Site-to-site VPN between ASA 8.2's, cannot ping

Two 8.2 ASA's are set up with a site-to-site VPN tunnel between them, as can be seen in the diagram:

http://i.imgur.com/nqI1t0Z.png

Here is my configuration for both.

Clients on the inside network of either ASA cannot ping clients on the inside network of the other ASA. Why not?

When pinging from the inside network of SALMONARM to the inside network of KAMLOOPS, the following debug logs can be seen on SALMONARM:

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

%ASA-7-609002: Teardown local-host outside:10.30.7.2 duration 0:00:02

%ASA-7-609001: Built local-host outside:10.30.7.2

%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512

...

Each ping attempt responds with "Request timed out" on the pinging computer.

Why can't clients ping each other over the VPN tunnel?

Accepted Solutions

Re: Site-to-site VPN between ASA 8.2's, cannot ping

Hi,

Create a NAT0 ACL on both ends.

ex: access-list NONAT extended permit ip 10.30.0.0 255.255.0.0 10.45.0.0 255.255.0.0

nat (inside) 0 access-list NONAT

Thx

MS

Edit: Initially, I mentioned ACL #, it may not work.
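
The SALMONARM logs in the question already show the symptom this answer fixes: the inside host (laddr 10.45.7.1) is translated to 192.168.0.216 (gaddr) on its way to the remote inside network. The following check is an added example, not part of the original thread; the function name is hypothetical, and treating 10.45.0.0/16 as the local side is an assumption drawn from the logs and the ACL above.

```python
import ipaddress
import re

# Subnets come from the NONAT ACL in the answer. Treating 10.45.0.0/16 as the
# local (SALMONARM) side is an assumption based on laddr 10.45.7.1 in its logs.
LOCAL_NET = ipaddress.ip_network("10.45.0.0/16")
REMOTE_NET = ipaddress.ip_network("10.30.0.0/16")

# Matches syslog 302020 for ICMP: faddr = foreign, gaddr = global (post-NAT),
# laddr = local (real inside address).
BUILT_ICMP = re.compile(
    r"%ASA-6-302020: Built (?:inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ "
    r"laddr (?P<laddr>[\d.]+)/\d+"
)


def find_translated_vpn_flows(lines, local_net=LOCAL_NET, remote_net=REMOTE_NET):
    """Return unique (laddr, gaddr, faddr) tuples for site-to-site flows whose
    inside address was translated, i.e. NAT exemption did not apply."""
    hits = []
    for line in lines:
        m = BUILT_ICMP.search(line)
        if m is None:
            continue  # 609001/609002/302021 and unrelated messages
        faddr, gaddr, laddr = (
            ipaddress.ip_address(m[k]) for k in ("faddr", "gaddr", "laddr")
        )
        translated = gaddr != laddr
        if laddr in local_net and faddr in remote_net and translated:
            hit = (str(laddr), str(gaddr), str(faddr))
            if hit not in hits:
                hits.append(hit)
    return hits


SAMPLE = [
    # First three lines are copied from the question.
    "%ASA-7-609001: Built local-host outside:10.30.7.2",
    "%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512",
    "%ASA-6-302021: Teardown ICMP connection for faddr 10.30.7.2/0 gaddr 192.168.0.216/55186 laddr 10.45.7.1/512",
    # Constructed line: the same flow with gaddr equal to laddr (untranslated).
    "%ASA-6-302020: Built outbound ICMP connection for faddr 10.30.7.2/0 gaddr 10.45.7.1/512 laddr 10.45.7.1/512",
]

if __name__ == "__main__":
    for laddr, gaddr, faddr in find_translated_vpn_flows(SAMPLE):
        print(f"{laddr} -> {faddr} leaves as {gaddr}: NAT exemption missing")
```

Run against the other ASA's logs, the two networks swap roles, which mirrors the need to apply the NAT0 ACL on both ends.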

Site-to-site VPN between ASA 8.2's, cannot ping

That did it. Thanks!!
