To allow ICMP "through" the ASA you need to add ICMP to the global inspection policy. Try this:
policy-map global_policy
class inspection_default
inspect icmp
2. To allow ICMP traffic TO an interface on the ASA you need to add icmp allow statements:
icmp permit <network> <mask> echo...
If it's being "blocked" you should receive an ICMP type 3 destination unreachable diagnostic message from the device that's blocked the connection attempt. tcpdump / Wireshark would verify this.
If it's being "dropped" you won't receive any notification.
Cheers,
Scott.
If nat-control is enabled you must have a nat statement in order for the traffic to be forwarded, NAT / NAT0 or otherwise.
If you disable nat-control and remove the nat statements it should still work.
Do you have a route back to the source network on the router that you're sending icmp echo...
There doesn't look to be a great deal wrong with that tbh. You don't need the deny statement in the 104 access list though.
Are you able to post the config from the remote device... or even better both configs with the private stuff removed?
$8ct@
Can the NCL router ping the 192.168.100.1 interface on the LON router across the p2p link? If so I'd work backwards from there...
Have you set the correct default-gateway on the PC1 (I assume it should be, 170.10.1.0)? Can you ping the default gateway?
Does the LON have a valid route back to...
Has the neighbour relationship formed? There's a mismatched subnet on the point-to-point serial link; that would be my first stop. You've used a /30 on one side and a /24 on the other (according to the diagram).
run
show ip ospf neighbor (and if there aren't any neighbours listed)
run...
Are you able to post the configs? It looks like there is still a nat issue there. Have you got a deny statement to specify that traffic crossing the VPN should not be translated? I may be mistaken but it also looks like you're missing a transform set and optional security-association for the phase...
You should just be able to add a deny statement to the beginning of the list that specifies which traffic you wish to translate..
ip nat inside source list 101 interface atm0 overload
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 (Don't nat the Interesting VPN Traffic)...
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2+
interface ATM0.1 point-to-point
description ***OUTSIDE_INTERFACE***
ip address A.B.C.D 255.255.248.0
ip verify unicast...
Just change the "Interface Metric" value on the NIC you wish to use as the primary card for internet access etc. It will be set to auto, you could change it to "1" and the other as "2". All remote traffic will then be sent from this interface. You will find this under TCP/IP v4 -> General Tab ->...
Forgive me if I'm wrong but I would agree with TUI with regards to the RDP traffic.
You've specified 3389 as the destination port both ways, which it isn't. You need to select it as the source port for returning traffic; the destination port would be "any" (>1024)
i.e.
access-list XXX permit...
Hi,
I'm hoping some of the Cisco gurus out there might be able to help. I'm having a small issue with my 877w ISR. All I am wanting to do is allow my XBOX 360 traffic for Xbox Live. I'm using the "Zone Based Firewall" not CBAC. For whatever reason my version of SDM (2.5) / Windows 7 / Java...
It depends on your budget but I would definitely recommend a 2509 / 2511 router to use as an access server. If you've got more than 4 or 5 devices, swapping the console cable over each time soon gets annoying.
I'd definitely recommend the CBT Nugget videos by Jeremy Cioara and also the...