Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
636
Views
5
Helpful
2
Replies

ASA cannot ping internal subinterfaces (DMZs)

Go to solution
Oscar Bonilla
Level 1
Level 1

‎01-09-2015 03:42 PM - edited ‎03-11-2019 10:19 PM

Hello everyone,

 

I have some questions regarding internal interfaces on the Cisco ASA.

 

I have a CISCO 5555-X running version 9.1(3) and a pretty simple configuration. I have an INSIDE and a DMZ, both of them are port-channels but DMZ is working as sub-interfaces.

 

Hosts on the DMZ are able to reach all the hosts on the INSIDE and vice versa, I haven´t restricted any traffic yet.But if a host from the INSIDE tries to ping a sub-interface on the ASA (DMZ default-gateway) it gets no response. Even if I ping from the INSIDE interface itself to a DMZ sub-interface I still get no response.

 

INSIDE: 192.168.254.26

DMZ sub: 13.1.1.1

 

ASA/pri/act# packet-trace input inside icmp 192.168.254.26 8 0 13.1.1.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   13.1.1.1        255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   13.1.1.1        255.255.255.255 identity

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

 

Is this an expected behavior? 

 

Any help will be highly appreciated. 

 

THANKS!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-09-2015 04:07 PM

That's as expected.

You can only ping an ASA interface (assuming it's been allowed) from a host downstream of that interface. Also, you can not ping one ASA interface from another one.

In either case, when talking to an interface directly, the traffic needs to come from a network that's connected to or downstream from that interface.

View solution in original post

2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-09-2015 04:07 PM

That's as expected.

You can only ping an ASA interface (assuming it's been allowed) from a host downstream of that interface. Also, you can not ping one ASA interface from another one.

In either case, when talking to an interface directly, the traffic needs to come from a network that's connected to or downstream from that interface.

Go to solution
Oscar Bonilla
Level 1
Level 1
In response to Marvin Rhoads

‎01-12-2015 07:55 AM

Thank you Marvin,

 

That´s exactly what I needed to know.

 

Have a great week!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card