Cisco Support Community
Community Member

S2S can't ping ASA on the other side

I'm using a site-to-site tunnel with NAT. I can ping from Lan2 (192.168.200.0/22) to Lan1 (192.168.1.0/24), except to the ASA. I would like to be able to ping the ASA (192.168.1.250) as well. How can this be achieved?

(I can't add a route-lookup: ERROR: Option route-lookup is only allowed for static identity case)

object network LAN-NAT-BDD
 subnet 192.168.153.0 255.255.255.0
object network BDD-LAN
 subnet 192.168.200.0 255.255.252.0

access-list outside_cryptomap_2 extended permit ip 192.168.153.0 255.255.255.0 192.168.200.0 255.255.252.0

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 LAN-NAT-BDD destination static BDD-LAN BDD-LAN

5 REPLIES
Super Bronze

S2S can't ping ASA on the other side

Hi,

So you are doing NAT for the other site's LAN network? NAT for network 192.168.1.0/24 to 192.168.153.0/24? So you would actually be targeting 192.168.153.250?

Have you configured the "management-access inside" to enable ICMP to the "inside" interface through the VPN?

- Jouni

Community Member

Re: S2S can't ping ASA on the other side

Hi Jouni,

That's correct.

management-access inside is also configured.

John

Super Bronze

Re: S2S can't ping ASA on the other side

I guess the NAT configuration above is there for a reason? You have network 192.168.1.0/24 somewhere else?

If you have the option to let the host IP 192.168.1.250 overlap then I guess as a workaround you could try the following to configure Identity NAT for this IP only and add it to VPN.

object network ASA
 host 192.168.1.250

nat (inside,outside) source static ASA ASA destination static BDD-LAN BDD-LAN route-lookup

- Jouni

Community Member

Re: S2S can't ping ASA on the other side

I have tried that, but unfortunately still no ping response.

Super Bronze

Re: S2S can't ping ASA on the other side

Hi,

While you were trying the above, did you make sure that the L2L VPN configurations and possible routing was fine for this single IP address of 192.168.1.250?

Is there a network 192.168.1.0/24 on the other site? That is essential information, as if that's the case then some directly connected route on the other network might make it impossible to forward traffic to the IP address 192.168.1.250 through the L2L VPN.

- Jouni
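Putting the workaround and the last reply's point together, here is what the Lan1 ASA would need so that the untranslated host 192.168.1.250 is both exempted from the policy NAT and carried by the tunnel. This is an added example, not configuration from either poster; the remote peer address is a placeholder and the remote device is assumed to be an ASA whose crypto ACL mirrors this one.

```cisco
! Identity NAT for the ASA's own inside address. The line number (1) matters:
! without it the rule lands after the existing NETWORK_OBJ_192.168.1.0_24 rule,
! which already matches .250, so the host would still be translated to 192.168.153.250.
object network ASA
 host 192.168.1.250
nat (inside,outside) 1 source static ASA ASA destination static BDD-LAN BDD-LAN route-lookup

! The crypto ACL only declares the translated 192.168.153.0/24 range as interesting
! traffic, so the real host address must be added as a separate proxy-ID pair.
access-list outside_cryptomap_2 extended permit ip host 192.168.1.250 192.168.200.0 255.255.252.0

! Required for ICMP (and SSH/ASDM) to the inside interface to be answered over the VPN.
management-access inside

! Checks: confirm the host hits the identity rule, and that a second IPsec SA
! (192.168.1.250 <-> 192.168.200.0/22) is negotiated after the ACL change.
show nat detail
show crypto ipsec sa peer REMOTE-PEER-IP
```

The Lan2 side needs the mirrored ACL entry (192.168.200.0/22 to host 192.168.1.250), and if Lan2 also has a local 192.168.1.0/24, its connected route will win over the VPN for that host, which is the overlap the last reply warns about.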
