02-21-2013 04:26 AM - edited 03-11-2019 06:03 PM
Dear All,
Today I ran into a problem with enabling ICMP traffic between two inside interfaces on an ASA5510 (version 8.2).
I tried to ping from 192.168.1.2 to 192.168.2.2. It failed.
But I can visit outside websites or ping 8.8.8.8 from either of the two addresses above.
So I checked the configuration, shown as follows:
<omitted>
interface ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
<omitted>
interface ethernet0/2
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
<omitted>
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
I searched a bit and found some docs saying ICMP inspection should be enabled, so I added inspect icmp to global_policy:
policy-map global_policy
class inspection_default
inspect icmp
Then I tried the ping again. It failed.
After that, I added the following commands:
icmp permit any inside
icmp permit any inside2
PING still failed.
Then I created two access lists and applied them on the interfaces respectively:
access-list ACL_INSIDE extended permit icmp any any
access-list ACL_INSIDE extended permit ip any any
access-list ACL_INSIDE2 extended permit icmp any any
access-list ACL_INSIDE2 extended permit ip any any
PING still failed. Can anyone help me? Thanks in advance.
02-21-2013 05:27 AM
Hi,
When you have 2 interfaces on equal "security-level" configuration and you don't have any ACLs configured, you would be fine with the following
What exactly are the devices 192.168.1.2 and 192.168.2.2?
Are they desktop workstations, laptops or router interfaces?
If we are talking about 2 desktops/laptops, then I would look into the possibility that they are blocking ICMP. Perhaps they allow ICMP from the directly connected network but not from remote networks.
I have had situations where ICMP has been allowed on the actual computer but it still won't reply to ICMP Echoes.
You could also configure a capture on the ASA
access-list ICMP-CAP permit icmp host 192.168.1.2 host 192.168.2.2
access-list ICMP-CAP permit icmp host 192.168.2.2 host 192.168.1.2
capture ICMP-CAP type raw-data access-list ICMP-CAP interface
Ping a few times and check "show capture ICMP-CAP"
And see if the ASA can see ICMP echo replies at all.
- Jouni
02-21-2013 05:51 AM
Hi Jouni,
Thanks for your prompt response.
My first thought was the same as yours. Ping should work between two interfaces with equal security-level when same-security-traffic and inspect icmp are configured. But strangely, it failed.
Before I added my explicit access lists, I found there were two implicit access rules on the interfaces that look like the following in ASDM:
permit ip any any-lower-security-level
deny ip any any
192.168.1.2 is a desktop PC, and 192.168.2.2 is a network printer which should reply to ICMP echos.
And I will try your method to capture ICMP messages and get back to you.
Cheers
02-22-2013 04:42 AM
Hi Jouni,
Today I did an experiment using GNS3. I managed to get PING working with just same-security-traffic and inspect icmp.
I went back to check my configuration on the real ASA5510, and I found the reason. It was caused by the NAT rules I configured.
After adding two NAT EXEMPT rules for the 192.168.18.0/24 and 192.168.19.0/24 networks, I finally got the PING working.
Cheers
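The thread ends without showing the NAT exemption that fixed it, so here is an added example (not the poster's or Jouni's configuration) of what that fix and the two diagnostics suggested above look like on ASA 8.2. It assumes the interface names inside and inside2 and the networks 192.168.1.0/24 and 192.168.2.0/24 from the first post, and it assumes the usual pre-existing dynamic PAT rule (nat (inside) 1 / global (outside) 1 interface) that causes the problem: with nat-control or an existing nat statement on the ingress interface, the ASA tries to translate inside-to-inside2 traffic, finds no global pool on inside2 and drops the packet with "no translation group found", regardless of same-security-traffic, inspect icmp or ACLs. A nat 0 (identity/exempt) rule tells the ASA not to translate that traffic at all.

```text
! --- assumed existing NAT that triggers the drop (typical 8.2 setup) ---
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface

! --- NAT exemption for traffic between the two inside networks ---
! One ACL per ingress interface; each is a hypothetical name.
access-list NONAT_INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT_INSIDE2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
nat (inside2) 0 access-list NONAT_INSIDE2

! --- check the verdict before touching the hosts ---
! icmp type 8 / code 0 = echo request; output shows each phase and the
! final "Action: allow" or the drop reason (e.g. no translation group found).
packet-tracer input inside icmp 192.168.1.2 8 0 192.168.2.2
packet-tracer input inside2 icmp 192.168.2.2 8 0 192.168.1.2

! --- capture on both interfaces, as Jouni suggested ---
access-list ICMP-CAP extended permit icmp host 192.168.1.2 host 192.168.2.2
access-list ICMP-CAP extended permit icmp host 192.168.2.2 host 192.168.1.2
capture CAP-IN type raw-data access-list ICMP-CAP interface inside
capture CAP-IN2 type raw-data access-list ICMP-CAP interface inside2
! ping, then:
show capture CAP-IN
show capture CAP-IN2
```

Reading the captures: echo requests on CAP-IN but nothing on CAP-IN2 means the ASA dropped them (NAT or policy), which packet-tracer will name; requests on both but no replies on CAP-IN2 means the target host (here the printer) is not answering, which is the host-side cause Jouni raised first. Remove the captures afterwards with no capture CAP-IN and no capture CAP-IN2.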