Cannot Ping Through Outside Interface

NES IT
Level 1

Hi All,

I cannot seem to ping from the outside of my 5520 firewall to an inside network. I have a single physical outside interface connected to a Layer 2 switch, with a laptop connected to it. This is on network 10.11.131.0/28. From there, I cannot ping to the inside interface (which is a sub-interface on G0/0) with network 10.11.130.0/24. For some reason, it doesn't work.

Now, I had access-lists in place, but have removed them for testing, and it still doesn't work. I have set the security level of inside and outside to 100, and entered the same-security-traffic permit inter-interface command - still no joy. Could somebody tell me if I have missed something? Below is the relevant configuration.

Inside Interface

interface GigabitEthernet0/0.96
 description L3 Interface - Informational Zone
 vlan 96
 nameif INFORMATIONAL-ZONE
 security-level 100
 ip address 10.11.130.97 255.255.255.240

Outside Interface

interface GigabitEthernet0/1
 description L3 Interface - Untrusted Zone
 nameif UNTRUSTED-ZONE
 security-level 100
 ip address 10.11.131.1 255.255.255.240

There is also no ACL on the inside interface (removed for troubleshooting).

From the inside interface on the FW, there is a trunk to a L3 switch which also has a L3 interface for the inside VLAN. I can ping from the inside PC (10.11.130.99) to the outside PC (10.11.131.10), but not the other way around. Therefore, I cannot FTP or do anything else between the two.

Can anyone tell me if I have missed something?


Thanks,


Dan

4 Replies

Jouni Forss
VIP Alumni

Hi,

Can you share some NAT and ACL configuration related to the ASA?

Also, referring to your problem with the ICMP from the "outside" host to the "inside" interface IP address of the ASA: to my understanding this is not possible in any case with the ASA. This should mean that the only interface you can access from a host behind the ASA is the interface behind which the host is. You can't access a remote interface.

The other problem with ICMP between the "inside" and "outside" host should be handled by looking at the configurations.

One usual problem with ICMP and ASAs is a missing "inspect icmp" at the end of the ASA configuration. This configuration is NOT enabled by default. This configuration automatically allows the Echo-reply messages through the ASA and you won't have to configure ACL rules for ICMP return traffic.

- Jouni

Hi Jouni,

There is no ACL or NAT configuration between these two interfaces; I have removed them to rule those out. I'm trying to ping between an outside host and an inside host, not the interface of the ASA. I can ping from inside to outside, but not the other way. Therefore, FTP connections from inside to outside do not work (and that's what I need).

So, I'm trying to FTP between the inside host 10.11.130.99 and the outside host 10.11.131.10 - but the connection doesn't work.


Thanks,


Dan

Hi,

Can you try the "packet-tracer" to simulate the FTP connection

The format would be

packet-tracer input INFORMATIONAL-ZONE tcp 10.11.130.99 1025 10.11.131.10 21

This should tell what the ASA does to the connection. Please copy/paste the output here.

Also regarding the "security-level" settings. Usually the INSIDE is set to 100 and the OUTSIDE to 0. I don't see a reason to use them as equal.

You could also check if "inspect ftp" is enabled on the firewall. You can also check the real-time logs through the ASDM to see what happens to the connection (although the above packet-tracer command should tell that also).

- Jouni
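Pulling together the checks suggested in this reply and the earlier one about "inspect icmp", the following is an added example configuration and pair of packet-tracer runs. It is not from the original thread or from Cisco documentation; the ACL name UNTRUSTED-ZONE_in, the explicit deny line and the 1025 source port are assumptions. It uses the conventional 100/0 security levels with an explicit ACL for the outside-to-inside echo and FTP, and enables inspect icmp in the global policy, which the default policy does not include (inspect ftp normally is):

```cisco
! Conventional levels: inside 100, outside 0. If both stay at 100 instead,
! "same-security-traffic permit inter-interface" must also be present.
interface GigabitEthernet0/0.96
 vlan 96
 nameif INFORMATIONAL-ZONE
 security-level 100
 ip address 10.11.130.97 255.255.255.240
!
interface GigabitEthernet0/1
 nameif UNTRUSTED-ZONE
 security-level 0
 ip address 10.11.131.1 255.255.255.240
!
! Outside-to-inside needs an explicit permit once the outside is level 0.
! ACL name and the logged deny are assumptions for this example.
access-list UNTRUSTED-ZONE_in extended permit icmp host 10.11.131.10 host 10.11.130.99 echo
access-list UNTRUSTED-ZONE_in extended permit tcp host 10.11.131.10 host 10.11.130.99 eq ftp
access-list UNTRUSTED-ZONE_in extended deny ip any any log
access-group UNTRUSTED-ZONE_in in interface UNTRUSTED-ZONE
!
! Global policy: inspect ftp tracks the FTP data channel; inspect icmp makes
! echo/echo-reply stateful so replies need no separate ACL entry.
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
service-policy global_policy global
!
! Simulate the failing echo request from the outside host (ICMP type 8, code 0)
! and the FTP control connection from the inside host (source port assumed).
packet-tracer input UNTRUSTED-ZONE icmp 10.11.131.10 8 0 10.11.130.99
packet-tracer input INFORMATIONAL-ZONE tcp 10.11.130.99 1025 10.11.131.10 21
```

Each trace lists the phases the packet passes (ROUTE-LOOKUP, ACCESS-LIST, NAT, INSPECT, FLOW-CREATION) and ends with Action: allow or drop plus a Drop-reason; that last part is what is worth pasting back into a thread like this. A clean allow in both directions points away from the ASA and toward routing on the hosts or the L3 switch.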

Andrew Phirsov
Level 7

Maybe there's some other path between the hosts? To me it looks like some kind of asymmetric routing, when one host sends traffic through the ASA and the other one through some other gateway.
