02-13-2017 03:33 AM - edited 03-12-2019 01:55 AM
Hi all,
I've been facing this issue. I can't ping the ASA interface from a network across the MPLS connection. I can ping it from the local LAN.
I have a Cisco ASA 5510.
Cisco Adaptive Security Appliance Software Version 8.4(7)30
Device Manager Version 7.1(4)
Some of my configuration:
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
inspect icmp
inspect icmp error
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
management-access Inside
It's not a routing issue, because access to the internal LAN across the MPLS works fine.
Watching the logs on ASDM, the traffic is being allowed.
I've run out of options.
Thanks.
02-13-2017 04:49 AM
Yeah, this feature is a carry-over from the PIX days. It has been documented here:
The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html
Also, the doc bug is here:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtd86651/?referring_site=bugquickviewclick
Since it mentions only ping, SSH and HTTPS may still be possible if you add the right access rules. I have not tested this, so I'm not sure of the behavior.
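To illustrate the behavior described in this answer, here is an added ASA configuration fragment (not from the thread or from Cisco's documentation). It assumes the interface names Inside and MPLS, the monitoring subnet 192.168.22.0/24 and the inside subnet 192.168.100.0/24 mentioned above; since the far-side monitoring server can only reach the near-side interface, it polls the MPLS interface and to-the-box ICMP is restricted per interface with `icmp` commands rather than ACLs.

```cisco
! Added example, not part of the original thread.
! Assumes nameif "Inside" (192.168.100.201/24) and nameif "MPLS";
! monitoring server lives in 192.168.22.0/24 on the far side of the MPLS link.
!
! To-the-box ICMP is governed by the per-interface "icmp" commands, not by the
! interface ACLs. By default every interface answers ICMP; as soon as one
! "icmp" command exists for an interface, anything not explicitly permitted
! on that interface is dropped.

! Far-side monitoring: the MPLS interface is the only one that will answer a
! host arriving over MPLS, so that is the address the monitoring server polls.
icmp permit 192.168.22.0 255.255.255.0 echo MPLS
! Keep unreachable messages so path MTU discovery is not broken.
icmp permit any unreachable MPLS
icmp deny any MPLS

! Local management: only hosts on the inside network can ping the Inside
! interface, and only they are allowed to.
icmp permit 192.168.100.0 255.255.255.0 echo Inside
icmp permit any unreachable Inside
icmp deny any Inside

! management-access only applies to traffic that arrives over a VPN tunnel
! terminated on another interface; it does not make Inside reachable
! from the MPLS side.
management-access Inside
```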
02-13-2017 04:04 AM
Is your network on the other end also an internal network, and does it have the same or higher security level as management?
Regards,
Rikshit
02-13-2017 04:14 AM
We have a monitoring server within 192.168.22.0/24 at HQ. However, I can't ping my Inside interface on an ASA (192.168.100.0/24) in a remote site across our MPLS link. I can ping the MPLS interface and I can ping servers within 192.168.100.0/24, but not the ASA interface.
Inside interface on the ASA 192.168.100.201 has the same security level as management (100).
02-13-2017 04:53 AM
If you have an MPLS interface configured on the ASA, then you cannot ping the internal interface. What security level have you configured on the MPLS interface? You can only ping the MPLS interface, and then the traffic will be redirected through the internal interface to the internal resources depending on the config done on the ASA.
Regards,
Rikshit
02-13-2017 04:09 AM
You cannot ping (or ssh/https for that matter) to an interface of an ASA when coming in through another interface. This is by design and cannot be changed AFAIK. The only exception to this is when you are coming in through a VPN tunnel interface on another interface - for which "management-access" is required.
02-13-2017 04:21 AM
Hi Rahul,
I can't do either of them (ping, ssh or https).
I have the management-access enabled on Inside interface.
The ACL is allowing and when I watch the logs on ASDM I can see the connection building up.
Thanks.
02-13-2017 04:32 AM
Yes, that is by design. If you are coming in via an MPLS interface, you won't be able to access the ASA inside interface. You can access everything else on the inside network, except the inside interface. It does not matter what ACL rules are in place. You can only ping the inside interface from the inside network, the MPLS interface from the MPLS network, etc.
02-13-2017 04:37 AM
Thanks for the info... I didn't know that.