Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
850
Views
0
Helpful
3
Replies

ICMP via ASA

c.fuller
Level 1
Level 1

‎09-08-2011 08:41 AM - edited ‎03-11-2019 02:22 PM

Hello -

I am trying to open up ping through my ASA.   The ASA is connected via  L3 link on the inside interface to a L3 switch.  Same thing on the outside

interface.  I am trying to ping switch to switch via the ASA.  

I created the ACLs as follows

access-list outside-in permit extended icmp any any echo

access-list outside-in permit extended icmp any any echo-reply

access-list inside-out permit extended icmp any any echo

access-list inside-out permit extedned icmp any any echo-reply

I applied this ACL to the interfaces

access-group outside-in in interface outside

access-group inside-out in interface inside

I also enabled icmp inspection under the global service policy. 

inspect icmp

inspect icmp error

In addition I opened up icmp to the ASA interfaces

icmp permit any outside

icmp permit any inside

Pinging to/from the ASA inside/outside interfaces works fine.

However, when I try to go switch to switch via the ASA it fails.   Outbound, I see the echo-request come in on the inside interface and be forwarded to the outside interface in the icmp debug trace output.  But no echo-request from the inside L3 switch interface.

Now when I ping from the inside L3 switch to the outside L3 switch I do not see any echo-request come in on inside interface.   The "icmp debug trace" output has nothing.  So what other things can I look at that would prevent echo-request from coming into the ASA when the destination is on the inside?   I can ping the ASA's inside interface from the inside L3 switch.  I see those echo-request/replies no problem.

Thanks

Chuck

Labels:
0 Helpful
3 Replies 3

c.fuller
Level 1
Level 1

‎09-08-2011 09:09 AM

Update:  I looked at the routing configuration on the inside L3 switch.   There was a problem with the config.   All is working now.  ICMP through the ASA in both directions.  

Chuck

0 Helpful

cadet alain
VIP Alumni
VIP Alumni

‎09-09-2011 12:33 AM

Hi,

what does a debug ip icmp on switches tells you?

Maybe you have a routing problem on the switch you're pinging or an ACL blocking echo-requests/replies.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

c.fuller
Level 1
Level 1
In response to cadet alain

‎09-09-2011 04:20 AM

Alain, yes thanks for the reply.  Bascially, the L3 switch did not have routing enabled.  Just a couple static routes tracking the upstream router using an IP SLA.   Once I enabled routing the IP SLA began to operate which uses

icmp echo.  I also was able to finally ping manually via the ASA from switch to switch.

So this was not an ASA problem.   The steps above work for allowing icmp through the ASA.

Regards

Chuck

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card