topic Is your network on the other in Network Security

Can't ping inside interface coming from a network across MPLS

wribeiro2305 — Tue, 12 Mar 2019 08:55:33 GMT

Hi all,

I've been facing this issue. I can't ping the ASA interface from a network across the MPLS connection. I can ping from local LAN.
I have a Cisco ASA 5510.

Cisco Adaptive Security Appliance Software Version 8.4(7)30
Device Manager Version 7.1(4)

Some of my configuration

icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
inspect icmp
inspect icmp error

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

management-access Inside

It's not route, because access to the internal LAN across the MPLS works fine.

Watching the logs on ASDM and it's being allowed.

I run out of options.

Thanks.

Is your network on the other

rikshit4aggarwal — Mon, 13 Feb 2017 12:04:53 GMT

Is your network on the other end, also an Internal Network and have same or higher security level as management?

Regards,

Rikshit

You cannot ping (or ssh/https

Rahul Govindan — Mon, 13 Feb 2017 12:09:21 GMT

You cannot ping (or ssh/https for that matter) to an interface of an ASA when coming in through another interface. This is by design and cannot be changed AFAIK. The only exception to this is when you are coming in through a VPN tunnel interface on another interface - for which "management-access" is required.

We have monitoring Server

wribeiro2305 — Mon, 13 Feb 2017 12:14:47 GMT

We have monitoring Server within 192.168.22.0/24 on HQ. However I can't ping my Inside interface on a ASA (192.168.100.0/24) in a remote site across our MPLS link. I can ping the MPLS interface and I can ping Servers within 192.168.100.0/24, but not the ASA interface.

Inside interface on the ASA 192.168.100.201 has the same security level as management (100).

Hi Rahul, I can't do either

wribeiro2305 — Mon, 13 Feb 2017 12:21:57 GMT

Hi Rahul,

I can't do either of them (ping, ssh or https).
I have the management-access enabled on Inside interface.

The ACL is allowing and when I watch the logs on ASDM I can see the connection building up.

Thanks.

Yes, that is by design. If

Rahul Govindan — Mon, 13 Feb 2017 12:32:01 GMT

Yes, that is by design. If you are coming in via an MPLS interface, you wont be able to access the ASA inside interface. You can access everything else on the inside network, except the inside interface. It does not matter what ACL rules are in place. You can only ping the inside interface from the inside network, Mpls interface from MPLS network etc.

Thanks for the info... I didn

wribeiro2305 — Mon, 13 Feb 2017 12:37:48 GMT

Thanks for the info... I didn't know that.

Yeah this feature is a carry

Rahul Govindan — Mon, 13 Feb 2017 12:49:01 GMT

Yeah this feature is a carry over from the PIX days. It has been documented here:

The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html

Also doc bug is here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtd86651/?referring_site=bugquickviewclick

Since it mentions only ping, SSH and HTTPS may be still possible if you add the right access rules. I have not tested this so not sure of the behavior.

If you have an MPLS interface

rikshit4aggarwal — Mon, 13 Feb 2017 12:53:42 GMT

If you have an MPLS interface configured on ASA, then you cannot ping internal interface..What security level have you configured on the MPLS interface.??You can only ping the MPLS interface and then the traffic will be redirected through the Internal interface to the internal resources depending on the config. done in ASA

Regards,

Rikshit