Pinging from ASA using Interface as Source - Packet-Tracer

GRANT3779 — Tue, 12 Mar 2019 04:10:33 GMT

Hi There,

I have the following Interfaces and routes.

interface GigabitEthernet0/0.127
vlan 127
nameif Vlan127
security-level 50
ip address 192.168.127.1 255.255.255.0
!
interface GigabitEthernet0/0.128
vlan 128
nameif Vlan128
security-level 50
ip address 192.168.128.1 255.255.255.0
!
interface GigabitEthernet0/0.129
vlan 129
nameif Vlan129
security-level 50
ip address 192.168.129.1 255.255.255.0
!
interface GigabitEthernet0/0.250
description Vid_Conf
vlan 250
nameif vlan250
security-level 100
ip address 10.44.250.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.27.100.160 255.255.252.0

route outside 0.0.0.0 0.0.0.0 217.x.x.x
route inside 10.0.0.0 255.0.0.0 172.27.100.10 1
route inside 172.16.0.0 255.240.0.0 172.27.100.10 1

I'm running a packet tracer to see if I can ping one of my inside networks using the vlan interface IP as the source.

packet-tracer input vlan250 icmp 10.44.250.1 8 0 172.27.4.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.240.0.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: vlan250
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Should I be able to use the VLAN250 Interface IP as the source?

If I use another address within that network the packet tracer allows ICMP. See below

# packet-tracer input vlan250 icmp 10.44.250.10 8 0 172.27.4.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.240.0.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:

and so forth...

I believe you can only source

Marvin Rhoads — Thu, 08 May 2014 15:49:04 GMT

I believe you can only source traffic from ASA the itself on the interface which is the correct egress to the target network (when that target is a connected network).

topic I believe you can only source in Network Security

Pinging from ASA using Interface as Source - Packet-Tracer

I believe you can only source