interface on asa.

prashantrecon
Level 1

Hi ,

I have connected the firewall's inside interface to an L3 switch.

On the L3 switch:

int gi0/1

no switchport

ip address 192.168.10.1 255.255.255.0

no shut

On the firewall:

int gi0/1

nameif inside

security-level 100

ip address 192.168.10.2 255.255.255.0

If I ping 192.168.10.2 from the firewall, it pings.

As I know, an inside host can ping the inside interface, but not any opposite interface such as the DMZ, etc. (that needs an access-list).

5 Replies

kcnajaf
Level 7

Hi Prashant,

That is right.

The firewall will allow traffic from a high security level (like the inside interface, which has a security level of 100) to lower security level interfaces (like the outside or DMZ interface, which have any value less than 100) by default, without an access-list. If you need to allow traffic from low to high, then you need to specifically allow it through an access-list.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful!

Hi,

Since the L3 switch is connected to the firewall (inside interface).

When I ping from the switch to the firewall inside interface, it is not pinging.

Normally that will work without adding any route or extra configuration. If it's not working, then I would check the access-list to see whether it is dropping the packet or not, and the other thing to check is whether you have enabled ICMP inspection on the ASA or not.

gcorrale
Level 1

Hi Prashant,

There are two things involved here.

1. Ping to the far-end interface.

The ASA will not allow you to ping the far-end interface. For example, if you are a host connected on the Inside network and ping the Inside interface, the ASA will reply, but if you try to ping the DMZ interface from a host on the inside, it will not answer, and that is expected.

2. Permitting traffic from lower to higher interfaces.

All traffic from a higher security level interface to a lower security level interface is permitted by default, but it is denied the other way around, from lower to higher.

If you need to permit traffic from lower to higher, you need to apply an access-list on the lower level interface to permit traffic to the higher security level interface (if you are on version 8.2 or earlier, you might also need to add a NAT rule).

For example:

Inside security level 100

Outside security level 0

Inside host 192.168.1.1

access-list outside_access_in permit ip any host 192.168.1.1

access-group outside_access_in in interface outside

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

I hope this helps.

Regards

Godfrey
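To put the two replies above together in one place, here is an added configuration example (not taken from the thread or from anyone's posted config) for a three-interface ASA running 8.3 or later. The interface names, the DMZ host 172.16.20.10, the mapped address 203.0.113.10 and the test source 198.51.100.7 are assumptions for illustration only. It shows the default high-to-low behaviour, the narrow inbound ACL on the lower interface needed for low-to-high traffic, why ICMP inspection matters for pings through the box, and how pinging an interface itself is governed separately by the icmp command.

```cisco
! Added example, not from the thread. Names and addresses are assumptions.

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! inside (100) -> dmz (50) and inside (100) -> outside (0) are permitted by
! default with no access-list, as long as no inbound ACL is applied on
! "inside". The moment you do apply one, the implicit deny at its end applies.
!
! outside (0) -> dmz (50) is denied by default. Permit only the service the
! DMZ host really exposes, and apply the ACL inbound on the LOWER interface.
! "permit ip any host ..." (as in the post) opens every port; keep it narrow.
! In 8.3+ the ACL matches the real (untranslated) address, so the object is
! used both for the static NAT and for the permit line.
object network DMZ_WEB
 host 172.16.20.10
 nat (dmz,outside) static 203.0.113.10
!
access-list outside_access_in extended permit tcp any object DMZ_WEB eq 443
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! ICMP is not tracked statefully unless it is inspected. Without this, a ping
! from inside to outside leaves, but the echo-reply comes back outside->inside
! (low -> high) and is dropped by the deny above. Inspecting ICMP allows the
! reply for an echo the ASA saw go out.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Pinging an ASA interface is a separate matter from traffic through the ASA.
! An interface answers hosts that reach it on its own network (the L3 switch on
! 192.168.10.0/24 can ping "inside"), but an inside host cannot ping the dmz or
! outside address. The icmp command decides who may ping each interface; with
! a list configured, anything not matched is denied.
icmp permit 192.168.10.0 255.255.255.0 inside
icmp deny any inside
!
! Verify the policy decision from the CLI before blaming cables or the switch.
! From outside, use the address as seen on the wire (the mapped one):
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 22
! The second trace is dropped by outside_access_in, which is the intended result.
! Echo request (type 8, code 0) from an inside host toward outside:
! packet-tracer input inside icmp 192.168.10.50 8 0 203.0.113.9
```

The deny with the log keyword at the end of outside_access_in is deliberate: it produces a syslog for every blocked low-to-high attempt, which is the first thing to look at when "it is not pinging" on a box that should be forwarding, and packet-tracer gives the same verdict without needing a live host on the far side.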

Thanks for reply.

At last I cleared the config of the firewall (reconfigured it) and also cleared the config of the switch (reconfigured it).

And guess what: it is working without adding any special access-list.

I have some suspicion about the switch side, because by connecting a laptop directly to the firewall I can ping the inside interface.

That's why I cleared the configuration of the switch and reconfigured it with the latest IOS.

Thanks for your help
