ASA 5510, can't connect to the internet through a switch

sj.constantine
Level 1

Hi

I have an ASA 5510 connected to the internet through a switch. I can't hit the internet with the following config, and I am not sure why. If I address the switch on the interface facing the internet, it is fine and I can ping anything public that I try.

If I try to ping out through the ASA with the below config, I can't hit anything. If I address the link between the ASA and the switch, I can ping across it, so there's no problem with connectivity from the ASA that I can tell.

Any ideas?


Switch:

interface GigabitEthernet0/1
 description Link to Internet
 switchport access vlan 2
!
interface GigabitEthernet0/2
 description Link to ASA
 switchport access vlan 2

ASA:

interface Ethernet0/1
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.10.10.10.1 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1

Am I missing something obvious here?

11 Replies

ip address 10.10.10.10.1 255.255.255.252

I am assuming that the above is a typo?

Are you able to ping 10.10.10.2 from the ASA?

Do you have any access lists applied to the ASA? You would need an ACL on the outside interface which permits return ICMP packets, since ping requests and ping replies are separate traffic flows.

access-list out-in permit icmp any any

access-group out-in in interface outside

--

Please remember to select a correct answer and rate helpful posts

Hi guys,

Thanks for your responses.

The problem isn't with ICMP not being allowed or traffic being blocked on an ACL, because if I address the switch with the default gateway on the interface connecting to the ASA, I can ping it fine. So there's no problem with ICMP being blocked, i.e. this:

switch:

int gi0/1
 ip add 10.10.10.2 255.255.255.252

asa:

int eth0/1
 ip add 10.10.10.1 255.255.255.252
 nameif outside
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
!
asa5100# ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

I just can't figure out why the switch isn't passing the traffic, though (if that is indeed the problem), as that is its most basic function: a dumb switchport in the same VLAN. Right?

Pinging to the ASA has nothing to do with pinging through the ASA. The ASA behaves differently than a router when it comes to interface ACLs. On the ASA, the interface ACLs only control through traffic by default. For pinging through the ASA you should inspect icmp (as shown above) or test with other protocols.

I have inspect icmp and an ACL permitting ICMP both in and out on the outside interface.

Still no good.

The ACL on the outside interface is not needed any more if icmp is inspected.

  1. Please show your config
  2. Double-check the ip settings of the internal PC that you use for your tests.
  3. Has your external router a route back to the ASAs internal network?

I am pinging from the ASA itself, not the inside network.

interface Ethernet0/1
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.252
!
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any
access-list 101 extended permit ip any any
!
access-group 101 in interface outside
access-group 101 out interface outside
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
!


asa5510# ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

You originally stated that you try to ping through the ASA. Now you are pinging from the ASA. But ok ...

After pinging do a "show arp | i 10.10.10.2". You should see an entry there which means that you can reach that device. Most likely, icmp is blocked on the 10.10.10.2 device. Continue troubleshooting there.

Argh, my bad - sorry!

Doesn't show up in the ARP table

asa5510# sh arp
        mgmt 172.17.240.65 000b.45e2.484a 44

ICMP isn't blocked on the gateway (10.10.10.2), as when I address my switch as 10.10.10.1 I can ping the gateway and anything on the internet. It's only when I address the ASA that I can't ping/reach the internet.

The switchports are access ports in the same VLAN without any other config, towards the internet and towards the ASA. They should be passing traffic without any restrictions.

When you don't see an arp entry, then the gateway doesn't talk to your ASA.

Please try to unplug the outside interface and the gateway from the switch before testing. It could be that old arp-entries prohibit the communication.

Since you have the switch as the default route for the ASA, are you able to ping the internet from the switch?  Have you defined a default route on the switch?

--

Please remember to select a correct answer and rate helpful posts

If you are only testing it with ICMP, then that could be the problem as it's not handled statefully by default. Configure the following and try again:

policy-map global_policy
 class inspection_default
  inspect icmp

And you should also try "real" traffic like surfing the web, telnet/ssh and so on.
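The diagnosis in this thread comes down to a handful of checks that are easy to script against a saved config: whether the outside address is well formed (the first post's 10.10.10.10.1 is not), whether the default-route next hop sits inside the outside subnet, whether that next hop has an ARP entry after a ping (the poster's show arp lists only the mgmt interface, which is why the replies point at layer 2 rather than at ACLs), whether inspect icmp is enabled so echo replies are allowed back without an interface ACL, and whether the troubleshooting ACL left permit ip any any applied inbound on the outside interface. The Python below is an added example written for this page, not code from any of the posters or from Cisco. It parses an ASA config fragment and show arp output that are constructed here from the posts, and its regexes cover only the kinds of config lines that appear in the thread.

```python
"""Offline checks for the ASA-behind-a-switch problem in this thread (added example,
not code from the thread or from Cisco). Parses an ASA config fragment and 'show arp'
output (constructed below from the posts) and reports a malformed address, a next hop
outside the interface subnet or without an ARP entry, a missing 'inspect icmp', and
'permit ip any any' applied inbound on a security-level 0 interface."""
import ipaddress
import re

def parse_interfaces(config):
    """Return {nameif: {'ip', 'mask', 'security_level'}} from 'interface' stanzas."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"ip": None, "mask": None, "security_level": None}
        elif line == "!":
            cur = None
        elif cur is not None and line:
            words = line.split()
            if words[0] == "nameif":
                ifaces[words[1]] = cur
            elif words[0] == "security-level":
                cur["security_level"] = int(words[1])
            elif words[:2] == ["ip", "address"] and len(words) >= 4:
                cur["ip"], cur["mask"] = words[2], words[3]
    return ifaces

def parse_routes(config):
    """Return [(nameif, gateway)] for each 'route <nameif> <net> <mask> <gw> ...' line."""
    return re.findall(r"^\s*route (\S+) \S+ \S+ (\S+)", config, re.M)

def parse_acl_groups(config):
    """Return [(nameif, direction, [(action, proto, rest)])] for every applied access-group."""
    rules = {}
    for name, action, proto, rest in re.findall(
            r"^\s*access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$", config, re.M):
        rules.setdefault(name, []).append((action, proto, rest.strip()))
    return [(nameif, direction, rules.get(name, [])) for name, direction, nameif in
            re.findall(r"^\s*access-group (\S+) (in|out) interface (\S+)", config, re.M)]

def parse_arp(show_arp):
    """Map IP -> nameif from ASA 'show arp' lines of the form '<nameif> <ip> <mac> <age>'."""
    return {w[1]: w[0] for w in (ln.split() for ln in show_arp.splitlines()) if len(w) >= 3}

def audit(config, show_arp):
    """Return a list of finding strings; an empty list means none of the checks fired."""
    findings, nets = [], {}
    ifaces = parse_interfaces(config)
    for name, i in ifaces.items():
        if i["ip"] is None:
            continue
        try:  # rejects a five-part address such as 10.10.10.10.1 and a five-octet mask
            nets[name] = ipaddress.IPv4Interface(f"{i['ip']}/{i['mask']}").network
        except ValueError as e:
            findings.append(f"{name}: malformed address '{i['ip']} {i['mask']}' ({e})")
    arp = parse_arp(show_arp)
    for nameif, gw in parse_routes(config):
        if nameif not in nets:
            findings.append(f"route via {nameif}: interface has no valid address")
        elif ipaddress.IPv4Address(gw) not in nets[nameif]:
            findings.append(f"route via {nameif}: next hop {gw} is not in {nets[nameif]}")
        if gw not in arp:  # pinged and still no ARP entry: a layer-2 problem, not an ACL problem
            findings.append(f"route via {nameif}: no ARP entry for next hop {gw}")
    for nameif, direction, rules in parse_acl_groups(config):
        wide_open = any(a == "permit" and p == "ip" and r.split()[:2] == ["any", "any"]
                        for a, p, r in rules)
        if wide_open and direction == "in" and ifaces.get(nameif, {}).get("security_level") == 0:
            findings.append(f"{nameif}: 'permit ip any any' inbound on a security-level 0 interface")
    if not re.search(r"^\s+inspect icmp\s*$", config, re.M):  # simplified check
        findings.append("inspect icmp is off: echo replies through the ASA need an explicit ACL")
    return findings

# Constructed from the original post; note the five-part address.
FIRST_CONFIG = """\
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.10.10.10.1 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
"""
# Constructed from the later post that showed the full config and 'show arp'.
LATER_CONFIG = """\
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.252
!
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
policy-map global_policy
 class inspection_default
  inspect icmp
"""
SHOW_ARP = "        mgmt 172.17.240.65 000b.45e2.484a 44\n"
```

Calling audit(FIRST_CONFIG, SHOW_ARP) reports the malformed address, the unusable route, the missing ARP entry and the absent inspect icmp; audit(LATER_CONFIG, SHOW_ARP) is left with two findings, the missing ARP entry for 10.10.10.2 (the layer-2 problem the later replies focus on) and the permit ip any any rule applied inbound on the outside interface, which the thread never comes back to and which should be removed once the test is over, since it admits any Internet host through the firewall. Note that traffic the ASA originates itself, such as its own ping, is not subject to interface ACLs or inspection, so for the poster's test only the address and ARP checks are relevant; the inspect icmp check matters once hosts behind the ASA are pinging through it.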
