04-22-2019 01:16 AM - edited 04-22-2019 01:17 AM
Hello. I have some problem. I need to connect two ASA 5506 firewalls to each other. I have created the schema in Packet Tracer and then recreated it in the real world, but with the same result:
I cannot make a connection (ICMP) to behind the other firewall (for example from PC0 to PC1). I have configured all interfaces. I have configured default routes on the routers toward the ASAs. I have also written default routes on the ASA firewalls toward each other and static routes toward their internal routes. I have also checked the NAT config. I also added ICMP to the default global service policy for inspection, and the other protocols which I needed. But I can ping only from PC0 to the ASA2 4.2.2.2 interface. What I have been missing I cannot find.
04-22-2019 04:32 AM
You have mentioned NAT config. Can you provide more information on what is being NAT'd and where.
Configs would help also.
I assume you can Ping to each PC from the local FW and Router?
04-22-2019 11:29 AM
I can ping from PC0 to the ASA-2 4.2.2.2 interface but cannot go behind ASA-2.
I also can ping from PC1 to the ASA-1 4.2.2.1 interface but cannot go behind it.
My NAT config on both ASA1 and ASA2:
ASA-1(config-network-object)# nat (inside,outside) dynamic interface
ASA-2 (config-network-object)# nat (inside,outside) dynamic interface
04-22-2019 02:22 PM
04-22-2019 02:31 PM
It doesn't work as expected because the ASA is designed that way: it denies pings through the ASA that are destined to the ASA interface IP address. See link, https://community.cisco.com/t5/routing/asa-5585-x-unreachable-gateway-between-interfaces/m-p/3839525#M313418
There is no way to override that security rule.
04-22-2019 03:02 PM
Hi,
@joseph.h.nguyen I think the original request was to ping through the ASAs from PC0 to PC1, not to ping an ASA interface.
@shaig I assume you are pinging the 172.16.10.x IP address of PC1? In which case @GRANT3779 is correct: the traffic would match your dynamic NAT rule and be NATted, and therefore would not respond from the IP address you originally pinged.
Create a no-NAT/NAT exemption rule on both ASAs, or alternatively create a static NAT for each PC.
HTH
04-24-2019 09:56 AM - edited 04-24-2019 10:05 AM
ASA-2#SH RUNning-config
: Saved
:
ASA Version 9.6(1)
!
hostname ASA-2
names
!
interface GigabitEthernet1/1
nameif OUTSIDE
security-level 100
ip address 4.2.2.2 255.255.255.252
!
interface GigabitEthernet1/2
nameif INSIDE
security-level 0
ip address 10.2.2.1 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network NAT
subnet 172.16.10.0 255.255.255.0
!
route INSIDE 172.16.10.0 255.255.255.0 10.2.2.2 1
route OUTSIDE 0.0.0.0 0.0.0.0 4.2.2.1 1
object network NAT
nat (INSIDE,OUTSIDE) dynamic interface
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
ASA-2#
ASA-1#SH RUNning-config
: Saved
:
ASA Version 9.6(1)
!
hostname ASA-1
names
!
interface GigabitEthernet1/1
nameif outside
security-level 100
ip address 4.2.2.1 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network NAT
subnet 192.168.10.0 255.255.255.0
!
route inside 192.168.10.0 255.255.255.0 10.1.1.2 1
route outside 0.0.0.0 0.0.0.0 4.2.2.2 1
!
!
!
object network NAT
nat (inside,outside) dynamic interface
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
ASA-1#
04-24-2019 12:09 PM
ASA-1#sh running-config
: Saved
:
ASA Version 9.6(1)
!
hostname ASA-1
names
!
interface GigabitEthernet1/1
nameif outside
security-level 100
ip address 4.2.2.1 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network NAT
subnet 192.168.10.0 255.255.255.0
!
route inside 192.168.10.0 255.255.255.0 10.1.1.2 1
route outside 0.0.0.0 0.0.0.0 4.2.2.2 1
!
!
!
object network NAT
nat (inside,outside) dynamic interface
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
ASA-1#
ASA-2#sh running-config
: Saved
:
ASA Version 9.6(1)
!
hostname ASA-2
names
!
interface GigabitEthernet1/1
nameif outside
security-level 100
ip address 4.2.2.2 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 0
ip address 10.2.2.1 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network NAT
subnet 172.16.10.0 255.255.255.0
!
route inside 172.16.10.0 255.255.255.0 10.2.2.2 1
route outside 0.0.0.0 0.0.0.0 4.2.2.1 1
!
!
!
object network NAT
nat (inside,outside) dynamic interface
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
ASA-2#
04-24-2019 12:12 PM
I have pasted the running-config of both ASAs.
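The NAT exemption suggested earlier, written against the subnets in the pasted configs, as an added example that is not from any poster in this thread. It assumes the usual levels of inside 100 / outside 0 (the pasted configs show the reverse, which is why it restates them), object and ACL names chosen here, and constructed PC addresses 192.168.10.10 and 172.16.10.10 for the packet-tracer check.

```cisco
! ===== ASA-1 (LAN 192.168.10.0/24 behind it) =====
! Assumed interface levels; the pasted configs have them swapped.
interface GigabitEthernet1/2
 nameif inside
 security-level 100
interface GigabitEthernet1/1
 nameif outside
 security-level 0
!
object network LAN-ASA1
 subnet 192.168.10.0 255.255.255.0
object network LAN-ASA2
 subnet 172.16.10.0 255.255.255.0
!
! Identity (twice) NAT: LAN-to-LAN traffic keeps its real addresses.
! Manual NAT is evaluated before the existing object NAT, so the
! "nat (inside,outside) dynamic interface" rule still serves other traffic.
nat (inside,outside) source static LAN-ASA1 LAN-ASA1 destination static LAN-ASA2 LAN-ASA2 no-proxy-arp route-lookup
!
! The peer LAN now arrives on the lower-security outside interface with its
! real source address, so it must be explicitly permitted (return traffic
! for inside-initiated pings is allowed statefully by ICMP inspection).
access-list OUTSIDE-IN extended permit icmp object LAN-ASA2 object LAN-ASA1
access-group OUTSIDE-IN in interface outside
!
! ===== ASA-2 (LAN 172.16.10.0/24 behind it): mirror image =====
object network LAN-ASA1
 subnet 192.168.10.0 255.255.255.0
object network LAN-ASA2
 subnet 172.16.10.0 255.255.255.0
nat (inside,outside) source static LAN-ASA2 LAN-ASA2 destination static LAN-ASA1 LAN-ASA1 no-proxy-arp route-lookup
access-list OUTSIDE-IN extended permit icmp object LAN-ASA1 object LAN-ASA2
access-group OUTSIDE-IN in interface outside
!
! ===== Verification on ASA-1 (constructed PC addresses) =====
! The NAT phase should show the manual rule, not the dynamic one,
! and the final result should be ALLOW.
packet-tracer input inside icmp 192.168.10.10 8 0 172.16.10.10
show nat detail
```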
04-24-2019 01:12 PM