https://community.cisco.com/t5/network-security/unable-to-ping-asa-interfaces-asa-intra-interface/m-p/1890225#M457064 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I required a desperate help on this.</P><P>Please help me some one</P></BODY></HTML> Mon, 16 Apr 2012 12:53:58 GMT awadheshkumar 2012-04-16T12:53:58Z https://community.cisco.com/t5/network-security/unable-to-ping-asa-interfaces-asa-intra-interface/m-p/1890224#M457063 <P>Hi,</P><P></P><P>I can not ping the DMZ hosts from my Inside or from other interface Network and vice-versa</P><P></P><P></P><P>mention below is my ASA Config:</P><P></P><P>: Saved</P><P>:</P><P>ASA Version 8.0(5) </P><P>!</P><P>hostname Test</P><P>domain-name default.domain.invalid</P><P>dns-guard</P><P>!</P><P>interface Ethernet0/0</P><P> description + + + + Connection to Internet (Outside) + + + +</P><P> nameif outside</P><P> security-level 0</P><P> ip address 202.X.X.X 255.255.255.224 </P><P>!</P><P>interface Ethernet0/1</P><P> description + + + + Connection to LAN (Inside) + + + +</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.0.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> nameif DMZ</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/3</P><P> description VV</P><P> nameif VV</P><P> security-level 100</P><P> ip address 192.168.2.1 255.255.255.0 </P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 172.16.1.1 255.255.255.0 </P><P> management-only</P><P>!</P><P>boot system disk0:/asa805-k8.bin</P><P>no ftp mode passive</P><P>clock timezone IST 5 30</P><P>dns domain-lookup outside</P><P>dns domain-lookup inside</P><P>dns server-group DefaultDNS</P><P> name-server 203.122.X.X</P><P> name-server 203.122.X.X</P><P> domain-name default.domain.invalid</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>access-list 110 remark + + + +&nbsp; OUTSIDE + + + +</P><P>access-list 110 extended permit icmp any any </P><P>access-list 110 extended permit icmp any any echo </P><P>access-list 110 extended permit icmp any any echo-reply </P><P>access-list 110 extended permit icmp any any source-quench </P><P>access-list 110 extended permit icmp any any unreachable </P><P>access-list 110 extended permit icmp any any time-exceeded </P><P>access-list 120 remark + + + + INSIDE + + + +</P><P>access-list 120 extended permit icmp any any </P><P>access-list PropRem_splitTunnelAcl remark VPN_Client_local_Lan_access</P><P>access-list PropRem_splitTunnelAcl standard permit host 0.0.0.0 </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu DMZ 1500</P><P>mtu VV 1500</P><P>mtu management 1500</P><P>ip local pool R_IP_vpn 192.168.0.240-192.168.0.250 mask 255.255.255.0</P><P>ip local pool R_IP_VPN2 192.168.1.240-192.168.1.250 mask 255.255.255.0</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any DMZ</P><P>arp timeout 14400</P><P>nat-control</P><P>global (outside) 1 interface</P><P>global (outside) 2 202.63.X.X netmask 255.255.255.224</P><P>global (outside) 3 202.63.X.X netmask 255.255.255.224</P><P>global (outside) 4 202.63.X.X netmask 255.255.255.224</P><P>global (outside) 5 202.63.X.X netmask 255.255.255.224</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (DMZ) 1 0.0.0.0 0.0.0.0</P><P>static (DMZ,outside) 202.63.x.x 192.168.1.18 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.X.X 192.168.1.11 netmask 255.255.255.255 </P><P>static (inside,outside) 202.63.X.X 192.168.0.2 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.X.X 192.168.1.20 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.X.X 192.168.1.19 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.x.x 192.168.1.10 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.x.x 192.168.1.12 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.x.x 192.168.1.6 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.x.x 192.168.1.13 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.x.x 192.168.1.7 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.x.x 192.168.1.14 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.x.x 192.168.1.2 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.x.x 192.168.1.201 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.x.x 192.168.1.202 netmask 255.255.255.255 </P><P>static (DMZ,outside) 202.63.x.x 192.168.1.9 netmask 255.255.255.255 </P><P>access-group 110 in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 202.63.X.X 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication telnet console LOCAL </P><P>http server enable</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map</P><P>crypto map outside_map interface outside</P><P>crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map DMZ_map interface DMZ</P><P>crypto isakmp identity hostname </P><P>crypto isakmp enable outside</P><P>crypto isakmp enable DMZ</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>no crypto isakmp nat-traversal</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics</P><P>threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200</P><P>group-policy PropRem internal</P><P>group-policy PropRem attributes</P><P> dns-server value 4.2.2.2 203.X.X.x</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value PropRem_splitTunnelAcl</P><P>tunnel-group PropRem type remote-access</P><P>tunnel-group PropRem general-attributes</P><P> address-pool R_IP_VPN2</P><P> default-group-policy PropRem</P><P>tunnel-group PropRem ipsec-attributes</P><P></P><P></P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns migrated_dns_map_1 </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect icmp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>: end</P> Mon, 11 Mar 2019 22:53:37 GMT https://community.cisco.com/t5/network-security/unable-to-ping-asa-interfaces-asa-intra-interface/m-p/1890224#M457063 awadheshkumar 2019-03-11T22:53:37Z https://community.cisco.com/t5/network-security/unable-to-ping-asa-interfaces-asa-intra-interface/m-p/1890225#M457064 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I required a desperate help on this.</P><P>Please help me some one</P></BODY></HTML> Mon, 16 Apr 2012 12:53:58 GMT https://community.cisco.com/t5/network-security/unable-to-ping-asa-interfaces-asa-intra-interface/m-p/1890225#M457064 awadheshkumar 2012-04-16T12:53:58Z https://community.cisco.com/t5/network-security/unable-to-ping-asa-interfaces-asa-intra-interface/m-p/1890226#M457065 <HTML><HEAD></HEAD><BODY><P>You need to bound an access-list with icmp echo-reply statement on your dmz interface. </P></BODY></HTML> Tue, 17 Apr 2012 13:51:43 GMT https://community.cisco.com/t5/network-security/unable-to-ping-asa-interfaces-asa-intra-interface/m-p/1890226#M457065 maik.behley 2012-04-17T13:51:43Z