12-11-2008 09:11 AM - edited 03-11-2019 07:24 AM
Hi,
what is necessary to ping an interface of the ASA?
It is an interface (security-level 1) with a public ip address (a.b.c.d). We can't ping it from the internet and we also can't ping it from another inside network (other physical interface).
We tried "icmp permit host a.b.c.d interfacename".
We tried to create access rules for this interface: source and destination ANY, Service ICMP/ECHO/ECHO-REPLY.
We have no idea what the problem is.
Maybe someone can help us.
greetings
12-11-2008 09:44 AM
An ACL should suffice; here is a copy of mine.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
When you have this applied and you ping, what do the logs say?
12-11-2008 10:04 AM
Hello Lydia,
Best practice is adding inspection:
policy-map global_policy
class inspection_default
inspect icmp
Regards
12-11-2008 10:17 AM
You cannot reach the remote interface if the traffic is sourced from a local segment.
12-12-2008 12:10 AM
Hey,
it is what we have:
policy-map DEFAULT_POLICYMAP
 class DEFAULT_CLASSMAP
  …
  …
  inspect icmp
  inspect icmp error
Ok, I configured:
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
but the ping says "timeout". In the logging of the ASA I can see:
built inbound icmp connection; source my computer, destination the gateway of my computers subnet
then teardown icmp connection; source my computer, destination the gateway of my computers subnet
then teardown icmp connection; source my computer, destination the ip of the interface we want to ping
But there is no deny.
It is not the outside interface we want to ping. It is another one we want to use for vpn. Outside-Interface, VPN-Interface and Inside-Interface are 3 physical interfaces.
greetings Lydia
12-12-2008 03:15 AM
Lydia,
You can remove all access-lists, if you already have inspection in place. Make sure that this default_policymap is assigned global, not to an interface.
Second, as previously mentioned, pinging an interface from a subnet bound to another interface is not possible. The only exception to this is IPSec VPN tunnels: the remote end terminated at the outside interface can ping the inside interface IP IF! this interface is assigned the management interface role with the command "management-access inside".
Please describe us from which subnet connected to which interface you are trying to ping which interface. Posting the sanitized config would help, it may be a routing issue
Regards
12-12-2008 04:49 AM
Hey,
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.76.221.249 255.255.255.248 standby 10.76.221.250
 ospf cost 10
!
interface GigabitEthernet0/1.101 (--> it is the gateway)
 vlan 101
 nameif service
 security-level 100
 ip address 134.76.221.126 255.255.255.128 standby 134.76.221.125
 ospf cost 10
!
interface GigabitEthernet0/2.106 (--> no gateway, only one IP of the subnet)
 vlan 106
 nameif vpn
 security-level 1
 ip address 134.76.221.195 255.255.255.224
!
router ospf 1
 router-id 12.12.12.12
 network 10.76.221.248 255.255.255.248 area 10.76.216.0
 network 134.76.221.0 255.255.255.128 area 10.76.216.0
 area 10.76.216.0
 log-adj-changes
!
class-map DEFAULT_CLASSMAP
 description classmap fuer alles
 match default-inspection-traffic
!
policy-map DEFAULT_POLICYMAP
 class DEFAULT_CLASSMAP
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect icmp error
  inspect netbios
  inspect snmp
  inspect sqlnet
  inspect xdmcp
policy-map default_policymap
!
service-policy DEFAULT_POLICYMAP global
The private IP of our outside interface is an IP of a routing network. There is another router before our ASA making the connection to the internet. This router also has the gateway of the IP on interface 0/2.106.
My computer is in the subnet of interface 0/1.101. We want to ping the IP of the interface 0/2.106 and from the Internet because of VPN.
12-12-2008 05:31 AM
Lydia,
You cannot ping the interface IP 134.76.221.195 from any host within the 134.76.221.0/25 network and vice versa. This is the default and non-changeable behaviour of the ASA. Yet, being able to ping or being able to "connect" to another interface's IP from a host connected to a different interface is NOT! a necessity for any VPN operation. If you explain "We want to ping the IP of the interface 0/2.106 and from the Internet !because of VPN!" in detail, then I will advise accordingly.
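The rule stated in this reply (an interface IP only answers ICMP that arrives on that interface) can be checked offline against the configuration posted above. The following is an added example, not code from the thread or from Cisco: it parses the interface, policy-map and service-policy lines, works out which interface a given source enters on, and reports whether a to-the-box ping of a target interface IP can succeed. It assumes traffic from addresses not on any connected subnet enters via the interface named `outside` (i.e. a default route out of `outside`); the source hosts 134.76.221.10 and 198.51.100.7 are constructed sample values, and the `inspect icmp` check only matters for echo passing through the ASA, not for echo to the box.

```python
"""Added example, not from the thread or from Cisco: audit whether a host can
ping an ASA interface IP, using the rule that an interface answers only for
packets arriving on that same interface."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: interface, policy-map and service-policy lines taken
# from the posted config, inline annotations and OSPF lines omitted.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.76.221.249 255.255.255.248 standby 10.76.221.250
interface GigabitEthernet0/1.101
 vlan 101
 nameif service
 security-level 100
 ip address 134.76.221.126 255.255.255.128 standby 134.76.221.125
interface GigabitEthernet0/2.106
 vlan 106
 nameif vpn
 security-level 1
 ip address 134.76.221.195 255.255.255.224
policy-map DEFAULT_POLICYMAP
 class DEFAULT_CLASSMAP
  inspect icmp
  inspect icmp error
policy-map default_policymap
service-policy DEFAULT_POLICYMAP global
"""


@dataclass
class Interface:
    name: str
    nameif: str = ""
    security_level: int = -1
    address: Optional[ipaddress.IPv4Address] = None
    network: Optional[ipaddress.IPv4Network] = None


def parse_config(text):
    """Return (interfaces keyed by nameif, {policy-map: inspections}, global policy-map)."""
    ifaces, policy_maps, global_pm = {}, {}, None
    cur_if = cur_pm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            cur_if, cur_pm = Interface(name=line.split(None, 1)[1]), None
        elif line.startswith("policy-map "):
            cur_pm, cur_if = line.split(None, 1)[1], None
            policy_maps.setdefault(cur_pm, set())
        elif line.startswith(("router ", "class-map ", "access-list ")):
            cur_if = cur_pm = None  # any other top-level block ends the current one
        elif line.startswith("service-policy ") and line.endswith(" global"):
            global_pm = line.split()[1]
        elif cur_if is not None:
            parts = line.split()
            if parts[0] == "nameif":
                cur_if.nameif = parts[1]
                ifaces[cur_if.nameif] = cur_if
            elif parts[0] == "security-level":
                cur_if.security_level = int(parts[1])
            elif line.startswith("ip address "):
                cur_if.address = ipaddress.IPv4Address(parts[2])
                cur_if.network = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}").network
        elif cur_pm is not None and line.startswith("inspect "):
            policy_maps[cur_pm].add(line.split(None, 1)[1])
    return ifaces, policy_maps, global_pm


def ingress_interface(ifaces, src, default_route_if="outside"):
    """Interface a packet from src arrives on: its connected subnet, else the
    default-route interface (assumption: the ASA defaults out of 'outside')."""
    src = ipaddress.IPv4Address(src)
    for iface in ifaces.values():
        if iface.network is not None and src in iface.network:
            return iface
    return ifaces.get(default_route_if)


def audit_ping(config_text, src, target, default_route_if="outside"):
    ifaces, policy_maps, global_pm = parse_config(config_text)
    arrives_on = ingress_interface(ifaces, src, default_route_if)
    owner = next((i for i in ifaces.values() if i.address == ipaddress.IPv4Address(target)), None)
    ok = owner is not None and arrives_on is owner
    if owner is None:
        reason = f"{target} is not an ASA interface address"
    elif ok:
        reason = f"{src} enters on '{owner.nameif}', which owns {target}"
    else:
        reason = (f"{src} enters on '{arrives_on.nameif if arrives_on else None}' but {target} "
                  f"belongs to '{owner.nameif}'; the ASA does not answer for another interface's IP")
    return {
        "ingress": arrives_on.nameif if arrives_on else None,
        "target_interface": owner.nameif if owner else None,
        "to_the_box_ping_possible": ok,
        # relevant to echo *through* the ASA, not to echo aimed at the box
        "icmp_inspected_globally": global_pm is not None and "icmp" in policy_maps.get(global_pm, set()),
        "reason": reason,
    }


if __name__ == "__main__":
    for src, target in (("134.76.221.10", "134.76.221.195"),   # host on 'service' segment
                        ("198.51.100.7", "134.76.221.195"),    # host on the Internet
                        ("198.51.100.7", "10.76.221.249")):    # control: outside IP itself
        print(audit_ping(SAMPLE_CONFIG, src, target))
```

Run as-is, the two pings the thread asks about both come back "not possible" for the same reason: neither source enters the ASA on the `vpn` interface, which is exactly why no deny ever shows up in the log. Only the control case, an Internet host pinging the outside interface's own address, passes.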
12-12-2008 05:52 AM
Yes, I know that it is not necessary.
We wanted to test if the vpn-interface is reachable from the internet etc.
To test VPN we configured it for the outside interface. It worked! But like you see, it's a private IP.
So we configured another interface for VPN with 134.76.221.195.
And VPN is not working. The Cisco VPN Client says "it's not responding".
In both cases we tested the vpn connection from another network part (not saved via our ASA).
12-12-2008 06:15 AM
Now it's much clearer, thanks for the explanation.
When ASA is involved, this design is not applicable when ASA has to terminate the VPN itself.
The Applicable design would be creating a sub-interface in next-hop router for ASA, (that is the router facing ASA g0/0 in 10.76.221.248/29), assign that sub-interface an IP in 134.76.221.0/128 (or it can be the physical interface itself facing ASA), and assign ASA's g0/0 another IP in that same subnet, then configure OSPF accordingly.
Regards
12-12-2008 06:52 AM
Hey,
thank you a lot for your time and your answers!
Well I think it is not the right solution for us. Our network is a little bit complicated :-)
I think we have to read first some manuals again and think about it.
We have a new idea at the moment and I think we will test it next week.
Maybe we will write again here next week :-) then with a picture of the network.
Thank you very much.
Lydia