that allows the traffic between the 2 networks.
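To tie the replies above together (sourcing the ping from the inside interface so it counts as interesting traffic, and enabling management access on that interface), here is an added configuration sketch. It is not from this thread or from Cisco; the addresses are constructed (192.168.1.0/24 behind the ASA with inside interface 192.168.1.1, 10.1.1.0/24 behind the PIX with inside interface 10.1.1.1), and it assumes the tunnel is already working for host-to-host traffic, i.e. the crypto map already references the ACL and NAT exemption is in place.

```text
! Added example, not from the thread. Constructed addresses:
!   ASA inside subnet 192.168.1.0/24, ASA inside interface 192.168.1.1
!   PIX inside subnet 10.1.1.0/24,    PIX inside interface 10.1.1.1

! --- ASA 5510 (7.1) side ---
! Crypto ACL: the firewall's own inside address (192.168.1.1) falls within
! the source range, so a ping sourced from "inside" is interesting traffic.
access-list aclvpn extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
! Allow the inside interface to be reached, and used as a source, over the tunnel.
management-access inside

! --- PIX 501 (6.3) side (no "extended" keyword on 6.3) ---
access-list aclvpn permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
management-access inside

! --- Test from the ASA CLI ---
! Naming the interface sources the echo from 192.168.1.1 instead of the
! outside address, which would not match the crypto ACL.
! Remote PIX inside interface:
ping inside 10.1.1.1
! A host behind the PIX:
ping inside 10.1.1.50
```

Two checks worth making before blaming the tunnel: confirm with show access-list that the aclvpn hit counters increase when you ping with the interface named, and remember that management-access deliberately exposes the inside interface to remote management over the VPN, so keep the crypto ACL and any inbound ACL on the inside interface as narrow as the two subnets require.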
