Cisco VPN :: 5520 - Unable To Ping To NAT Address Over VPN
Dec 14, 2011
i have a site to site vpn stablished, the vpn works fine (while is up), i have a cisco asa 5520 and the other end of the vpn is a jupiter device that for technical reasons needs to send a continuos ping and when it does not receive a reponse back it brings down the vpn tunnel and reestablish it again. while the vpn is up traffic flows perfectly but because i m unable to repond to the ping the vpn is brought down as reestablished by the jupiter device. the jupiter device pings the encryption domain which is an ip that is natted to the real ip in the inside network. this is my configuration of the vpn:
AAA.AAA.AAA.AAA is the ASA public ip in the outside
BBB.BBB.BBB.BBB is the jupiter device ip (part of the object group IP_LIST)
CCC.CCC.CCC.CCC is the nat ip on the ASA
10.21.0.164 is the real address in the inside(code)
View 1 Replies
ADVERTISEMENT
Jul 26, 2011
I am unable to ping inside interface (Rin) to outside interface (Rout) of my Cisco ASA 5520 runing on ASA Version 8.4(1).
ASA Version 8.4(1)
!
hostname FW5520
[Code].....
View 10 Replies
View Related
Apr 20, 2011
i have a new smc router and my local ip address and remote ip addresses are very similar. The remote ip address is updating my dns server but i am unable to ping it. Its something like 122.61.xxx.1 ?
View 8 Replies
View Related
Jan 18, 2013
From My Router that connects to Cable modem i am unable to ping website 4.2.2.2I am able to ping all other websites fines.Same website i can ping from my pc and all other switches fine.Router has only 1 ACL thats for NAT.
View 25 Replies
View Related
Dec 5, 2011
i have an ASA 5520 ver 8.4 with the following config
WAN
207.211.25.34
Production
10.11.12.1 255.255.255.0
Mgmt
10.11.11.1 255.255.255.0
i need to create a peer-2-peer VPN to a remote site ASP16 from both Prod and Mgmt
what would my nat statement look like ?
currently i have the following but can only ping from Mgmt not Prod (ASP17 is an network object group that contain the Prod and Mgmt subnets )
nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod
View 2 Replies
View Related
Feb 3, 2013
I cannot seem to ping from the outside of my 5520 firewall to an inside network. I have a single physical outside interface connected to a Layer 2 switch, with a laptop connected to it. This is on network 10.11.131.0/28. From there, I cannot ping to the inside interface (which is a sub interface on G0/0) with network 10.11.130.0/24/ For some reason, it doesnt work.
Now. I had access-lists in place, but have removed them for testing and it still doesnt work. I have set the security level of inside and outside to 100, and entered the same-security-traffic permit inter-interface command - still no joy. Below is the relevant configuration.
Inside Interface
interface GigabitEthernet0/0.96
description L3 Interface - Informational Zone
vlan 96
[Code].....
View 4 Replies
View Related
Apr 21, 2013
CISCO ASA 5520 -K9 .Client can connects ASA server and get ip address(172.168.31.X),but can't ping ASA inside interface ip address and other servers in lan .
View 2 Replies
View Related
May 13, 2013
I have ASA 5520. I cannot ping the host(192.168.1.20) which is inside firewall from outside hosts. Inside host (192.168.1.20) is translated into (198.24.210.226) using static NAT.From outside host, I used "PING 198.24.210.226". Is it because I used dynamic PAT for inside hosts?
interface GigabitEthernet0/0nameif outsidesecurity-level 0ip address 198.24.210.230 255.255.255.248!interface GigabitEthernet0/1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0
[Code].....
View 3 Replies
View Related
Dec 8, 2009
I got 2 x 5520 ASAs configured in active/standby mode and they are connected to 2 x 4500 switches in which too configured for failover.Telnet to ASAs is allowed only via subnet 172.18.0.0./24
I can only ping and telnet to the active ASA from subnet 172.18.0.0./24 but not the standby But i can ping and telnet to both the active and standby ASAs within the 4500 switches.
