topic Re: FirePower/ASA | Can't Ping Interfaces in Network Security

FirePower/ASA | Can't Ping Interfaces

zekebashi — Fri, 21 Feb 2020 16:04:47 GMT

Hello,

I am using an ASA on the Firepower 2110. I was trying to traffic flow between interfaces and configured one interface E1/5 with ip address 10.1.215.115/24; security-level 100 and another interface E1/6 with ip address 10.1.253.115/25; security-level 100). I allowed icmp from any to each interface. I created an ACL to allow icmp to each interface. I attahced two laptops to each interface( laptop215: 10.1.215.100/24- GW: 10.1.215.115 and laptop253: 10.1.253.100/24- GW: 10.1.253.115).

From laptop215, I can ping it's GW (10.1.215.115 just fine. From laptop253, I can also ping it's GW: 10.1.253.115 just fine.

On the ASA, I can ping each interface just fine, but the issue I am facing is that when I try to ping from laptop215 to interface E1/6 - 10.1.253.115, it fails. The same thing happens when I try to ping from laptop253 to interface E1/5 - 10.1.215.115.

I can't figure out why I can't ping from each host (laptop) to the other interface or laptop. Why can't I ping from one host 10.1.253.100 to interface 10.1.251.115 or host 10.1.215.100 to 10.1.253.115?

Any assistance would be greatly appreciated.

Best, ~zK

Re: FirePower/ASA | Can't Ping Interfaces

Rob Ingram — Wed, 08 Aug 2018 19:34:41 GMT

Hi, Do you have the command "same-security-traffic permit inter-interface" configured?

If the 2 interfaces have the same security level, the default security policy will not permit traffic to pass between the two interfaces.

If you do, can you please run packet-tracer and upload the output

HTH

Re: FirePower/ASA | Can't Ping Interfaces

zekebashi — Wed, 08 Aug 2018 21:08:00 GMT

Yes, the "same-security-traffic" command was enabled.

Attached is the output of packet tracer.

Thanks in advance.... ~zK s

Re: FirePower/ASA | Can't Ping Interfaces

Rob Ingram — Wed, 08 Aug 2018 21:27:35 GMT

Ok, packet-trace confirms it should be allowed.

If I understand you correctly you are attempting to ping an interface of the ASA that you are not connected to (as in the interface connected to the other laptop). Try configuring the management-access command, reference here.

If you cannot ping the laptops, do they have a local firewall enabled?

HTH

Re: FirePower/ASA | Can't Ping Interfaces

zekebashi — Wed, 08 Aug 2018 21:45:21 GMT

That's correct. I am trying to ping from one laptop that's directly connected to one interface (10.1.251.x) to another on the ASA (10.1.253.x) and vice versa. Win FW is disabled on both laptops. The issue is when I try to ping from laptop 10.1.253.100 to ASA interface 10.1.251.115, ping fails!

I attached the ASA intfs configs and test results.

Thanks..

Re: FirePower/ASA | Can't Ping Interfaces

Rob Ingram — Wed, 08 Aug 2018 21:51:18 GMT

Ok, but did you enable the management-access command like I previously suggested?

Re: FirePower/ASA | Can't Ping Interfaces

zekebashi — Thu, 09 Aug 2018 06:39:11 GMT

Yes. I did!

Re: FirePower/ASA | Can't Ping Interfaces

zekebashi — Fri, 10 Aug 2018 22:35:47 GMT

I ended up rebooting the ASA and it worked.

Thanks for your assistance.

Re: FirePower/ASA | Can't Ping Interfaces

Corey Davies — Fri, 10 Aug 2018 23:34:17 GMT

I have noticed a few areas lately when working with the Cisco ASA firewalls that a reboot or "clear conn" has fixed the odd issue(s). In the latest case I was running 9.9(2). Glad it worked out for you.