Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
574
Views
0
Helpful
3
Replies

ASA 5020 Interface issue

Dave Kozlowski
Level 2
Level 2

‎09-11-2014 03:39 AM - edited ‎03-11-2019 09:44 PM

I have 2 interfaces on a ASA 5020. One external and one internal.
External is on a C mask and internal is on a \23 mask.  

I am inside another firewall so I have NAT setup and I have any to any between the interfaces.

Each interface talks to its side of the network but it seems that the 2 interfaces are not talking to each other. I can ping to each side with no problem with the correct interface but if I use the interface interface to ping out it doesn't work and the same with using the prod interface with pinging internally.

Not sure what I am missing.  

Dave

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎09-11-2014 04:31 AM

Hi,

 

If your problem is that you can not PING a remote interface then that is by design and can not be made to work with any configuration.

 

What I specifically mean is that you can only PING the interface behind which you are located. If your host is behind "inside" interface it can PING the "inside" interface IP address but not the "outside" interface IP address. To be able to PING the "outside" interface IP address the host must be in a subnet that is located/found behind the "outside" interface.

 

Hope this helps 🙂

 

- Jouni

0 Helpful

Dave Kozlowski
Level 2
Level 2
In response to Jouni Forss

‎09-11-2014 05:03 AM

Jouni,

Here is my issue then.  From a windows server within the inside interface. I am not getting out to the internet.  How can I figure our where my issue is.

Like I said there is a production ASA in the front of all of this and those engineers says the problem is not them.

Thanks

Dave

0 Helpful

Marius Gunnerud
VIP Alumni
VIP Alumni
In response to Dave Kozlowski

‎09-12-2014 02:09 PM

You could run a packet tracer and see what that shows.  Enter the following command by adding the relavent interface name for the ingress interface where the server is connected to, and the server's private IP.

packet-tracer input <interface name> tcp <windows server IP> 12345 4.2.2.2 80 detail

The output should give you an idea if there is a drop for the traffic passing through your ASA...or not.  And it should give us an idea where to start looking if there is a drop.  If you want help looking at the output, please post the full output here (remove any public IPs).

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card