ASA1 is 8.4(2) @ 192.168.1.1, behind this is host1 @ 192.168.1.10
ASA2 is 8.4(3) @ 192.168.2.1, behind this is host2 @ 192.168.2.10
Pinging from host1 to host2 works, but I can't ping the inside interface (192.168.2.1) on ASA2 over the tunnel from host1. I'm not too sure where to start. I want to access all management features over the VPN, so I have entered the following on ASA2:
ssh 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
But I can't ping, connect via SSH, or connect via ASDM to ASA2 from host1. ASA2 is already configured with management-access inside for management from machines local to it.
I don't think there is any incorrect NAT configuration here; there should be no NAT between the subnets:
ASA1: nat (Inside,Outside) source static 192.168.1.0/24 192.168.1.0/24 destination static 192.168.2.0/24 192.168.2.0/24
ASA2: nat (Inside,Outside) source static 192.168.2.0/24 192.168.2.0/24 destination static 192.168.1.0/24 192.168.1.0/24
What can I check or change?
UPDATE
OK, I have run a packet capture on each ASA and pinged from ASA1 to ASA2 and vice versa. For some reason, the pings from the ASAs themselves aren't being sent over the tunnel.
ASA1# show capture testc access-list capture
1428 packets captured
155: 10:55:18.745460 ASA.1.PUBLIC.IP > 192.168.2.1: icmp: echo request
159: 10:55:18.761236 ASA.1.PUBLIC.GATEWAY > ASA.1.PUBLIC.IP: icmp: time exceeded in-transit
161: 10:55:20.742545 ASA.1.PUBLIC.IP > 192.168.2.1: icmp: echo request
163: 10:55:20.758429 ASA.1.PUBLIC.GATEWAY > ASA.1.PUBLIC.IP: icmp: time exceeded in-transit
The same results are observed on ASA2. So even though hosts on that inside subnet are using the VPN, the ASA's inside interface itself is not. Do you think it's the NAT rules above; should they have "route-lookup" on the end?
Best Answer
Have you tried to allow access to ssh and http from the outside interface for this subnet?
If you check the logging in the ASDM monitoring section, you should see why your management traffic is being stopped.
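As an added example (not part of the question, the accepted answer, or any Cisco documentation), here is what the answer's suggestion and the checks a practitioner would run look like on the ASA CLI. Only the interface names (inside/outside), the two ASAs, host1, and the 192.168.x addresses come from the thread; the capture name, logging levels, and the icmp rule are assumptions for illustration.

```cisco
! Added example; not the original poster's or the answerer's config.
! Interface names and addresses are from the question, the rest is assumed.
!
! ===== ASA2: management of the inside interface IP from the remote LAN =====
!
! Lets traffic arriving on the outside interface (the far side of the
! tunnel, 192.168.1.0/24) reach ASA2's inside interface address
! (192.168.2.1). Without it, packets for an interface other than the one
! they arrived on are dropped.
management-access inside
!
! What the question already has: SSH/ASDM permitted to the inside
! interface IP from the remote subnet (the form that goes with
! management-access inside).
ssh 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
!
! What the accepted answer suggests trying in addition: permit the same
! remote subnet against the outside interface as well.
ssh 192.168.1.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 outside
!
! Caveat: ICMP to an interface is allowed by default, but as soon as any
! "icmp ... <if_name>" rule exists for that interface, anything not
! explicitly permitted is denied. This rule is assumed; add it only if
! host1's pings to 192.168.2.1 turn out to be what is being dropped.
icmp permit 192.168.1.0 255.255.255.0 inside
!
! ===== Checks (the answer's "look at the logging", done from the CLI) =====
! Make sure denies are actually logged, then filter for host1.
logging enable
logging buffered informational
logging asdm informational
show logging | include 192.168.1.10
!
! Capture only ICMP on ASA2's inside interface while host1 pings 192.168.2.1.
capture mgmt interface inside match icmp any any
show capture mgmt
no capture mgmt
!
! ===== ASA1: the ASA-originated pings from the update =====
! "ping 192.168.2.1" with no interface name takes its source address from
! the egress interface of the route lookup, here the outside (public) IP.
! That source does not match the 192.168.1.0/24 <-> 192.168.2.0/24 crypto
! ACL, so the packet leaves unencrypted via the default gateway, which is
! consistent with the echo requests and "time exceeded" replies captured
! on the outside. Naming the inside interface sources the ping from
! 192.168.1.1, which the tunnel does cover.
ping inside 192.168.2.1
! The encaps/decaps counters for the 192.168.1.0/24 -> 192.168.2.0/24
! proxy identity should increase with each successful ping.
show crypto ipsec sa
```

The ping caveat matters for the update: a ping from the ASA itself is not a valid test of whether the inside interface IP is reachable through the tunnel unless the source interface is specified, so the capture in the update does not by itself show the NAT rules are wrong.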