Re: OT:VPN Connection

From: Solomon Awosina <solomonawosina_at_gmail.com>
Date: Sat, 1 Oct 2011 22:48:38 +0100

Yes, ICMP is allowed.

On Sat, Oct 1, 2011 at 9:31 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:

> Hi,
>
> Can you tell me how you are verifying it? Is it ICMP traffic between
> the servers, or something else?
>
> Regards,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2011/10/1 Solomon Awosina <solomonawosina_at_gmail.com>
>
>> Dear Expert,
>> >
>> > I have an issue on my network with which I require your help.
>> >
>> > I have a server (192.168.1.29) that needs to connect to another host
>> > (10.13.2.19) over the internet through a VPN, but it is not connecting.
>> >
>> > My Architecture
>> >
>> > My Server is connected behind a Cisco ASA which is connected to a Cisco
>> > Router. It is on the router that the VPN is setup.
>> >
>> > My_Server(192.168.1.29) ==> Cisco ASA(192.168.1.17) ==> Cisco
>> > Router(192.168.1.46) <===== internet =====> Cisco ASA(196.200.119.100) ==>
>> > Other_host(10.13.2.19)
>> >
>> > If I put my server directly behind the Cisco Router, I connect
>> > successfully, like this:
>> > My_Server(192.168.1.40) ==> Cisco Router(192.168.1.46) <===== internet =====> Cisco
>> > ASA(196.200.119.100) ==> Other_host(10.13.2.19)
>> >
>> > Below are my configs:
>> >
>> > *Cisco ASA*
>>
>> >
>> >
>> > ASA Version 7.0(7)
>> > !
>> >
>> > !
>> > interface Ethernet0/0
>> > nameif outside
>> > security-level 0
>> > ip address 192.168.1.33 255.255.255.240
>> > !
>> > interface Ethernet0/1
>> > nameif inside
>> > security-level 100
>> > ip address 172.16.1.1 255.255.255.0
>> > !
>> > interface Ethernet0/2
>> > nameif dmz1
>> > security-level 60
>> > ip address 192.168.1.17 255.255.255.240
>> >
>> >
>> > access-list outside_in extended permit icmp any any echo-reply
>> > access-list outside_in extended permit ip host 10.13.2.19 host
>> > 192.168.1.40
>> > access-list dmz1_in extended permit ip host 192.168.1.29 any
>> >
>> > static (dmz1,outside) 192.168.1.40 192.168.1.29 netmask 255.255.255.255
>> > access-group outside_in in interface outside
>> > access-group dmz1_in in interface dmz1
>> > route outside 0.0.0.0 0.0.0.0 192.168.1.46
>> >
>> >
>> > *Cisco ROUTER*
>>
>> >
>> >
>> > crypto isakmp policy 9
>> > encr aes 256
>> > authentication pre-share
>> > group 2
>> >
>> > crypto isakmp key XXXXXXXXXXXXX address 196.200.119.100
>> > !
>> > crypto ipsec security-association lifetime seconds 86400
>> > !
>> > crypto ipsec transform-set CLICKATELL esp-aes 256 esp-sha-hmac
>> > !
>> > crypto map CLICK 9 ipsec-isakmp
>> > set peer 196.200.119.100
>> > set transform-set CLICKATELL
>> > match address 198
>> > !
>> > interface GigabitEthernet0/0
>> > description VGC Internet WAN link
>> > ip address 41.220.72.126 255.255.255.248
>> > ip nbar protocol-discovery
>> > ip nat outside
>> > ip virtual-reassembly
>> > duplex auto
>> > speed auto
>> > crypto map CLICK
>> > !
>> > interface GigabitEthernet0/1
>> > description 21CTL Internet WAN link
>> > ip address 80.248.9.142 255.255.255.128
>> > ip nat outside
>> > ip virtual-reassembly
>> > duplex auto
>> > speed auto
>> > !
>> > interface FastEthernet0/0/0
>> > description LAN Interface
>> > switchport access vlan 10
>> > !
>> > interface Vlan10
>> > description LAN
>> > ip address 192.168.1.46 255.255.255.240
>> > ip verify unicast source reachable-via rx
>> > ip nat inside
>> > ip virtual-reassembly
>> > !
>> > ip route 10.13.2.19 255.255.255.255 41.220.72.121
>> > ip route 196.200.119.100 255.255.255.255 41.220.72.121
>> > !
>> > access-list 110 deny ip host 192.168.1.40 host 10.13.2.19
>> > access-list 110 permit ip host 192.168.1.40 any
>> > access-list 198 permit ip host 192.168.1.40 host 10.13.2.19
>> >
>> >
>> >
>> > WHAT AM I MISSING?
>> >
>> > Kindly assist.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

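The thread above hinges on how a packet from the DMZ server is treated on its way out: the ASA's static translates 192.168.1.29 to 192.168.1.40, and the router then has to exempt that flow from NAT (ACL 110) so that it still matches the crypto ACL (198). On IOS the inside-to-outside NAT translation is performed before the crypto map is consulted, so a flow that gets translated to the WAN address can no longer match the crypto ACL and is forwarded in the clear. The Python model below is an added illustration written for this page, not Cisco software and not something posted in the thread. It reuses the ACL entries, the static NAT and the Gi0/0 address from the configs above; the "no exemption" variant of ACL 110 and the second DMZ host 192.168.1.30 are constructed for comparison and do not appear in the original post.

```python
"""Model of the page's egress path: ASA static NAT followed by IOS NAT
exemption and crypto-map matching.  Added example; not Cisco code."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "ip"   # "ip" stands for any IP protocol; use "icmp" for a ping


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" | "deny"
    proto: str    # "ip" matches every protocol, otherwise exact match
    src: str      # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_lookup(acl: List[Ace], flow: Flow) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for ace in acl:
        if (ace.proto in ("ip", flow.proto)
                and _addr_match(ace.src, flow.src)
                and _addr_match(ace.dst, flow.dst)):
            return ace.action
    return "deny"


# --- ASA, pre-8.3 semantics: ingress ACL sees the real address, then NAT ---
ASA_DMZ1_IN = [Ace("permit", "ip", "host 192.168.1.29", "any")]
ASA_STATIC = {"192.168.1.29": "192.168.1.40"}   # static (dmz1,outside) 192.168.1.40 192.168.1.29


def asa_egress(flow: Flow) -> Optional[Flow]:
    """Returns the flow as it leaves the ASA's outside interface, or None if dropped."""
    if acl_lookup(ASA_DMZ1_IN, flow) != "permit":
        return None
    return replace(flow, src=ASA_STATIC.get(flow.src, flow.src))


# --- IOS router ---
ACL_110_PAGE = [Ace("deny", "ip", "host 192.168.1.40", "host 10.13.2.19"),   # NAT exemption
                Ace("permit", "ip", "host 192.168.1.40", "any")]
ACL_110_NO_EXEMPTION = [Ace("permit", "ip", "host 192.168.1.40", "any")]     # constructed: exemption missing
ACL_198 = [Ace("permit", "ip", "host 192.168.1.40", "host 10.13.2.19")]       # crypto ACL
WAN_IP = "41.220.72.126"   # Gi0/0, where crypto map CLICK is applied


def router_egress(flow: Flow, nat_acl: List[Ace],
                  crypto_acl: List[Ace] = ACL_198) -> Tuple[str, Flow]:
    """IOS inside->outside order: NAT is applied BEFORE the crypto map is checked,
    so a translated flow can no longer match a crypto ACL written for the inside address."""
    if acl_lookup(nat_acl, flow) == "permit":
        flow = replace(flow, src=WAN_IP)
    if acl_lookup(crypto_acl, flow) == "permit":
        return ("encrypted", flow)
    return ("cleartext", flow)


def egress_path(server_ip: str, dst: str, nat_acl: List[Ace] = ACL_110_PAGE,
                proto: str = "ip") -> Tuple[str, Optional[Flow]]:
    """Trace one flow from the DMZ server through the ASA and the router."""
    translated = asa_egress(Flow(server_ip, dst, proto))
    if translated is None:
        return ("dropped_by_asa", None)
    return router_egress(translated, nat_acl)


if __name__ == "__main__":
    print(egress_path("192.168.1.29", "10.13.2.19"))                        # encrypted, src 192.168.1.40
    print(egress_path("192.168.1.29", "10.13.2.19", ACL_110_NO_EXEMPTION))  # cleartext, src 41.220.72.126
    print(egress_path("192.168.1.29", "8.8.8.8"))                           # cleartext internet traffic, NATed
    print(egress_path("192.168.1.30", "10.13.2.19"))                        # constructed host, dropped by dmz1_in
```

The second call is the case worth checking on a real box: with the NAT exemption missing, the flow to 10.13.2.19 is not dropped, it is NATed to the WAN address and leaves unencrypted, which `show crypto ipsec sa` will show as zero packets encapsulated while the application still appears to "not connect". The model deliberately stops at the router's egress; the return path (decryption, routing 192.168.1.40 back to Vlan10, the ASA's outside_in ACL against the mapped address) is not modelled here.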
Received on Sat Oct 01 2011 - 22:48:38 ART

This archive was generated by hypermail 2.2.0 : Tue Nov 15 2011 - 13:10:29 ART