
ASA cannot ping the loopback address

robertouko77
Level 1

Hi Team,

I have been having a problem with loading ASDM onto my ASA in GNS3 (v1.5.3). The connection is an ASA to the switch, which is then connected to the Cloud (with loopback interface) as shown below. I cannot ping the Cloud from the ASA and vice versa, even after configuring ACLs to permit ICMP traffic, with the configs below. Kindly assist, as the aim is to load the ASDM to the ASA.

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list 77 extended permit icmp any host 192.168.110.1 echo
access-list 77 extended permit icmp any host 192.168.110.1 echo-reply
access-list 77 extended permit icmp any host 192.168.110.1 time-exceeded
access-list 77 extended permit icmp any host 192.168.110.1
pager lines 23
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group 77 in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import

1 Reply

Marvin Rhoads
Hall of Fame

You don't need the access-list since you are initiating traffic from the ASA.

You do need (and don't have) a default route if your destination address is anywhere other than on the connected 192.168.110.0/24 subnet.

The setup is a bit odd (even though it is a lab) in that you have the inside interface connected towards the cloud. That aside, it should work with a default route added.
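The routing point from the reply, as an added example that is not part of the original thread: a short Python sketch that collects connected and static routes from an ASA config and does a longest-prefix lookup for a destination. The destination 10.0.0.5 and the gateway 192.168.110.254 are constructed values, not taken from the post.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the posted config (it has no "route" line).
POSTED = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no ip address
!
access-group 77 in interface inside
"""
# Same config plus a default route; the gateway address is an assumption.
WITH_ROUTE = POSTED + "route inside 0.0.0.0 0.0.0.0 192.168.110.254\n"

def routing_table(config):
    """Return (network, source) pairs for active interfaces and static routes."""
    table, shutdown = [], False
    for line in config.splitlines():
        if line.startswith("interface "):
            shutdown = False              # new interface block starts enabled
        elif line.strip() == "shutdown":
            shutdown = True               # ignore addresses on disabled ports
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and not shutdown:
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            table.append((net, "connected"))
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)
        if m:                             # route <ifname> <network> <mask> <gateway>
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            table.append((net, f"static via {m.group(4)} on {m.group(1)}"))
    return table

def lookup(config, dest):
    """Longest-prefix match for dest; None means the ASA has no route to it."""
    addr = ipaddress.ip_address(dest)
    hits = [(n, s) for n, s in routing_table(config) if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("with default route", WITH_ROUTE)):
        for dest in ("192.168.110.50", "10.0.0.5"):
            print(f"{name:20} {dest:16} -> {lookup(cfg, dest)}")
```

A `None` result for the posted config means the ASA has no route to that destination, so a ping to it fails regardless of what the access-list permits.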
