Saturday, February 8, 2020

Cisco ASA 5520 - Remote Access VPN: Works, but no ping. Why?

Hi All,

I have an ASA 5520 in the US with remote access VPN capabilities via Cisco VPN Client. I have another site over in the UK that the US ASA has a site-to-site VPN to. In addition to that, the US ASA has site-to-site VPNs to about 140 other ASAs throughout the world. When connected to the remote access VPN, I can ping all of those sites, EXCEPT for this UK site... BUT... the actual services are accessible over this remote access VPN for the users in the US reaching out to the UK. I just can't ping the IP of the very same server that is successfully providing these users access, from the remote access VPN subnet. If I go to the US site and try to ping it (off the remote access VPN), it replies fine.

Packet tracer shows ICMP is permitted in both directions on both of the ASAs. The sniffer shows this:

An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command

Inspect ICMP is on the UK side, not the US side. Tried turning it off. Didn't matter.
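Packet-tracer only simulates the ASA's own policy; to see what happens to a real echo request from the VPN pool, the connection syslogs are more useful. The script below is an added example (not from the original post) that correlates the ASA ICMP connection messages per flow and separates three cases: the ASA denied the packet by ACL (syslog 106023), the ASA built and tore down an ICMP connection (302020/302021), or it built one with no teardown in the log window. It assumes the standard shapes of those three syslog messages; the log lines, addresses and access-group name are constructed samples, not a capture from the author's ASAs.

```python
"""Correlate Cisco ASA ICMP connection syslogs per flow.

Added example; assumes the standard message layout of syslog IDs
302020 (Built ICMP connection), 302021 (Teardown ICMP connection)
and 106023 (Deny ... by access-group). Sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: one permitted ping from a VPN-pool client
# (10.10.20.5) to a server (10.50.1.10), the server's own ping back,
# an ACL drop toward 10.50.1.20, and a session to 10.50.1.30 that
# was built but never torn down inside this window.
SAMPLE_LOG = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 10.10.20.5/0 gaddr 10.50.1.10/0 laddr 10.50.1.10/0 type 8 code 0
%ASA-6-302021: Teardown ICMP connection for faddr 10.10.20.5/0 gaddr 10.50.1.10/0 laddr 10.50.1.10/0 type 8 code 0
%ASA-6-302020: Built outbound ICMP connection for faddr 10.50.1.10/0 gaddr 10.10.20.5/0 laddr 10.10.20.5/0 type 8 code 0
%ASA-6-302021: Teardown ICMP connection for faddr 10.50.1.10/0 gaddr 10.10.20.5/0 laddr 10.10.20.5/0 type 8 code 0
%ASA-4-106023: Deny icmp src outside:10.10.20.5 dst inside:10.50.1.20 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302020: Built inbound ICMP connection for faddr 10.10.20.5/0 gaddr 10.50.1.30/0 laddr 10.50.1.30/0 type 8 code 0
"""

# 302020 carries a direction word; 302021 does not, so it is optional.
CONN_RE = re.compile(
    r"%ASA-\d-(30202[01]): (Built|Teardown) (?:(inbound|outbound) )?ICMP connection "
    r"for faddr (\S+?)/\d+ gaddr \S+ laddr (\S+?)/\d+ type (\d+) code (\d+)"
)
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny icmp src (\w+):(\S+) dst (\w+):(\S+) "
    r"\(type (\d+), code (\d+)\) by access-group \"([^\"]+)\""
)


def summarize_icmp(log_text):
    """Return {(src, dst, icmp_type): {"built": n, "torn_down": n, "denied": n}}.

    For connection events src is the ASA's faddr and dst its laddr; for
    ACL denies src/dst are taken straight from the 106023 message.
    """
    stats = defaultdict(lambda: {"built": 0, "torn_down": 0, "denied": 0})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            _msgid, verb, _direction, faddr, laddr, icmp_type, _code = m.groups()
            key = (faddr, laddr, int(icmp_type))
            stats[key]["built" if verb == "Built" else "torn_down"] += 1
            continue
        m = DENY_RE.search(line)
        if m:
            _sif, src, _dif, dst, icmp_type, _code, _acl = m.groups()
            stats[(src, dst, int(icmp_type))]["denied"] += 1
    return dict(stats)


def classify(stats):
    """Label each flow as 'denied', 'permitted' (built and torn down) or
    'built-not-closed' (session built but no teardown seen in the window)."""
    labels = {}
    for key, s in stats.items():
        if s["denied"]:
            labels[key] = "denied"
        elif s["built"] > s["torn_down"]:
            labels[key] = "built-not-closed"
        else:
            labels[key] = "permitted"
    return labels


if __name__ == "__main__":
    stats = summarize_icmp(SAMPLE_LOG)
    for key, label in sorted(classify(stats).items()):
        src, dst, icmp_type = key
        print(f"{src} -> {dst} icmp type {icmp_type}: {label} {stats[key]}")
```

Read the result as evidence about the ASA only: a 302020 for the pool-client-to-server flow shows the echo request reached the ASA and was permitted, a 106023 shows the ASA itself dropped it, and a flow that never gets a 302020 points at routing, NAT exemption or the crypto ACL rather than at the ICMP policy. A 302021 by itself cannot tell you whether the echo reply came back, because with `inspect icmp` the connection is also torn down when the short ICMP idle timeout expires.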


