Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2783
Views
0
Helpful
7
Replies

My PCs can't ping firewall's inside interface

tinhnho123
Level 2
Level 2

‎03-21-2019 09:07 AM - edited ‎03-21-2019 09:09 AM

Hi Everyone. 

 

I've been trying to setup a simple network which has 1 firewall, 1 switch and 2 PCs. Please see the attachment for the topology. 

My goal is that I want my PCs can ping 8.8.8.8 of the 'internet' switch (from my attachment). But  for now, they can't even ping 10.10.10.1 (firewall's inside interface) while these PCs can ping VLAN 10 ( 172.16.1.1) and vlan 20 ( 192.168.10.1) as well as 10.10.10.2. Any thoughts why these PCs can't ping the inside interface of firewall? Thanks alot.

 

Capture.PNG

Labels:
Preview file
2 KB
Preview file
8 KB
0 Helpful
7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

‎03-21-2019 09:26 AM

Add below config in ASA 

 

#icmp permit any inside

 

From SW3 are you able to ping to 10.10.10.1 ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

tinhnho123
Level 2
Level 2
In response to balaji.bandi

‎03-21-2019 11:54 AM

Hi Balagi,

 

Before add this command #icmp permit any inside, Yes, i could ping 10.10.10.1

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to tinhnho123

‎03-21-2019 01:16 PM - edited ‎03-21-2019 01:17 PM

Just now i tested your config in my lab (eve-ng) all works as expected, here is the results.

 

Basic Confg : ASA 

 

interface Ethernet0
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.252
!
route inside 172.16.1.0 255.255.255.0 10.10.10.2 1

Switch Config :

===========

!
interface Ethernet0/0
no switchport
ip address 10.10.10.2 255.255.255.252
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast edge
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast edge
!
interface Ethernet0/3
!
interface Vlan10
ip address 172.16.1.1 255.255.255.0
!
interface Vlan20
ip address 192.168.10.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1

 

VPC

===

 

 

VPCS> ip 172.16.1.10/24 172.16.1.1
Checking for duplicate address...
PC1 : 172.16.1.10 255.255.255.0 gateway 172.16.1.1

VPCS> ping 10.10.10.2

10.10.10.2 icmp_seq=1 timeout
84 bytes from 10.10.10.2 icmp_seq=2 ttl=255 time=0.659 ms
84 bytes from 10.10.10.2 icmp_seq=3 ttl=255 time=0.566 ms
84 bytes from 10.10.10.2 icmp_seq=4 ttl=255 time=0.678 ms
84 bytes from 10.10.10.2 icmp_seq=5 ttl=255 time=0.604 ms

VPCS> ping 10.10.10.1

84 bytes from 10.10.10.1 icmp_seq=1 ttl=254 time=5.260 ms
84 bytes from 10.10.10.1 icmp_seq=2 ttl=254 time=1.493 ms
84 bytes from 10.10.10.1 icmp_seq=3 ttl=254 time=1.569 ms
84 bytes from 10.10.10.1 icmp_seq=4 ttl=254 time=1.709 ms
84 bytes from 10.10.10.1 icmp_seq=5 ttl=254 time=1.590 ms

VPCS> ping 172.16.1.1

84 bytes from 172.16.1.1 icmp_seq=1 ttl=255 time=0.384 ms
84 bytes from 172.16.1.1 icmp_seq=2 ttl=255 time=1.521 ms
84 bytes from 172.16.1.1 icmp_seq=3 ttl=255 time=0.657 ms
84 bytes from 172.16.1.1 icmp_seq=4 ttl=255 time=0.562 ms
84 bytes from 172.16.1.1 icmp_seq=5 ttl=255 time=0.704 ms

 

Suggest to save all config, restart the node and test it.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

tinhnho123
Level 2
Level 2
In response to balaji.bandi

‎03-22-2019 03:40 PM

It was the sw issue, saved the config and rebooted fix the problem. Thanks.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to tinhnho123

‎03-22-2019 04:16 PM

Glad it working, if this is resolved, kindly make it as resolved. so it will be usefull for other community members.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni

‎03-21-2019 09:31 AM

Hi there,

Try this config on the ASA:

!
object VLAN10
  subnet 172.16.1.0 255.255.255.0
  nat (inside,outside) dynamic interface
!
object VLAN10
  subnet 192.168.10.0 255.255.255.0
  nat (inside,outside) dynamic interface
!
icmp permit any inside
!
policy-map global_policy
 class inspection_default
   inspect icmp
!

 

cheers,

Seb.

 

0 Helpful

tinhnho123
Level 2
Level 2
In response to Seb Rupik

‎03-21-2019 12:00 PM

Hi Seb,

I've just tried your config and the PCs still can't ping firewall's inside interface. I still can ping the 10.10.10.2 just fine.

PC1> ping 10.10.10.1

10.10.10.1 icmp_seq=1 timeout
10.10.10.1 icmp_seq=2 timeout
10.10.10.1 icmp_seq=3 timeout
10.10.10.1 icmp_seq=4 timeout
10.10.10.1 icmp_seq=5 timeout

PC1> ping 10.10.10.2

84 bytes from 10.10.10.2 icmp_seq=1 ttl=255 time=0.388 ms
84 bytes from 10.10.10.2 icmp_seq=2 ttl=255 time=0.336 ms
84 bytes from 10.10.10.2 icmp_seq=3 ttl=255 time=0.366 ms
84 bytes from 10.10.10.2 icmp_seq=4 ttl=255 time=0.326 ms
84 bytes from 10.10.10.2 icmp_seq=5 ttl=255 time=0.351 ms

VPCS>
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card