View 20 Replies
View Related
Apr 18, 2013
I have a need to Remote Desktop connect to company’s employees for support then they are abroad and using Cisco AnyConnect client.Cisco AnyConnect client connection works fine, clients can reach company’s inside network without problems, but I cannot make revers connection, I cannot Remote Desktop connect or ping VPN clients from companies inside network. I cannot ping clients from ASA too.I am using ASA 5520, Cisco Adaptive Security Appliance Software Version 8.4(3) Device Manager Version 6.4(7), and Cisco AnyConnect VPN Client 2.2.0133. Protocol Encryption- AnyConnect-Parent SSL – Tunnel DTLS-RC4 RC4 AES 128.
View 0 Replies
View Related
Sep 28, 2011
I have a cisco asa 5520 version 8.2.
I found big problem with ping. I can't ping any internet ip with packet size bigger than 990.
I checked runing again. I see config every thing fine. I can't ping bigger than 990 byte.
C:Usersuaydinli>ping 172.17.97.2 -l 1000
Pinging 172.17.97.2 with 1000 bytes of data:
Request timed out.
Request timed out.
[Code]......
View 5 Replies
View Related
Nov 2, 2012
I have HQ side with ASA 5520 (8.4) & Branch Side with ASA 5505 Design
VPN LAN<------->ASA5520(8.4)----->Thomson Business TG628s----->Internet<--->ADSL Modem------>ASA5505(8.2)
Now on both modems UDP 500 & TCP/UDP 4500 ports are enabled I can ping from internal LAN of HQ to internal LAN of branch but I cant ping from internal LAN of branch to internal LAN of HQ
HQ ASA 5520 Side
ASA Version 8.4(3)
host name aljoaib-fw01
[ code]....
Branch side ASA 5505
ASA Version 8.2(5)
host name GTC- DMM- FIREWALL
domain-name ALJOAIB.COM
enable password 7pgp93AEPfHtDc5N encrypted
[Code]....
Both sides have static ip address.
View 22 Replies
View Related
Apr 17, 2012
I've just started a CCNA course and my lack of knowledge has me a bit stuck. My network is comprised of Cisco components and I'm semi familiar with them just from reading and looking through options. I currently am using a Cisco ASA 5520 on my network and I am trying to join another network via one of the interfaces. My network is 192.168.0.0 255.255.0.0 and my inside interface is 192.168.1.1 255.255.0.0. I enabled a second interface using a static ip of 10.0.0.1 with a subnet of 255.255.255.128. Connected to that interface, I have a Fortigate firewall at 10.0.0.2 255.255.255.128. I can ping just fine from the Fortigate network to the 10.0.0.1 interface on the Cisco ASA 5520 network, but I can not ping the 10.0.0.1 interface (or anything past it) on the ASA 5520 from any computer on the Cisco network. I've read that ACL's and NAT have to be done as well as enabling traffic between interfaces with the same security levels. (both interfaces have security levels of 100 and the option is checked to allow traffic).
Note: each network has it's own internet connection. The connection is to share information on servers on both networks with each other.
View 1 Replies
View Related
Mar 20, 2012
I'm trying to configure an ASA firewall (FW2) for syslog and tacacs and am experiencing strange behavior. Both the syslog and ACS server are on the inside of another firewall (CoreFW). Whenever a log message is generated on FW2 the request is dropped by CoreFW and message '%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session' is displayed. The same thing occurs for tacacs.
It appears that the syslog and ACS requests are generating ICMP echo replies, which the core firewall drops since no session exists on a lower security interface. I have access lists configured on CoreFW to allow the syslog and tacacs requests.
FW2 is running asa825-k8.bin, CoreFW is asa824-k8.bin
View 1 Replies
View Related
May 30, 2012
I have an ASA that houses 11 VLANs, and I am trying to add a 12th.One of the VLANs is for PCs that have internet only access.The new VLAN will be similar, but for multifunction printers only.VLAN 99 is for internet only and works fine, I can ping the gateway of 10.99.3.33 from any PC in that VLAN.I am creating VLAN 98, modeling it after VLAN 99, and I cannot get a PC in the vlan to ping the gateway of10.98.3.17.Both switch and ASA show the new VLAN 98 as UP, switchport is UP/UP.I have deleted and recreated VLAN 98 a few times, but I cannot get a PC VLAN 98 connectivity.Once it is working on the core switch, I will add it to the trunk to the IDS switches. VTP is not in use, everything is manual. [code]
View 4 Replies
View Related
Nov 2, 2009
On my ASA5520 I am trying to do a IPSEC tunnel between two sites. When I ping the protected network on the other side I get this when debugging IPSEC:
IPSEC(crypto_map_check): crypt o map man map 20 does not hole match for ACL man1
Not too sure what this means...
