07-19-2006 09:52 AM - edited 02-21-2020 02:32 PM
I have a VPN between an ASA 5510 7.1 and a Pix 501 6.3. The tunnel is up and hosts on both sides can ping and access resources. However when I am telneted to the ASA or the Pix I cannot ping any hosts on the remote side. What commands do I need to enter to make it possible to ping remote hosts from either firewall?
Thanks
07-19-2006 11:02 AM
As long as you're not restricting the traffic with an ACL, all you have to do is add the interface in the command.
ping inside x.x.x.x
This should allow the traffic to hit the VPN ACLs and send it across the tunnel.
Thanks,
Chad
Please rate if it helps!
07-19-2006 12:47 PM
Chad,
That did not work.
My ACL for that VPN is
access-list aclvpn permit ip 192.x.x.x 255.x.x.x 10.x.x.x 255.x.x.x
Should that cover it? Or do i need to add a permit icmp?
07-19-2006 01:09 PM
Can you ping the inside interface of the pix from the remote hosts?
07-24-2006 05:34 PM
It has been my experience where the PIX and ASA are concerned that if they are the VPN endpoints you can't ping from one to the other. The cause of this is that you are on the interface and it is generating the traffic, which means it has bypassed the interface on which it would be recognized as interesting traffic for the VPN tunnel.
07-25-2006 04:16 AM
You can ping across a VPN from the PIX when including the interface in the ping statement, as long as the inside interface is in the scope of interesting traffic.
07-25-2006 04:57 AM
I can ping the remote interface from a host on that remote subnet. I have tried #ping inside x.x.x.x on both firewalls. From either firewall I cannot ping the remote firewall or remote hosts. I can ping between hosts across the VPN.
07-25-2006 06:40 AM
Have you tried using the management-access interface command? This should be set for an interface that the tunnel does not land on. I forget if it is available on the ASA, but I believe it is. Enabling this on both sides should fix your problem, assuming the IP addresses are part of the encryption domain.
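As an added illustration of the approach described in this reply (example configuration written for this page, not posted by anyone in the thread): the crypto ACL has to include the firewall's own inside address, the inside interface is declared as the management-access interface, and the ping is sourced from that interface. All addresses and the ACL name are hypothetical; the remote side is mirrored in PIX 6.3 syntax.

```cisco
! ASA 5510 (7.1) side. Hypothetical addressing:
!   local LAN 192.168.1.0/24, ASA inside interface 192.168.1.1
!   remote LAN 10.1.1.0/24, PIX 501 inside interface 10.1.1.1
!
! 1. The crypto ACL must cover the ASA's own inside address, otherwise
!    traffic the firewall sources from that interface never matches as
!    interesting traffic. A /24 that contains 192.168.1.1 does.
access-list aclvpn extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! 2. Declare the inside interface as the management-access interface so the
!    firewall itself can be reached on that address over the tunnel (and
!    can source traffic from it toward the peer's inside network). Only one
!    interface may be named here.
management-access inside
!
! 3. Source the ping from the inside interface rather than the default
!    (outside) so it enters the path where the crypto map is applied.
ping inside 10.1.1.1
ping inside 10.1.1.50
!
! 4. Confirm the packets actually went through the tunnel: the encaps/decaps
!    counters for the 192.168.1.0/24 <-> 10.1.1.0/24 SA should increment.
show crypto ipsec sa
!
! PIX 501 (6.3) side, mirrored:
!   access-list aclvpn permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!   management-access inside
!   ping inside 192.168.1.1
```

Two checks worth doing if the ping still fails after this: verify with show crypto ipsec sa that the encaps counter increases on the sending side (if it does not, the ICMP is not being matched by the crypto ACL), and verify the peer is not restricting ICMP to its inside interface with an icmp deny statement, since the reply is generated by the peer firewall itself rather than by a host behind it.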
07-27-2006 02:35 PM
Make sure that if you have an access-list for the inside network going out, and it has a deny ip any any at the end of that ACL, you have a rule that allows the traffic between the two networks.