08-08-2018 12:17 PM - edited 02-21-2020 08:04 AM
Hello,
I am using an ASA on the Firepower 2110. I was trying to test traffic flow between interfaces and configured one interface, E1/5, with IP address 10.1.215.115/24 (security-level 100) and another interface, E1/6, with IP address 10.1.253.115/25 (security-level 100). I allowed ICMP from any to each interface. I created an ACL to allow ICMP to each interface. I attached two laptops to each interface (laptop215: 10.1.215.100/24, GW: 10.1.215.115 and laptop253: 10.1.253.100/24, GW: 10.1.253.115).
From laptop215, I can ping its GW (10.1.215.115) just fine. From laptop253, I can also ping its GW (10.1.253.115) just fine.
On the ASA, I can ping each interface just fine, but the issue I am facing is that when I try to ping from laptop215 to interface E1/6 - 10.1.253.115, it fails. The same thing happens when I try to ping from laptop253 to interface E1/5 - 10.1.215.115.
I can't figure out why I can't ping from each host (laptop) to the other interface or laptop. Why can't I ping from one host 10.1.253.100 to interface 10.1.251.115 or host 10.1.215.100 to 10.1.253.115?
Any assistance would be greatly appreciated.
Best, ~zK
08-08-2018 12:34 PM
08-08-2018 02:08 PM
08-08-2018 02:27 PM
Ok, packet-trace confirms it should be allowed.
If I understand you correctly you are attempting to ping an interface of the ASA that you are not connected to (as in the interface connected to the other laptop). Try configuring the management-access command, reference here.
If you cannot ping the laptops, do they have a local firewall enabled?
HTH
08-08-2018 02:42 PM - edited 08-08-2018 02:45 PM
That's correct. I am trying to ping from one laptop that's directly connected to one interface (10.1.251.x) to another on the ASA (10.1.253.x) and vice versa. Win FW is disabled on both laptops. The issue is when I try to ping from laptop 10.1.253.100 to ASA interface 10.1.251.115, ping fails!
I attached the ASA intfs configs and test results.
Thanks..
08-08-2018 02:47 PM - edited 08-08-2018 02:51 PM
Ok, but did you enable the management-access command like I previously suggested?
08-08-2018 03:05 PM - edited 08-08-2018 11:39 PM
Yes. I did!
08-10-2018 03:35 PM
I ended up rebooting the ASA and it worked.
Thanks for your assistance.
08-10-2018 04:33 PM - edited 08-10-2018 04:34 PM
I have noticed a few areas lately when working with the Cisco ASA firewalls that a reboot or "clear conn" has fixed the odd issue(s). In the latest case I was running 9.9(2). Glad it worked out for you.