02-22-2009 09:14 PM - edited 03-11-2019 07:54 AM
Hi,
I have just configured my brand new ASA 5510 with ASA Version 8.0(4). I am having a little problem: I cannot access (nor even ping) the DMZ interface and other interfaces from an inside host; meanwhile, I can access the servers behind the DMZ and other interfaces.
When I ping the DMZ interface I find the messages below in the logging.
Built inbound ICMP connection for faddr 192.168.10.33/512 gaddr 172.16.250.5/0 laddr 172.16.250.5/0
Details:
%ASA-6-302020: Built {in | out}bound ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | cmp_type} laddr laddr
An ICMP session was established in the fast-path when stateful ICMP is enabled using the inspect icmp command.
Teardown ICMP connection for faddr 192.168.10.33/512 gaddr 172.16.250.5/0 laddr 172.16.250.5/0
Details:
%ASA-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | cmp_type} laddr laddr
An ICMP session was removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.
I tried a lot but couldn't get success.
Please help!
02-23-2009 12:09 AM
A host residing on an interface can only ping its adjacent ASA interface. It cannot ping the far end interface of the ASA. For example, if you have a host on inside, this host can only ping the inside interface of the ASA and no other interface (e.g. outside or dmz). Although the hosts connected to "far end interfaces" can be pinged, a "far end interface" cannot be pinged by a host. This is a security feature on ASA firewalls.
Syed Iftekhar Ahmed
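The behaviour described in the answer above, as an added example that is not part of the original thread: Python that reads ASA-6-302020 messages like the ones in the question and labels each ping as aimed at the adjacent ASA interface, at a far end ASA interface, or at a host behind the firewall. The `INTERFACES` table (including the 192.168.10.1 inside address and the /24 networks), the 172.16.250.20 host, and reading `faddr` as the pinging host are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: the question's two messages with their syslog IDs,
# plus one constructed ping to a host behind the DMZ (172.16.250.20).
SAMPLE_LOG = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.10.33/512 gaddr 172.16.250.5/0 laddr 172.16.250.5/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.10.33/512 gaddr 172.16.250.5/0 laddr 172.16.250.5/0
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.10.33/512 gaddr 172.16.250.20/0 laddr 172.16.250.20/0
"""

# Assumed topology: interface name -> (ASA interface IP, attached network).
INTERFACES = {
    "inside": ("192.168.10.1", "192.168.10.0/24"),
    "dmz": ("172.16.250.5", "172.16.250.0/24"),
}

BUILT_RE = re.compile(
    r"%ASA-6-302020: Built (?:in|out)bound ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr [\d.]+(?:/\d+)?"
)


def attached_interface(ip):
    """Return the name of the interface whose network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (_, network) in INTERFACES.items():
        if addr in ipaddress.ip_network(network):
            return name
    return None


def classify_pings(log_text):
    """Label each 302020 event: adjacent-interface, far-end-interface or through-traffic."""
    asa_ips = {ip: name for name, (ip, _) in INTERFACES.items()}
    results = []
    for match in BUILT_RE.finditer(log_text):
        src, dst = match["faddr"], match["gaddr"]
        dst_if = asa_ips.get(dst)
        if dst_if is None:
            kind = "through-traffic"      # target is a host, not the ASA itself
        elif dst_if == attached_interface(src):
            kind = "adjacent-interface"   # the only ASA interface a host can ping
        else:
            kind = "far-end-interface"    # no echo reply expected, per the answer above
        results.append((src, dst, kind))
    return results


if __name__ == "__main__":
    for src, dst, kind in classify_pings(SAMPLE_LOG):
        print(f"{src} -> {dst}: {kind}")
```
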
02-23-2009 01:34 AM
Thank you so much for your reply, Mr. Iftikhar,
I got your point; I sensed that too, but wasn't sure. Once again, thanks :)
I have a question: is this security feature only available in ASA ver. 8.0(4), or is it an ASA feature regardless of ASA version?
Thank you,
Zafar-
02-23-2009 01:50 AM
It's there since PIX days.
It exists for all ASA codes.
Syed Iftekhar Ahmed
02-23-2009 02:19 AM
Thanks once again :)