Solved: no route to host shown in packet tracer - unable to ping gateway

suthomas1 · ‎12-10-2013

Hi,

Following is the setup. We are unable to ping the gateway(192.168.100.1) for hosts which is configured on the ASA interface.

ASA Connects to a Core Switch

ASA configuration:-

---------------------------

int tengig0/9
security-level 50
nameif apps
ip addr 192.168.100.1 255.255.255.0

int Po40
desc Connection to Core
nameif local
security-level 100
ip addr 192.168.5.1 255.255.255.248

Core configuration:-

---------------------------

int Po40
desc Connection to ASA
no switchport
ip addr 192.168.5.2 255.255.255.248

interface gig0/23
des Connection to ASA for apps interface (ASA- tengig0/9 )
switchport access vlan 70

ip route 0.0.0.0 0.0.0.0 192.168.5.1 ( route on Core )

int gig0/15

desc apps user

switchpo access vlan 70

from the core , we can't ping 192.168.100.1 which is the gateway for all the users connected to this segment apps.

We tried one of the workstations connected on access vlan 70 on the core & with ip in the range of
192.168.100.x 255.255.255.0 , its gateway being 192.168.100.1 on the ASA.
But we were unable to reach the gateway on ASA from the workstation.

Please help with this.Thanks in advance.

Julio Carvajal · ‎12-11-2013

Hello,

Remember that you cannot access a far-end interface. This means that if you sit on the DMZ interface you will be able to ping the ASA DMZ interface IP address but no the Inside interface IP address.

This is by design and cannot be changed.

That being said if you are pinging from a host on the same subnet than the ASA and the packet is reaching the correct interface this should work.

Do

capture capin interface inside match icmp host x..x.x.x (192.168.100.x host) 192.168.100.1

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎12-11-2013