topic Cannot Ping local Subnet from ASA in Network Security

Cannot Ping local Subnet from ASA

shaw.chris — Mon, 11 Mar 2019 13:56:28 GMT

Can someone please check this config,

We have this asa5510 as our default gateway (10.0.0.1)

We also have a 2821 router running cme with two sub interfaces (10.0.0.3 & 192.168.100.1)

I have added a route on the asa to 192.168.100.0 but cannot ping to 192.168.100.1 from clients on the 10.0.0.0 network although I can from the asa itself.

Can you see what is causing this?

Thanks,

Chris

Re: Cannot Ping local Subnet from ASA

JORGE RODRIGUEZ — Sun, 12 Oct 2008 11:46:48 GMT

asa config seems fine

IN 2821 router do you have a route back to reach 10.0.0.0/24 subnet or a default route pointing to asa inside interface

i.e

ip route 10.0.0.0 255.255.255.0 10.0.0.1

ip route 0.0.0.0 0.0.0.0 10.0.0.1

if you do have above example already in 2821, can you gather asa logs while trying to ping 192.168.100.0/24 hosts from 10.0.0.0/24 network and post the logs.

Rgds

Jorge

Re: Cannot Ping local Subnet from ASA

shaw.chris — Sun, 12 Oct 2008 18:45:00 GMT

Hi,

I tried adding ip route 0.0.0.0 0.0.0.0 10.0.0.1 but still wouldn't work. Would it still need this route even though the 2821 has one of it's interfaces in the 10.0.0.0/24 network?

When I try and ping from the client 10.0.0.78 to 192.168.100.1 this shows up in the asa log

portmap translation creation failed for icmp src INSIDE:10.0.0.78 dst INSIDE:192.168.100.1 (type 8, code 0)

does anyone have an idea what could be causing this

Thanks,

Chris

Re: Cannot Ping local Subnet from ASA

shaw.chris — Sun, 12 Oct 2008 20:54:40 GMT

I thought it may be to do with the ASA natting traffic to 192.168.100.0 so I added

access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0

It still doesn't ping but I get a different error on the ASA:

No translation group found for icmp src INSIDE:10.0.0.78 dst INSIDE:192.168.100.1 (type 8, code 0)

Re: Cannot Ping local Subnet from ASA

JORGE RODRIGUEZ — Mon, 13 Oct 2008 00:39:36 GMT

Sorry for late reply..

invert the acl

remove

no access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0

rewrite statement with

access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0

then try from 10.10.10.78 pinging to any host on the 192.168.100.0/24 net

Re: Cannot Ping local Subnet from ASA

amady3381 — Mon, 13 Oct 2008 04:00:28 GMT

Hi Chris

add these commands and it will work fine with you

same-security-traffic permit intra-interface

static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 norandomseq nailed

static (inside,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 norandomseq nailed

sysopt noproxyarp inside

failover timeout -1

When you put these commands it will work fine.

Thanks,

Re: Cannot Ping local Subnet from ASA

shaw.chris — Tue, 14 Oct 2008 07:47:23 GMT

Thanks for your help, would it be possible to explain what these commands are doing as well.

Re: Cannot Ping local Subnet from ASA

amady3381 — Tue, 14 Oct 2008 08:03:55 GMT

Dear Chris

refer to the below link and you can find the answer:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1d776

also you can have another solution if you put the default gateway for the users as the CME router (10.0.0.3) and point a default route on the router to the 10.0.0.1 (ip route 0.0.0.0 0.0.0.0 10.0.0.1).

thanks,

Re: Cannot Ping local Subnet from ASA

shaw.chris — Wed, 05 Nov 2008 22:44:04 GMT

Thanks for your help.

Would this affect performance if all packets had to go through the router first rather than straight out of the ASA?

Also I have Site to Site VPN's set up that I wish to connect to the CME system e.g. 192.168.3.0 is a remote site. What steps would I need to take for this network to see the internal 192.168.100.0 network?

Regards,

Chris