View 11 Replies
View Related
Jun 14, 2011
I have installed quite recently a cisco ASA 5520 replacing a linux based firewall I have only 2 zones ..one is internal netowrk and other external the internal network has web servers, dns and mail server all having public IPs Every thing is OK but i have seen that if I try to ping an external server for example [URL] i cannot ping says
[sylvan@kmdns1 ~]$ ping www.yahoo.com
PING eu-fp.wa1.b.yahoo.com (87.248.112.181) 56(84) bytes of data.
--- eu-fp.wa1.b.yahoo.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5010ms
but I can ping from systems which are outside my firewall perfectly with the linux firewall i had before i could ping perfectly to yahoo from any of my internal servers?
View 5 Replies
View Related
Sep 24, 2012
2 windows 7 machines.at work..They are both laptops. one acts as a server for a piece of software to the other one.on the "client" laptop I can map a drive to the "server" and browse files through that maped drive etc.I can also ping the IP address of the "server" but I get a timed out when I try to ping the computer name.Server had Macafee firewall, I uninstalled that, and I turned off Windows firewall on both machines.the software needs to be able to ping by name I guess in order to work..
View 2 Replies
View Related
Apr 24, 2011
I have an iPAD. It connects to my ASA5520 via IPSEC. When it connects it gets an IP address from the ASA but it does not get any of the other stuff. Specifically the DNS suffix. How to correct it?
View 3 Replies
View Related
Aug 28, 2012
I bought a usb printer server to connect my usb printer to my router. USB cable to the print server and cat 5 from the print server to the router. The print server has a static fixed ip of 169.254.10.10 and a subnet mask of 255.255.0.0 I can ping the printer server and it works perfect from my windows 7 laptop. When I attempt to set it up on my windows xp (SP3) laptop I am not even able to ping the 169.254.10.10 address. On the windows 7 laptop i can navigate to the print servers menu by placing 169.254.10.10 in the address bar of internet explorer. No so with the xp laptop.What is different about the ip configuration between win xp and win7. how to get the xp laptop to "see" the print server. Want to keep the print server at the default settings if possible.
View 22 Replies
View Related
Aug 13, 2011
My lan ip address is 192.168.1.45 and when I try to ping 192.168.1.63 it comes "request time out".but I went and check 192.168.1.63, it's up and working. I can ping other ip addresses though.
View 8 Replies
View Related
Aug 31, 2011
I have a HP Pavilion DV6000 that I just tried connecting to my network through wireless. It says connected, pulls an IP adress, and gets the gateway but it will not pull up web pages, ping google, or ping any other computers on the network.. I have one other computer connected to the network, wired. It can connect fine to webpages, but it wont ping the HP laptop. The router interface shows that it's giving the HP an IP but thats all it seems to be doing..
View 2 Replies
View Related
Feb 22, 2012
I'm running into a strange problem and cant seem to figure it out. I have an asa running 8.2(1). I have an ipsec vpn setup and working great. I can ping hosts on the inside of the network and everything seems to be fine. However there is one single ip address that i know for a fact is live, but i cannot ping through the vpn. If i ping the address from the asa i get a reply, if i ping the address from inside the network i get a reply, but if i ping when connected through the vpn no reply.
View 4 Replies
View Related
Jan 31, 2013
After I changed customer router to CISCO 2911 from H3C firewall, the WAN interface can not ping its gateway after about 10 minites, I do not know why. it works well before I change the device. [code]
View 10 Replies
View Related
Feb 2, 2012
I have a problem with an ACE 4710 regarding to the ping of especially one VIP address.
[code]...
At the Box I setup 10 Servcies, all with different VIP addresses, also the IP is not used duplicate somewhere in the network.
in the class defined under Policy-Map Multi-Match I setup identical to the others loadbalance vip icmp-replay active, the VIP is usable by the defined service http, the serverfarm is up and running all ok so far but this VIP does not respond to ping even the correct arp resolution was done.
I started also a capture locally on the ACE and see the ICMP - Echo coming in, but the box sends no echo-reply back.
In the access-lists Management and so on I allowed icmp and also on all interfaces the icmp guard is disabled...
