Cisco ASA 8.4 Inter interface Communication

jmusbach2
Level 1

Hello, I have two ports I want communication between and I feel like it should work but still even pings fail. Below are the relevant entries from the running config. Any idea what I'm missing? Thanks.

interface GigabitEthernet0
 mac-address 020c.f142.4cde
 nameif left
 security-level 0
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1
 mac-address 020c.f142.4cdf
 nameif right
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 1 extended permit icmp any any
access-list 1 extended permit icmp any any echo-reply
access-list 1 extended permit icmp any any echo
access-list 1 extended permit icmp any any source-quench
access-list 1 extended permit icmp any any unreachable
access-list 1 extended permit icmp any any time-exceeded
access-group 1 in interface left
access-group 1 out interface left
access-group 1 in interface right
access-group 1 out interface right


12 Replies

Leo Laohoo
Hall of Fame

Duplicate posts.

Hello, yeah the (1) one was a mistake and never should've been approved since it was waiting for moderator approval in the first place. Anyways, can you please tell me in this thread what I've overlooked? Thanks.

Hello John,

Okay, so you will need to close one discussion.

Now, with the configuration you have you should be able to ping.

My question would be:

Why are you using the same ACL on both interfaces in both directions?

So can you remove the access-groups from both interfaces (both directions)

and just add the following command:

fixup protocol icmp

Also provide the output of

packet-tracer input right icmp 192.168.1.10 8 0 192.168.0.10

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hm yeah I thought I'd be able to ping too. But I ruled out iptables because a machine on one subnet can't even ping the gateway of the other subnet. As for the ACL, I thought that had to be done to allow ICMP traffic to come in and out both sides? Or should it work without the ACLs and just the same-security-traffic clause? Thanks and sorry for the thread confusion.

Hello John,

It should work with the same-security-traffic command.

Let's add the command

fixup protocol icmp (to statefully inspect ICMP packets)

Can you provide the packet-tracer output?

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Oh ok, yeah I'll get back to you tomorrow morning with the results of your suggestions since I'm not at work at the moment. Thanks. I guess I was worried that perhaps the ASA unit defaulted to highly restrictive ACLs when none were otherwise present, good to know that's not the case.

Hello,

That would be the case if you are going from a lower to a higher security level interface.

In this case we are dealing with same-security-level interfaces.

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi, thanks for your help. I'll be sure to rate your posts after the problem is identified of course. So this is the config I have now:

interface GigabitEthernet0
 nameif left
 security-level 0
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1
 nameif right
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

and the results of the tracer command:

ciscoasa(config)# packet-tracer input right icmp 192.168.1.10 8 0 192.168.0.10

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   left

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6, packet dispatched to next module

Result:
input-interface: right
input-status: up
input-line-status: up
output-interface: left
output-status: up
output-line-status: up
Action: allow

Yet the machines on each side can still only ping their own gateways, any idea?
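The packet-tracer output above is the thing to read first: the final Result block says whether the ASA allowed the flow, and when it did not, the phase that returned DROP names the rule responsible. As an added example that is not part of this thread, the Python below parses that output format into a one-line verdict, and its second sample models the case Julio describes earlier in the thread (a flow from a lower to a higher security-level interface with no ACL permitting it, which the implicit rule drops). Both sample traces are constructed for the example, and the class and function names are the example's own, not an ASA or Cisco API.

```python
"""Parse Cisco ASA `packet-tracer` output into a verdict (added example).

Assumes the layout seen in the thread: repeated "Phase: N" blocks with
Type / Subtype / Result / Config / Additional Information, then a final
bare "Result:" block with input-interface, output-interface and Action.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    input_interface: str
    output_interface: str
    action: str
    drop_reason: str

    def first_drop(self):
        """First phase whose Result is DROP, or None if every phase allowed."""
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)


def parse_packet_tracer(text):
    phases, current, section, final, in_final = [], None, None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_final:
            # Final block is "key: value" lines such as "Action: allow"
            key, _, value = line.partition(":")
            final[key.strip().lower()] = value.strip()
        elif (m := re.fullmatch(r"Phase:\s*(\d+)", line)):
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
        elif re.fullmatch(r"Result:\s*", line):
            in_final = True          # a bare "Result:" opens the summary block
        elif current is None:
            continue                 # e.g. the CLI prompt line before Phase 1
        elif line.startswith("Type:"):
            current.type = line[5:].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line[8:].strip()
        elif line.startswith("Result:"):
            current.result = line[7:].strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, final.get("input-interface", ""),
                 final.get("output-interface", ""), final.get("action", ""),
                 final.get("drop-reason", ""))


def verdict(text):
    """One-line summary; names the dropping phase and its config when dropped."""
    t = parse_packet_tracer(text)
    path = f"{t.input_interface} -> {t.output_interface}"
    d = t.first_drop()
    if t.action.lower() == "allow" and d is None:
        return f"allow {path}: the ASA is not the blocker, look at hosts and L2"
    where = f"phase {d.number} {d.type}" if d else "unknown phase"
    cfg = "; ".join(d.config) if d and d.config else "no config shown"
    return f"drop {path} at {where} ({cfg}) {t.drop_reason}".rstrip()


# Constructed sample: same-security flow, every phase allows (as in the thread).
ALLOW_TRACE = """\
ciscoasa(config)# packet-tracer input right icmp 192.168.1.10 8 0 192.168.0.10

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   left

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Result:
input-interface: right
input-status: up
input-line-status: up
output-interface: left
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample: lower-to-higher security level, no ACL, implicit deny.
DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(verdict(ALLOW_TRACE))
    print(verdict(DROP_TRACE))
```

An "allow" verdict with "New flow created" in the FLOW-CREATION phase, as in the thread, means the firewall would forward the packet; at that point the next places to look are host addressing, host firewalls, and the layer-2 path (here, the VirtualBox virtual LAN).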

Hi,

Are you sure that there is nothing blocking the ICMP messages on the actual hosts?

Are you sure that the hosts don't have any additional network connection that holds the default route and forwards traffic incorrectly?

Are you sure that the default gateway and network masks are configured correctly on the hosts sending ICMP Echo?

- Jouni

Hello John,

As you can see from the packet-tracer, the result is:

input-interface: right
input-status: up
input-line-status: up
output-interface: left
output-status: up
output-line-status: up
Action: allow

So that being said, my recommendation would be:

- Make sure the IP/subnet mask and default gateway are properly set on both PCs.

- Make sure that you do not have Windows Firewall on blocking ICMP packets.

Quick question:

Can you ping from the ASA to both PCs?

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi thanks, turns out it was a misconfiguration of the virtualbox VMs in the virtual LAN. Once that was sorted it worked fine.

Great to see that John,

Regards,

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC