If this works when you put the server directly behind the router (with the
same IP address), the issue must be related to the ASA. That's why I wanted
to know how you test it. Can you elaborate more on what your test procedure is?
Also try to run 'deb icmp trace' on the ASA to see what's happening.
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com

If you can't explain it simply, you don't understand it well enough -
Albert Einstein


2011/10/1 Solomon Awosina <solomonawosina_at_gmail.com>

> Yes, ICMP is allowed.
>
>
> On Sat, Oct 1, 2011 at 9:31 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>
>> Hi,
>>
>> Can you tell me how you are verifying it? Is it ICMP traffic between
>> servers or what?
>>
>> Regards,
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security), CCSI #33705
>> Technical Instructor
>> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
>> blog: www.ccie1.com
>>
>> If you can't explain it simply, you don't understand it well enough -
>> Albert Einstein
>>
>>
>> 2011/10/1 Solomon Awosina <solomonawosina_at_gmail.com>
>>
>>> Dear Expert,
>>>
>>> I have an issue on my network that I require your help with.
>>>
>>> I have a server (192.168.1.29) that needs to connect to another host
>>> (10.13.2.19) over the internet through a VPN, but it is not connecting.
>>>
>>> My Architecture
>>>
>>> My server is connected behind a Cisco ASA which is connected to a Cisco
>>> router. It is on the router that the VPN is set up.
>>>
>>> My_Server(192.168.1.29) ==> Cisco ASA(192.168.1.17) ==> Cisco
>>> Router(192.168.1.46) <=====> Cisco ASA(196.200.119.100) ==>
>>> Other_host(10.13.2.19)
>>>
>>> internet
>>>
>>> If I put my server behind the Cisco router, I connect successfully. Like
>>> this:
>>>
>>> My_Server(192.168.1.40) ==> Cisco Router(192.168.1.46) <=====> Cisco
>>> ASA(196.200.119.100) ==> Other_host(10.13.2.19)
>>>
>>> internet
>>>
>>> Below are my configs.
>>>
>>> *Cisco ASA*
>>>
>>> ASA Version 7.0(7)
>>> !
>>> !
>>> interface Ethernet0/0
>>>  nameif outside
>>>  security-level 0
>>>  ip address 192.168.1.33 255.255.255.240
>>> !
>>> interface Ethernet0/1
>>>  nameif inside
>>>  security-level 100
>>>  ip address 172.16.1.1 255.255.255.0
>>> !
>>> interface Ethernet0/2
>>>  nameif dmz1
>>>  security-level 60
>>>  ip address 192.168.1.17 255.255.255.240
>>>
>>> access-list outside_in extended permit icmp any any echo-reply
>>> access-list outside_in extended permit ip host 10.13.2.19 host 192.168.1.40
>>> access-list dmz1_in extended permit ip host 192.168.1.29 any
>>>
>>> static (dmz1,outside) 192.168.1.40 192.168.1.29 netmask 255.255.255.255
>>> access-group outside_in in interface outside
>>> access-group dmz1_in in interface dmz1
>>> route outside 0.0.0.0 0.0.0.0 192.168.1.46
>>>
>>>
>>> *Cisco ROUTER*
>>>
>>> crypto isakmp policy 9
>>>  encr aes 256
>>>  authentication pre-share
>>>  group 2
>>>
>>> crypto isakmp key XXXXXXXXXXXXX address 196.200.119.100
>>> !
>>> crypto ipsec security-association lifetime seconds 86400
>>> !
>>> crypto ipsec transform-set CLICKATELL esp-aes 256 esp-sha-hmac
>>> !
>>> crypto map CLICK 9 ipsec-isakmp
>>>  set peer 196.200.119.100
>>>  set transform-set CLICKATELL
>>>  match address 198
>>> !
>>> interface GigabitEthernet0/0
>>>  description VGC Internet WAN link
>>>  ip address 41.220.72.126 255.255.255.248
>>>  ip nbar protocol-discovery
>>>  ip nat outside
>>>  ip virtual-reassembly
>>>  duplex auto
>>>  speed auto
>>>  crypto map CLICK
>>> !
>>> interface GigabitEthernet0/1
>>>  description 21CTL Internet WAN link
>>>  ip address 80.248.9.142 255.255.255.128
>>>  ip nat outside
>>>  ip virtual-reassembly
>>>  duplex auto
>>>  speed auto
>>> !
>>> interface FastEthernet0/0/0
>>>  description LAN Interface
>>>  switchport access vlan 10
>>> !
>>> interface Vlan10
>>>  description LAN
>>>  ip address 192.168.1.46 255.255.255.240
>>>  ip verify unicast source reachable-via rx
>>>  ip nat inside
>>>  ip virtual-reassembly
>>> !
>>> ip route 10.13.2.19 255.255.255.255 41.220.72.121
>>> ip route 196.200.119.100 255.255.255.255 41.220.72.121
>>> !
>>> access-list 110 deny ip host 192.168.1.40 host 10.13.2.19
>>> access-list 110 permit ip host 192.168.1.40 any
>>> access-list 198 permit ip host 192.168.1.40 host 10.13.2.19
>>>
>>>
>>> WHAT AM I MISSING?
>>>
>>> Kindly assist.
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html

Received on Sun Oct 02 2011 - 08:14:33 ART
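The thread turns on whether the ASA static translation, the router's NAT list and the crypto ACL all agree on the address 192.168.1.40. The following is an added example, not code from any of the posters: a small Python model of the relevant ACL and NAT lines from the configs above that walks the outbound flow hop by hop. It assumes that router ACL 110 is the NAT list (the posted config does not show the `ip nat inside source list 110 ...` binding), that the server sends ICMP, and it models the IOS inside-to-outside order in which translation happens before the crypto map is consulted, so the crypto ACL is matched against the translated source. It also parses the IOS `A WILDCARD` address form, which the thread's lines do not use, assuming contiguous wildcard masks.

```python
"""Hop-by-hop trace of the server-to-remote-host flow.

Added example, not part of the mailing-list thread.  Only the lines of the
posted configs that decide this flow are modelled.  Assumption: router
access-list 110 is the NAT (overload) list; the posted config does not
show it being bound with 'ip nat inside source list 110 ...'.
"""
from ipaddress import ip_address, ip_network

# Constructed from the posted configs.
# static (dmz1,outside) GLOBAL LOCAL  ->  local address is rewritten to global on egress
ASA_STATIC = ("dmz1", "outside", "192.168.1.40", "192.168.1.29")
ASA_DMZ1_IN = ["permit ip host 192.168.1.29 any"]
ASA_OUTSIDE_IN = [
    "permit icmp any any echo-reply",
    "permit ip host 10.13.2.19 host 192.168.1.40",
]
ROUTER_ACL_110 = [  # assumed NAT list: 'deny' means "do not translate"
    "deny ip host 192.168.1.40 host 10.13.2.19",
    "permit ip host 192.168.1.40 any",
]
ROUTER_ACL_198 = ["permit ip host 192.168.1.40 host 10.13.2.19"]  # crypto map match address


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i].

    Returns (network, index of the next unparsed token).  Wildcard masks are
    assumed to be contiguous (0.0.0.255 style), as in the common case.
    """
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wild = tokens[i], tokens[i + 1]
    prefix = 32 - bin(int(ip_address(wild))).count("1")
    return ip_network(f"{addr}/{prefix}", strict=False), i + 2


def acl_action(acl, proto, src, dst):
    """First-match evaluation of an IOS/ASA style extended ACL.

    Each entry is 'permit|deny PROTO SRC DST [extras]'.  Protocol 'ip' matches
    everything; ICMP type keywords (echo-reply) are ignored for this trace.
    Implicit deny at the end, as on the real devices.
    """
    src, dst = ip_address(src), ip_address(dst)
    for ace in acl:
        tok = ace.split()
        action, ace_proto = tok[0], tok[1]
        s_net, i = _parse_addr(tok, 2)
        d_net, _ = _parse_addr(tok, i)
        if ace_proto not in ("ip", proto):
            continue
        if src in s_net and dst in d_net:
            return action
    return "deny"


def trace(local_src, dst, proto="icmp"):
    """Return the decision taken at each hop for local_src -> dst."""
    steps = {"asa_dmz1_in": acl_action(ASA_DMZ1_IN, proto, local_src, dst)}
    if steps["asa_dmz1_in"] != "permit":
        return steps  # dropped on the ASA dmz1 interface, nothing else is consulted

    # ASA static NAT: the local address leaves the outside interface as the global one.
    _, _, global_ip, local_ip = ASA_STATIC
    outside_src = global_ip if local_src == local_ip else local_src
    steps["asa_translated_src"] = outside_src

    # IOS inside->outside: NAT is applied before the crypto map, so the
    # NAT list must exempt the flow and the crypto ACL must see the
    # already-translated source.
    steps["router_nat_exempt"] = acl_action(ROUTER_ACL_110, proto, outside_src, dst) == "deny"
    steps["router_crypto_match"] = acl_action(ROUTER_ACL_198, proto, outside_src, dst) == "permit"

    # Return path.  ICMP is not tracked statefully on ASA 7.x unless
    # 'inspect icmp' is enabled, so the echo-reply must be permitted
    # explicitly by the outside ACL.
    steps["asa_outside_in_return"] = acl_action(ASA_OUTSIDE_IN, proto, dst, outside_src)
    return steps


if __name__ == "__main__":
    from pprint import pprint
    pprint(trace("192.168.1.29", "10.13.2.19"))
    pprint(trace("192.168.1.30", "10.13.2.19"))  # a host the static does not cover
```

For the posted lines the trace reports a consistent picture (translated to 192.168.1.40, exempted from NAT, matched by the crypto ACL, reply permitted inbound), which is why the thread moves on to `debug icmp trace` on the ASA rather than to the ACLs; a mismatch at any step is what this kind of check would surface first.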
This archive was generated by hypermail 2.2.0 : Tue Nov 15 2011 - 13:10:29 ART