https://community.cisco.com/t5/network-security/asa-cannot-ping-internal-subinterfaces-dmzs/m-p/2576115#M198078 <P>Hello everyone,</P><P>&nbsp;</P><P>I have some&nbsp;questions regarding internal interfaces on the Cisco ASA.</P><P>&nbsp;</P><P>I have a CISCO 5555-X running version 9.1(3) and a pretty simple configuration. I have an INSIDE and a DMZ, both of them are port-channels but DMZ is working as sub-interfaces.</P><P>&nbsp;</P><P>Hosts on the DMZ are able to reach all the hosts on the INSIDE and vice versa, I haven´t restricted any traffic yet.But if a host from the INSIDE tries to ping a sub-interface on the ASA (DMZ default-gateway) it gets no response. Even if I ping from the INSIDE interface itself to a DMZ sub-interface I still get no response.</P><P>&nbsp;</P><P>INSIDE: 192.168.254.26</P><P>DMZ sub: 13.1.1.1</P><P>&nbsp;</P><P>ASA/pri/act# packet-trace input inside icmp 192.168.254.26 8 0 13.1.1.1</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in &nbsp; 13.1.1.1 &nbsp; &nbsp; &nbsp; &nbsp;255.255.255.255 identity</P><P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in &nbsp; 13.1.1.1 &nbsp; &nbsp; &nbsp; &nbsp;255.255.255.255 identity</P><P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (no-route) No route to host</P><P>&nbsp;</P><P>Is this an expected behavior?&nbsp;</P><P>&nbsp;</P><P>Any help will be highly appreciated.&nbsp;</P><P>&nbsp;</P><P>THANKS!</P> Tue, 12 Mar 2019 05:19:18 GMT Oscar Bonilla 2019-03-12T05:19:18Z https://community.cisco.com/t5/network-security/asa-cannot-ping-internal-subinterfaces-dmzs/m-p/2576115#M198078 <P>Hello everyone,</P><P>&nbsp;</P><P>I have some&nbsp;questions regarding internal interfaces on the Cisco ASA.</P><P>&nbsp;</P><P>I have a CISCO 5555-X running version 9.1(3) and a pretty simple configuration. I have an INSIDE and a DMZ, both of them are port-channels but DMZ is working as sub-interfaces.</P><P>&nbsp;</P><P>Hosts on the DMZ are able to reach all the hosts on the INSIDE and vice versa, I haven´t restricted any traffic yet.But if a host from the INSIDE tries to ping a sub-interface on the ASA (DMZ default-gateway) it gets no response. Even if I ping from the INSIDE interface itself to a DMZ sub-interface I still get no response.</P><P>&nbsp;</P><P>INSIDE: 192.168.254.26</P><P>DMZ sub: 13.1.1.1</P><P>&nbsp;</P><P>ASA/pri/act# packet-trace input inside icmp 192.168.254.26 8 0 13.1.1.1</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in &nbsp; 13.1.1.1 &nbsp; &nbsp; &nbsp; &nbsp;255.255.255.255 identity</P><P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in &nbsp; 13.1.1.1 &nbsp; &nbsp; &nbsp; &nbsp;255.255.255.255 identity</P><P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (no-route) No route to host</P><P>&nbsp;</P><P>Is this an expected behavior?&nbsp;</P><P>&nbsp;</P><P>Any help will be highly appreciated.&nbsp;</P><P>&nbsp;</P><P>THANKS!</P> Tue, 12 Mar 2019 05:19:18 GMT https://community.cisco.com/t5/network-security/asa-cannot-ping-internal-subinterfaces-dmzs/m-p/2576115#M198078 Oscar Bonilla 2019-03-12T05:19:18Z https://community.cisco.com/t5/network-security/asa-cannot-ping-internal-subinterfaces-dmzs/m-p/2576116#M198079 <P>That's as expected.</P><P>You can only ping an ASA interface (assuming it's been allowed) from a host downstream of that interface. Also, you can not ping one ASA interface from another one.</P><P>In either case, when talking to an interface directly, the traffic needs to come from a network that's connected to or downstream from that interface.</P> Sat, 10 Jan 2015 00:07:59 GMT https://community.cisco.com/t5/network-security/asa-cannot-ping-internal-subinterfaces-dmzs/m-p/2576116#M198079 Marvin Rhoads 2015-01-10T00:07:59Z https://community.cisco.com/t5/network-security/asa-cannot-ping-internal-subinterfaces-dmzs/m-p/2576117#M198081 <P>Thank you Marvin,</P><P>&nbsp;</P><P>That´s exactly what I needed to know.</P><P>&nbsp;</P><P>Have a great week!</P> Mon, 12 Jan 2015 15:55:39 GMT https://community.cisco.com/t5/network-security/asa-cannot-ping-internal-subinterfaces-dmzs/m-p/2576117#M198081 Oscar Bonilla 2015-01-12T15:55:39Z