Do ASA's block ping from an interface to a network via another int?

Youreateapot418
Level 1

I have a s2s tunnel setup between 2x ASA's.

It works fine and I can ping fine between users A & B. (192.168.100.2 <-> 192.168.200.2)

However, if I try to ping from the Inside int, to the user on the other side, so same subnet, it gets blocked.

ASA A Inside (192.168.100.1) to ASA B (192.168.200.1) Inside or User B (192.168.200.2)

ASA B Inside (192.168.200.1) to ASA A (192.168.100.1) Inside or User A (192.168.100.2) 

Using packet tracer, it just defaults to the implicit deny rule for the above. Even though my firewall rules are all /24 (192.168.100.0/24, 192.168.200.0/24).

Am I missing some fundamental info on the ASA where they don't ping back on themselves or something?

[Attachment: tunnel.png]

1 Accepted Solution


I don't think what you are trying to do will work because the ASA by design will not allow pinging/reaching one of its interfaces when the traffic comes from another interface. For instance, you are trying to ping 192.168.200.1 from 192.168.100.1; that traffic, from the ASA 2 perspective, is coming from the outside interface destined to its inside interface. So by design ASA 2 will not allow this to happen. The same concept applies when you try to ping 192.168.100.1 from 192.168.200.1, or when you try to ping User A or User B from each firewall's inside interface. Also, please keep in mind that applying the icmp inspection on the policy map will only affect the traffic passing through the firewall, not the traffic originated by or sent to the firewall itself. The same goes for the transit access lists you apply on the firewalls' interfaces.

One thing you can do if you want to test would be to configure the inside interfaces as management interfaces over the VPN tunnel. In that case yes you can hit those interfaces from the remote site. To do so, you would need to issue the command "management-access inside" on both firewalls, and then afterwards you should be able to reach ASA 1 inside interface from site B and ASA 2 inside interface from site A.


6 Replies

You need only icmp inspection.

And make sure the inside interface has a security level higher than Outside.

MHM


I had a feeling it was something fundamental on the ASA's. 

I can do the management setup in the lab, but doubt I will be able to do so in production, but definitely good to know!

Thanks Aref!

You are confused here.

ASA-A inside to ASA-B inside cannot by default, and you cannot change that.

ASA-A inside to ASA-B host can, and you need icmp and level.

MHM

So I've opened the rules up completely, and my current rules on ASA1 are:

Inside
  Incoming: any4 to any4 ip allow
  Outgoing: any4 to any4 ip allow

Tunnel-VTI1
  Incoming: any4 to any4 ip allow
  Outgoing: any4 to any4 ip allow

User A <-> User B works fine

Inside-ASA1 <-> User B doesn't...

Running through packet tracer, it doesn't even look for an interface. Can you point to a doc on how to do as you describe?


It's an advanced topic, so let's start.

By default the ASA uses mgmt, and it surely does not allow that between two ASAs.

Use

the "ping tcp" command in the ASA, which allows you to specify the source interface of the ping.

MHM
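To tie the two answers together (Aref's "management-access inside" suggestion and MHM's advice to source the ping from a specific interface), here is an added ASA configuration and test sequence. It is an example written for this thread, not the original poster's running config; the interface names, addresses and the fact that the VPN lands on both boxes are taken from the question, and the port 22 used for the TCP ping is an assumed target.

```cisco
! Added example for ASA A (192.168.100.1 inside). Repeat the same
! configuration, with the addresses swapped, on ASA B.

! 1. ICMP inspection: lets the ASA treat echo-request/echo-reply as a
!    stateful session so transit pings (User A <-> User B) get their
!    replies back. This only affects through-the-box traffic; it does
!    nothing for pings sourced by or addressed to the ASA itself.
policy-map global_policy
 class inspection_default
  inspect icmp

! 2. Allow the far-side inside interface to be reached across the VPN
!    for management (ping/ssh/ASDM). Without this, to-the-box traffic
!    arriving from a different interface than the one addressed is
!    dropped by design. Only one interface can be the management-access
!    interface, so pick the one you actually manage from.
management-access inside

! 3. Source the test ping from the inside interface so the packet is
!    built with 192.168.100.1 as its source and crosses the tunnel,
!    instead of being sourced from the egress (tunnel) interface.
ping inside 192.168.200.2

! 4. TCP variant (target port 22 is assumed), handy when ICMP is
!    filtered somewhere along the path but the tunnel itself is up.
ping tcp inside 192.168.200.2 22
```

Step 1 is what makes User A <-> User B work; steps 2 to 4 cover the firewall-to-remote-side case the thread is about. Expect step 3 to succeed toward User B once the interface-sourced packet is allowed by the remote ASA's transit rules, and toward the remote ASA's inside address only after `management-access inside` is present on that remote ASA.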