View 10 Replies
View Related
Mar 9, 2013
*I have 2 cisco routers 2811 router A&B*using 0/0 for WAN and 0/1 for LAN on both routers*both routers are connected together with crossover cable to 0/0. recieve link and activity*both routers are on the same subnet Router A:0/0 192.168.1.1/24 - router A:0/1 192.168.2.1/24 ; Router B:0/0 *192.16.1.2/24 router B:0/1 192.168.3.1/24*I can ping the inside and outside address of both router from PCs connected at its respectable end. *PC A 192.168.2.2/24 PC B 192.168.3.2/24 *when connected to router A 0/1 and I try to ping router B 0/0 it times out in DOS* but I AM (CAN) able to ping from PC A to router B 0/0 in hyperterminal, telnet and Cisco SDM. I just CANNOT ping in DOS?
View 10 Replies
View Related
Nov 22, 2011
We recently upgraded to Windows 7 at work and my laptop was part of the first deployment. Laptops are imaged so that all configurations/software are already set and done. My problem is as follows, my laptop is part of domain, when I am at work I can ping anything just fine (network computers, printers) BUT when I am at home, I can't even ping my own PC. It returns back with the same address over and over. No matter what I ping when I am at home, it returns back with the same address. I can ping blah and it will display same address over and over. The weird part is I can ping websites no problem, but if i ping random names it will format as follow.Lets say I want to ping lost, below is what i get (I made changes to hide domain and IP)
Pinging lost.domain.com [70.99.199.99] with 32 bytes of data:
Reply from 70.99.199.99: bytes=32 time=57ms TTL=50
Reply from 70.99.199.99: bytes=32 time=58ms TTL=50
Reply from 70.99.199.99: bytes=32 time=57ms TTL=50
Reply from 70.99.199.99: bytes=32 time=58ms TTL=50
[code].....
Notice how my domain always shows up? When I am connected to the VPN at home, I have to log onto our intranet using the IP, I can't use the name, it wont direct to it.
View 2 Replies
View Related
Mar 25, 2011
I have created a site to site Ipsec vpn with a cisco 2610 and a linksys RV042. Running a show "crypto isakmp sa" command I get a qm_idle status and when running a "show crypto ipsec sa" I see that packets are being decrypted and encrypted. Also when running the "show ip access-lists" command I do have matches to that connection.The problem is that I am unable to ping hosts from one network to another. For example, from the Cisco router in network 192.168.0.0 I am unable to ping the remote network 192.168.2.0 and vice versa.
I am not sure what is happening. Do I need to create a route to that remote network? I guess it could also be a problem with NAT or an ACL.Here is what running-config shows:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
View 5 Replies
View Related
Oct 26, 2012
I am connecting a 2600 router to an ISP. Interface 0/0 is connected to the ISP using DHCP. Interface 0/1 is connected to the inside providing DHCP services to the inside. At least it should only be providing DHCP services to the inside. I also have a public static IP that is NAT to a private static IP. Everything is working except the computer on the static IP. From the router I am able to ping inside and out from each interface. I am able to ping both interfaces of the router from the computer on the static IP but I cannot ping outside the router. If I do a debug all I see a reject for the gateway of the static IP but it has “mobile IP” in the text string. Not sure what mobile IP is relating to. Networks are as follows:
0/0 DHCP 10.X.X.X
0/1 192x.x.x
Static 75.X.X.X
[Code].....
View 13 Replies
View Related
Apr 26, 2012
I have the following setup where the Cisco ME 3400 provided by the ISP.
My Cisco 2911 is configured as below:
CORE_Router#sh run
Building configuration...
Current configuration : 6075 bytes
[Code].....
View 6 Replies
View Related
Aug 18, 2011
I've been called upon to fix the SSL VPN issues in our ASA5505. The issue I am having is that I am able to log into the vpn, access the internet, but I'm unable to access anything on the LAN. I can't use ping or use DNS.
I'm using ASDM v. 6.2(1) and ASA verison 8.2(1). I'm not comfortable using the CLI and prefer the GUI.
View 13 Replies
View Related
Jul 25, 2008
CAn we filter MAC address in LAN using ASA 5520 , whats the method ?
View 2 Replies
View Related
Oct 7, 2012
We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510, I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4.I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android it used to come up with a "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile I cannot get that far. I just get a "login failed". Even after I create a user with level 15 privilege and assign to my vpn group policy.I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.
View 23 Replies
View Related
