Cisco Support Community
New Member

can't ping external hosts over site 2 site vpn

Hi All,

I have 2 sites configured as L2L VPNs back to my ASA5520. One site is using a PIX525 and the other an ASA5505. I can access all resources on my private network without issue and all traffic from the remote sites is "protected". The issue I'm having is that I cannot ping any external hosts. For example, if I attempt to ping 4.2.2.1 from a host at a remote site it times out. I can ping any resource on my "private" networks at any site without issue. Any suggestions? Thanks.

2 ACCEPTED SOLUTIONS: the reply from heather (Cisco Employee) and the second reply from Green, both reproduced in the thread below.

4 REPLIES
Cisco Employee

Re: can't ping external hosts over site 2 site vpn

If you're relying on Internet access through the L2L tunnel (because you are tunneling everything), then you need to:

1) Either set up u-turn and outside NAT for the remote network on the headend ASA so the traffic can leave the same interface it came in on with a public IP address for the Internet:

nat (outside) 99 <remote-network> <mask>
global (outside) 99 interface
same-security-traffic permit intra-interface

Or

2) Set up a default tunnel gateway that points to an internal router that has access to the Internet:

route inside 0.0.0.0 0.0.0.0 <internal-router-ip> tunneled

-heather

New Member

Re: can't ping external hosts over site 2 site vpn

Thanks heather. A couple of items:

Should the command on the core ASA be

nat (outside) 99 172.24.0.0 255.255.0.0 outside?

I receive these warnings on the ASA:

WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

I already have a global (outside) 1 interface statement and I can't add another (global for this range already exists).

Thanks.

Green

Re: can't ping external hosts over site 2 site vpn

No, you don't need the "outside" keyword at the end of the statement; disregard the warning.

If you already have

global (outside) 1 interface

then just add:

nat (outside) 1 172.24.0.0 255.255.0.0
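An added check, written for this page and not part of the thread or of any Cisco tool: a small Python script that reads an ASA 8.2-style configuration (pre-8.3 nat/global syntax) and reports whether a given remote VPN subnet can hairpin back out the outside interface. It covers both heather's options and Green's fix: intra-interface traffic must be permitted, the nat (outside) entry covering the remote subnet must share its id with a global (outside) entry (the id 99 vs id 1 mismatch from the follow-up question), or a tunneled default route must exist instead. The three embedded configs and the 10.0.0.1 gateway are constructed sample data, not from the original post.

```python
"""Added example: lint an ASA 8.2-style (pre-8.3 NAT syntax) config for the
pieces the thread discusses. Sample configs below are constructed for this
example, not taken from the original post."""
import ipaddress
import re

# Constructed: the headend after Green's fix (reuse the existing global id 1).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
nat (outside) 1 172.24.0.0 255.255.0.0
"""

# Constructed: the state from the follow-up question, where the nat entry uses
# id 99 but the only global on outside is id 1, so the two never pair up.
BROKEN_CONFIG = """\
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
nat (outside) 99 172.24.0.0 255.255.0.0
"""

# Constructed: option 2 from the accepted answer, a tunneled default route
# toward an internal router (10.0.0.1 is a made-up address).
TUNNELED_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
route inside 0.0.0.0 0.0.0.0 10.0.0.1 tunneled
"""

# nat (<if>) <id> <net> <mask> [outside]
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: outside)?\s*$")
# global (<if>) <id> interface|<ip>|<ip>-<ip> ...
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) \S+")
# route <if> 0.0.0.0 0.0.0.0 <gateway> [metric] tunneled
TUNNELED_RE = re.compile(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+(?: \d+)? tunneled\s*$")


def hairpin_check(config_text, remote_net, vpn_iface="outside"):
    """Return findings on whether hosts in remote_net (the subnet behind the
    L2L peer) can reach the Internet back out vpn_iface on this headend."""
    remote = ipaddress.ip_network(remote_net)
    lines = [ln.strip() for ln in config_text.splitlines()]

    intra = "same-security-traffic permit intra-interface" in lines

    # nat entries bound to the VPN interface whose network covers remote_net
    nat_ids = set()
    for ln in lines:
        m = NAT_RE.match(ln)
        if not m or m.group(1) != vpn_iface:
            continue
        try:  # skip "nat (x) 0 access-list ..." and other non-address forms
            covered = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        except ValueError:
            continue
        if remote.subnet_of(covered):
            nat_ids.add(int(m.group(2)))

    # global pools on the VPN interface; the nat id must match one of these
    global_ids = set()
    for ln in lines:
        m = GLOBAL_RE.match(ln)
        if m and m.group(1) == vpn_iface:
            global_ids.add(int(m.group(2)))

    matched = nat_ids & global_ids
    tunneled = any(TUNNELED_RE.match(ln) for ln in lines)

    problems = []
    if not intra:
        problems.append("missing: same-security-traffic permit intra-interface")
    if not nat_ids:
        problems.append(f"no nat ({vpn_iface}) entry covers {remote}")
    elif not matched:
        problems.append(
            f"nat id(s) {sorted(nat_ids)} have no matching global ({vpn_iface}) id; "
            f"existing global id(s) on {vpn_iface}: {sorted(global_ids)}"
        )

    hairpin_ok = intra and bool(matched)
    return {
        "intra_interface_permitted": intra,
        "nat_ids_for_remote": sorted(nat_ids),
        "global_ids_on_vpn_iface": sorted(global_ids),
        "matched_nat_ids": sorted(matched),
        "tunneled_default_route": tunneled,
        "hairpin_nat_ok": hairpin_ok,
        "ok": hairpin_ok or tunneled,
        "problems": [] if (hairpin_ok or tunneled) else problems,
    }


if __name__ == "__main__":
    for name, cfg in (("fixed", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG),
                      ("tunneled", TUNNELED_CONFIG)):
        r = hairpin_check(cfg, "172.24.0.0/16")
        print(name, "ok" if r["ok"] else "NOT ok", r["problems"])
```

Run it against a `show running-config` capture (pasted into a string) with the remote site's subnet; the "problems" list names the missing piece in the same terms the thread uses, so a mismatched nat/global id shows up immediately rather than as a silent ping timeout. The check only models pre-8.3 syntax; the object-based NAT of ASA 8.3 and later needs different parsing.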

Green

Re: can't ping external hosts over site 2 site vpn

5 points for the first answer too.
