How to enable ICMP between two inside interfaces ASA5510

bill.wang.qut
Level 1

Dear All,

Today I ran into a problem enabling ICMP traffic between two inside interfaces on an ASA5510 (version 8.2).

I tried to ping from 192.168.1.2 to 192.168.2.2. It failed.

But I can visit outside websites or ping 8.8.8.8 from either of the two addresses above.

So I checked the configuration, shown as follows:

     <omitted>
     interface ethernet0/1
      nameif inside
      security-level 100
      ip address 192.168.1.1 255.255.255.0
     <omitted>
     interface ethernet0/2
      nameif inside2
      security-level 100
      ip address 192.168.2.1 255.255.255.0
     <omitted>
     same-security-traffic permit intra-interface
     same-security-traffic permit inter-interface

I searched a bit and found some docs saying ICMP inspection should be enabled, so I added inspect icmp to global_policy:

     policy-map global_policy
      class inspection_default
       inspect icmp

Then I tried the ping again. It failed.

After that, I added the following commands:

     icmp permit any inside
     icmp permit any inside2

PING still failed.

Then I created two access lists and applied them on the interfaces respectively:

     access-list ACL_INSIDE extended permit icmp any any
     access-list ACL_INSIDE extended permit ip any any
     access-list ACL_INSIDE2 extended permit icmp any any
     access-list ACL_INSIDE2 extended permit ip any any

PING still failed. Can anyone help me? Thanks in advance.

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

When you have 2 interfaces on equal "security-level" configuration and you don't have any ACLs configured, you would be fine with the following:

  • same-security-traffic commands
  • inspect icmp

What exactly are the devices 192.168.1.2 and 192.168.2.2?

Are they desktop workstations, laptops or router interfaces?

If we are talking about 2 desktop/laptops then I would look into the possibility that they are blocking ICMP. Perhaps they allow ICMP from directly connected network but not from remote networks.

I have had situations where even though ICMP has been allowed on the actual computer, it still won't reply to ICMP Echos.

You could also configure a capture on the ASA:

     access-list ICMP-CAP permit icmp host 192.168.1.2 host 192.168.2.2
     access-list ICMP-CAP permit icmp host 192.168.2.2 host 192.168.1.2
     capture ICMP-CAP type raw-data access-list ICMP-CAP interface buffer 1000000

Ping a few times and check "show capture ICMP-CAP" to see if the ASA can see ICMP echo replies at all.

- Jouni


Hi Jouni,

Thanks for your prompt response.

My first thought was the same as yours. Ping should work between two interfaces with equal security-level when same-security-traffic and inspect icmp are configured. But strangely, it failed.

Before I added my explicit access lists, I found there were two implicit access rules on the interfaces that look like the following in ASDM:

     permit ip any any-lower-security-level
     deny ip any any

192.168.1.2 is a desktop PC, and 192.168.2.2 is a network printer, which should reply to ICMP echoes.

And I will try your method to capture ICMP messages and get back to you.

Cheers

Hi Jouni,

Today I did an experiment using GNS3. I managed to get PING working with just same-security-traffic and inspect icmp.

I went back to check my configuration on the real ASA5510, and I found the reason. It is caused by the NAT rules I configured.

After adding two NAT EXEMPT rules for the 192.168.18.0/24 and 192.168.19.0/24 networks, I finally got the PING working.

Cheers
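As an added example, not part of this thread or of either poster's configuration: an ASA 8.2 configuration that puts the fix described above together, assuming the two inside networks are 192.168.1.0/24 (inside) and 192.168.2.0/24 (inside2) as in the original post, that a dynamic NAT to the outside was what caused the drop, and with the ACL names and NAT id 1 chosen here.

```cisco
! Added example (not from the thread). ASA 8.2: two equal-security inside
! interfaces whose hosts must reach each other while dynamic NAT to the
! outside is also configured. Networks follow the original post; ACL names
! and NAT id 1 are assumptions.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
same-security-traffic permit inter-interface
!
! Dynamic NAT for Internet access. On 8.2 the "nat (inside) 1" statement is
! also matched for inside -> inside2 traffic; with no "global (inside2) 1"
! the packet is dropped with "no translation group found".
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0
!
! NAT exemption (nat 0 with an ACL) for traffic between the two inside
! networks in each direction, so it is never evaluated against NAT id 1.
access-list NAT_EXEMPT_INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NAT_EXEMPT_INSIDE2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NAT_EXEMPT_INSIDE
nat (inside2) 0 access-list NAT_EXEMPT_INSIDE2
!
! ICMP inspection so the echo reply is matched to the outbound echo request.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification: walk a simulated echo request (type 8, code 0) through the
! box and confirm the NAT phase reports the exemption rather than a drop.
! packet-tracer input inside icmp 192.168.1.2 8 0 192.168.2.2
! show nat
```

The packet-tracer output lists each phase (ACL, NAT, inspect); a drop in the NAT phase with no exemption matched is the symptom the thread ended on.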
