08-28-2017 02:42 AM - edited 02-21-2020 06:14 AM
I'm not (yet) an expert with firewalls, but is there a reason why I can't ping subinterfaces from one ASA to another (or even from one subinterface on the ASA to another subinterface on the same ASA)?
I can ping devices behind the subinterfaces, but I just get unreachables when I try to ping the subinterface itself.
- ICMP inspects are on
- "permit icmp any" on all the subinterfaces
- no ACLs blocking the ICMP
What am I missing here?
08-28-2017 12:07 PM - edited 08-28-2017 12:19 PM
I'm not following the diagram, i.e. gi0/0.1 appears to have the same IP.
Assuming a typo, and assuming that is the shared VLAN you refer to, then yes, your tests show the right results.
It is primarily done as a security feature as far as I know, and it is not just ping; if I remember correctly it is all traffic (although you may want to test that!)
Jon
08-28-2017 11:10 AM - edited 08-28-2017 11:11 AM
It's not clear exactly where the interfaces are in relation to your ping, but as a general answer:
You can ping the inside interface from the inside and you can ping the outside interface from the outside (assuming you have allowed it).
But what you cannot do is ping the outside interface from the inside or the inside interface from the outside.
In other words the ICMP packets cannot enter in one interface destined for another interface on the same ASA and this applies to any interfaces on the ASA.
This is by design.
Jon
08-28-2017 11:39 AM
Hi Jon,
Thanks for the information. Let's make a simple topology:
This is just drawn very flat. Now let's say no ACLs are in place, ICMP inspects are enabled, and there are no security-level problems or anything like that. Just two simple ASAs with a trunk and some subinterfaces.
So both ASAs have one "shared" VLAN.
Here is the "problem" we're experiencing for example:
- I can't ping from G0/0.10 (ASA02) to G0/0.30 (ASA01)
- I can ping any device behind G0/0.30 from G0/0.10
It's perfectly fine if it's by design, since both ASAs will talk to each other in this case over the "shared" VLAN and have to reply over another subinterface (which is the same physical interface). If that's the case, I'm fine with it. But could you please explain why it is like that?
The reason I'm asking: it's for my own satisfaction. Even though I know the routing and everything is fine, I just like the confirmation of a ping :).
Cheers,
Eric
08-28-2017 09:06 PM
Jon is correct.
Traffic sourced from a given interface (or host behind that interface) destined for a remote ASA cannot interact with an interface on the "far side" of the remote ASA. The only exception would be if you designated the remote interface as a management interface.
The rationale behind this is to prevent network reconnaissance via the ASA.
08-28-2017 10:31 PM
Thanks Jon and Marvin,
So it doesn't necessarily mean it can't pass over the trunk interface, but you just won't get a reply when you ping (for example) over a "shared" to another interface on that same ASA?