Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
309
Views
0
Helpful
3
Replies

Not able to ping a sepcific network from inside interface

ftitsecurity
Level 1
Level 1

‎02-03-2016 07:26 AM - edited ‎03-12-2019 12:14 AM

Hi

I am not able to ping a specific subnet via the inside interface.

GigabitEthernet0/0         62.211.xxx.xxx/27    ----> WAN1
GigabitEthernet0/1         62.211.xxx.xxx/27 -----> DMZ1
GigabitEthernet0/2         10.250.250.254/24 -----> Inside
GigabitEthernet0/3         10.10.10.254/24 -----> Remote-Office-1
GigabitEthernet0/4         10.151.2.6/24 ------> Remote-Office-2 --------------------------> 172.16.25.0/24

Behind the Remote Office 2,  I have another network 172.16.25.0/24

I am not able to ping 172.16.25.0/24 network from any interface except  GigabitEthernet0/4

ASA001# ping Remote-Office-2 172.16.25.11 repeat 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.11, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/1 ms
ASA001#

ASA001#

ASA001# ping Remote-Office-1 172.16.25.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.11, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA001#

ASA001# sh route | i 172.16.25.0
S    172.16.25.0 255.255.255.0 [1/0] via 10.151.2.5, Remote-Office-2
ASA001#

Please help

Thanks

Abdul

Labels:
0 Helpful
3 Replies 3

Richard Burts
Hall of Fame
Hall of Fame

‎02-03-2016 08:07 AM

Abdul

You have not provided information about how the remote offices are connected and that might shed some light on the situation. But the issue seems pretty clear. You have configured the ASA with information that says that 172.16.25.0 is reached via Remote-Office-2. So why would you attempt to reach an address in that subnet by going through Remote-Office-1? If your ping packet did reach Remote-Office-1 how would it forward that packet to Remote-Office-2?

HTH

Rick

HTH

Rick
0 Helpful

ftitsecurity
Level 1
Level 1
In response to Richard Burts

‎02-03-2016 08:39 AM

Because Remote-Office-1 needs to connect a server 172.16.25.11 which is behind remote-office-2

Remote-Office-1 Security Level is 100

Remote-Office-2 Security Level is 100

Inside Security level is 100

And i have also checked the option that "Enable traffic between two or more interfaces with same security level"

Thanks

Abdul

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to ftitsecurity

‎02-03-2016 08:51 AM

Abdul

Thank you for the explanation. Checking the option for Enable traffic between interfaces is an essential first step in enabling Office 1 to access the server which is at Office 2. There are possibly other steps that might be needed, but without knowing more about your environment it is not possible to know exactly what is needed. Some of the possible issues include: specify the network in VPN configurations, address translations/NAT exemptions for the traffic, access policies on the interfaces, routing logic at the remote sites.

And none of that relates to the issue in your first post about pinging the server address by going to Office 1. If the server is at Office 2 then why would you want to send a ping packet for the server to Office 1?

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card