Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

unable to ping to a nat address over a vpn

Hi, i have a site to site vpn stablished, the vpn works fine (while is up), i have a cisco asa 5520 and the other end of the vpn is a jupiter device that for technical reasons needs to send a continuos ping and when it does not receive a reponse back it brings down the vpn tunnel and reestablish it again. while the vpn is up traffic flows perfectly but because i m unable to repond to the ping the vpn is brought down as reestablished by the jupiter device. the jupiter device pings the encryption domain which is an ip that is natted to the real ip in the inside network. this is my configuration of the vpn:

AAA.AAA.AAA.AAA is the ASA public ip in the outside

BBB.BBB.BBB.BBB is the jupiter device ip (part of the object group IP_LIST)

CCC.CCC.CCC.CCC is the nat ip on the ASA

10.21.0.164 is the real address in the inside

crypto ipsec transform-set INTERNETNETWORK_TRANSFORM_SET esp-3des esp-sha-hmac

crypto map INTERNETNETWORK_CRYPTO_MAP 210 match address CHICAGO_CRYPTO_MAP_ACL

crypto map INTERNETNETWORK_CRYPTO_MAP 210 set peer Chicago

crypto map INTERNETNETWORK_CRYPTO_MAP 210 set transform-set INTERNETNETWORK_TRANSFORM_SET

crypto map INTERNETNETWORK_CRYPTO_MAP 210 set security-association lifetime seconds 3600

access-list INTERNETNETWORK_SERVICENETWORK_IN extended permit tcp object-group IP_list host CCC.CCC.CCC.CCC eq 30001

static (ServiceNetwork,InternetNetwork) tcp CCC.CCC.CCC.CCC 30001 10.21.0.164 30001 netmask 255.255.255.255

icmp deny any InternetNetwork

i have tried to remove the all icmp restrictions and add and acl to permit icmp packages to CCC.CCC.CCC.CCC but still no luck, i do not even see the icnmp packages hitting the ASA (with debug icmp trace 127 nore terminal monitor). please let me know how to accomplish this. i want them to be able to ping the nat address CCC.CCC.CCC.CCC. thanks!!!

1 REPLY
New Member

unable to ping to a nat address over a vpn

just an update, this issue was fixed was doing a 1-1 natting. pings go through successfully now.

587
Views
0
Helpful
1
Replies
CreatePlease to create content