06-27-2019 11:29 PM
Hi Guys
I was wondering if you can help me. I have a Cisco ASA 5515-X and I have created three internal networks: 192.168.0.1 with security level 60, 192.168.2.0 with security level 100 and 192.168.4.0 with security level 50; management is 192.168.1.1 with security level 90.
All ports are internal to the ASA, and when I connect directly to the management port I can access ASDM and also SSH to the ASA.
I have created NAT for all three internal networks and can access the internet from them; I just have the two issues below.
1. From my 192.168.2.0 network, which is security level 100, I cannot access the management network; I cannot ping it either.
I have enabled inspect icmp and I can ping addresses on the internet but not locally. Not sure why this is, as I am going from a higher security level to a lower one.
2. I cannot ping other internal networks from my 192.168.2.0 network, which has security level 100.
I have a default route 0.0.0.0 0.0.0.0 x.x.x.x -> gateway address.
Thanks
06-29-2019 07:49 PM
If both interfaces on the ASA are up, then it will know the route to both subnets on the basis of them being connected (administrative distance = 0). That will supersede even static routes.
Do both the PC and the camera NVR have the respective ASA interface address as their default gateway?
Is there any access-list on either interface? (Once you apply an ACL anything not explicitly permitted will be denied.)
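As an added illustration of the points above (this is not configuration from the thread; the interface numbers, ASA-side addresses and host addresses are assumed), an ASA config with the inside and camera interfaces, ICMP inspection, an ACL whose implicit deny silently blocks ping, and the corrected ACL:

```cisco
! Interfaces as described in the thread; ASA-side addresses are assumed
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif cameras
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
! With no access-group on "inside", level 100 -> 50 is allowed by the
! security levels alone; inspect icmp lets the echo-reply back in
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Too-narrow ACL: once applied, only web traffic is permitted from inside,
! and the implicit deny at the end drops ping to 192.168.4.0/24
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq https
access-group inside_access_in in interface inside
!
! Corrected ACL: explicitly permit ICMP echo (and whatever else the inside
! hosts need) to the camera subnet; everything else stays implicitly denied
access-list inside_access_in extended permit icmp 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0 echo
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0 eq www
!
! Checks: both subnets should appear as connected routes (AD 0), and
! packet-tracer reports the exact phase (e.g. ACCESS-LIST) that drops a ping
! from an assumed PC 192.168.2.10 to an assumed NVR 192.168.4.20
show route
packet-tracer input inside icmp 192.168.2.10 8 0 192.168.4.20
```

If packet-tracer reports ALLOW all the way through, the ASA is not the blocker and the drop is on the host side (as turned out to be the case in this thread).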
06-28-2019 02:33 AM
The management port is completely separated from all other interfaces. It's not meant to be used as a firewall interface. You can only use it to access the ASA itself or reach your management servers from the ASA. You can't use that port to communicate with other ports.
06-28-2019 03:59 AM
Hi Karsten
Thanks for the information. Is there any other way to access ASDM or SSH to the management network from the inside interface?
Also, any ideas why I cannot ping lower security interfaces?
Thanks
06-28-2019 07:00 AM
To reach the management interface from another interface on the ASA you must transit an external L3 switch (or router). You also need a route (something more specific than the connected /24 or whatever you are using for your management subnet).
Traffic cannot flow through the ASA to get directly to the management port.
Also you cannot ping from a non-connected ASA interface into one of the other subnets directly connected to the ASA. That is by design.
06-28-2019 04:34 PM
Hi Marvin
Thanks for the information; question 1 has been answered, but I still need some help with question 2, details below.
So I have a PC directly connected to the ASA inside interface with security level 100, network 192.168.2.0/24, and I have my security camera NVR connected to another port on the ASA with security level 50, network 192.168.4.0/24. But I cannot ping or connect to the security camera network from my PC. Am I missing some access rules or static routes?
Thanks
06-29-2019 08:42 PM
Hi Marvin
After some troubleshooting, I found out Windows Firewall was blocking the connections. After I disabled it I was able to ping the other devices connected to the ASA inside interface; I was able to ping from the high security level to the lower security level and not vice versa, which is the expected behaviour.
Thanks everyone for your help.