topic Did you enable ICMP in Network Security

can't ping asa sub interfaces

abhongi01 — Tue, 12 Mar 2019 06:52:07 GMT

I am not able ping ASA 5505 running 8.2.5 sub interface. The traffic is passing thru the interface but not able to ping asa interfaces.

interface GigabitEthernet0/1.13

vlan 13

nameif ESXHosts

security-level 100

ip address 10.10.13.254 255.255.255.0

interface GigabitEthernet0/1.14

vlan 14

nameif Ranger

security-level 100

ip address 10.10.14.254 255.255.255.0

interface GigabitEthernet0/1.18

vlan 18

nameif Clients1

security-level 100

ip address 10.10.18.254 255.255.255.0

interface GigabitEthernet0/1.19

vlan 19

nameif Clients2

security-level 100

ip address 10.10.19.254 255.255.255.0

interface GigabitEthernet0/1.29

vlan 29

nameif DCHosts

security-level 100

ip address 10.10.29.254 255.255.255.0

interface GigabitEthernet0/1.80

vlan 80

nameif AIXPublic

security-level 100

ip address 10.10.80.254 255.255.255.0

interface GigabitEthernet0/1.81

vlan 81

nameif AIXPrivate

security-level 100

ip address 10.10.81.254 255.255.255.0

interface GigabitEthernet0/1.82

vlan 82

nameif Temp1

security-level 100

ip address 10.10.82.254 255.255.255.0

interface GigabitEthernet0/1.83

vlan 83

nameif Temp2

security-level 100

ip address 10.10.83.254 255.255.255.0

**** I have setup the same-security-traffic

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Did you enable ICMP

Andre Neethling — Wed, 11 Nov 2015 05:35:00 GMT

Did you enable ICMP inspection in your service policy rules under default inspection traffic?

Have you tried to ping hosts on the other side of the interface? And not the interface it's self?

Hi,

Akshay Rastogi — Wed, 11 Nov 2015 06:49:55 GMT

Hi,

Could you please check the output of 'show run icmp' from the ASA. Please provide the output here.

try adding 'icmp permit <source-ip> <255.255.255.255> <sub-interface-name>'

Please let me know if ping works after adding this.

Regards,

Akshay Rastogi

Akshay,

abhongi01 — Wed, 11 Nov 2015 15:05:46 GMT

Akshay,

Here is my icmp commands..

ciscoasa# show run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any AIXPrivate
icmp permit any ESXHosts
icmp permit 10.10.0.0 255.255.0.0 echo-reply Ranger

Andre..

Here is my inspect config

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!

I am able to ping host on other network.. just not the gateway.. which is my ASA subinterfaces..

I don't think the asa will

Andre Neethling — Wed, 11 Nov 2015 15:14:00 GMT

I don't think the asa will allow icmp to the interface. If you can ping the hosts, why would you want to ping the interface? You already have traffic successfully traversing the subinterfaces.

Hi,

Akshay Rastogi — Wed, 11 Nov 2015 15:19:24 GMT

Hi,

As i had mentioned in my last comment, please add the below command. As you have already configured 'permit icmp' then you need to explicitly allow all the source ips from which you need to allo pings to your interface ip or rest of the ip for interface pings would be implicitely dropped. Therefore :

icmp permit <source-ip(from whrere you are pinging sub-interface)> 255.255.255.255 <sub-interface-name>

You have only configured :

cmp permit any AIXPrivate
icmp permit any ESXHosts
icmp permit 10.10.0.0 255.255.0.0 echo-reply Ranger

- any body is allowed to ping from AIXPrivate

- any body is allowed to ping from ESXHosts

- Only echo-reply is allowed when ping is initiated from ASA with Ranger as source interface.

Regards,

Akshay Rastogi