cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1136
Views
0
Helpful
3
Replies

Cannot Ping ASA IP Addresses

Net_Stef
Level 1
Level 1

Hello all,

 

I have the following Network Setup:

ASA 5505(Security Plus License) -->Cisco Switch WS-C2960-8TC-L -->PC

 

ASA has 8 interface VLANs, each one with an IP assigned. Cisco Switch has also 8 VLANS each one with an IP assigned.

My PC belongs to 10.10.1.0/24 network, and PC interface on SW is mode access VLAN 1. Link of ASA to Switch is trunk on both sides, allowing all VLANs.

 

I can successfully ping 10.10.2.2 (SW IP VLAN 2), but i cannot ping 10.10.2.1 (ASA IP VLAN 2).

In fact, i cannot ping any other FW IP except the one from Interface VLAN 1 (10.10.1.10).

 

All FW interfaces have the same security level (100), i have enabled same-security-traffic permit inter-interface, same-security-traffic permit intra-interface, inspect icmp and icmp permit any USERS (VLAN 2).

 

Could you please assist in order to resolve the issue? I have also attached the configuration from ASA and Switch.

 

Thank you,

Stef

 

3 Replies 3

looking into your config. your switch interface FastEthernet 0/8 trunk connected to ASA Ethernet0/1. your config looks ok can you make sure the cables are connected properly.

can you share share the output of the command

 

show interface fastethernet 08

and

show interface ethernet0/1

please do not forget to rate.

Hello Sheraz,

 

SW-1#show interfaces fastEthernet 0/8
FastEthernet0/8 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 1c17.d308.9188 (bia 1c17.d308.9188)
Description: ASA5505
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:04, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 577000 bits/sec, 62 packets/sec
5 minute output rate 28000 bits/sec, 31 packets/sec
106245 packets input, 119098143 bytes, 0 no buffer
Received 142 broadcasts (108 multicasts)
1 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 108 multicast, 0 pause input
0 input packets with dribble condition detected
64025 packets output, 6785852 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out


FW# sh int eth0/1
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Description: SW-1
Available but not configured via nameif
MAC address 0081.c466.d58b, MTU not set
IP address unassigned
66961 packets input, 7268173 bytes, 0 no buffer
Received 1655 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
6782 switch ingress policy drops
110885 packets output, 123778937 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

you said you can ping when your PC is VLAN 1 (10.10.1.10) to the default gateway of the ASA.
if that correct than you have to understand you can not ping from PC in VLAN1 and you want to
ping to VLAN-X on ASA interface X. this is by default.

if you try to ping the default gateway of ASA in its respective ip address range it will ping back/reply the pings

please do not forget to rate.
Review Cisco Networking for a $25 gift card