02-03-2016 07:26 AM - edited 03-12-2019 12:14 AM
Hi
I am not able to ping a specific subnet via the inside interface.
GigabitEthernet0/0 62.211.xxx.xxx/27 ----> WAN1
GigabitEthernet0/1 62.211.xxx.xxx/27 -----> DMZ1
GigabitEthernet0/2 10.250.250.254/24 -----> Inside
GigabitEthernet0/3 10.10.10.254/24 -----> Remote-Office-1
GigabitEthernet0/4 10.151.2.6/24 ------> Remote-Office-2 --------------------------> 172.16.25.0/24
Behind the Remote Office 2, I have another network 172.16.25.0/24
I am not able to ping 172.16.25.0/24 network from any interface except GigabitEthernet0/4
ASA001# ping Remote-Office-2 172.16.25.11 repeat 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.11, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/1 ms
ASA001#
ASA001#
ASA001# ping Remote-Office-1 172.16.25.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.11, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA001#
ASA001# sh route | i 172.16.25.0
S 172.16.25.0 255.255.255.0 [1/0] via 10.151.2.5, Remote-Office-2
ASA001#
Please help
Thanks
Abdul
02-03-2016 08:07 AM
Abdul
You have not provided information about how the remote offices are connected and that might shed some light on the situation. But the issue seems pretty clear. You have configured the ASA with information that says that 172.16.25.0 is reached via Remote-Office-2. So why would you attempt to reach an address in that subnet by going through Remote-Office-1? If your ping packet did reach Remote-Office-1 how would it forward that packet to Remote-Office-2?
HTH
Rick
02-03-2016 08:39 AM
Because Remote-Office-1 needs to connect to a server 172.16.25.11 which is behind Remote-Office-2
Remote-Office-1 Security Level is 100
Remote-Office-2 Security Level is 100
Inside Security level is 100
And I have also checked the option "Enable traffic between two or more interfaces with same security level"
Thanks
Abdul
02-03-2016 08:51 AM
Abdul
Thank you for the explanation. Checking the option for Enable traffic between interfaces is an essential first step in enabling Office 1 to access the server which is at Office 2. There are possibly other steps that might be needed, but without knowing more about your environment it is not possible to know exactly what is needed. Some of the possible issues include: specify the network in VPN configurations, address translations/NAT exemptions for the traffic, access policies on the interfaces, routing logic at the remote sites.
And none of that relates to the issue in your first post about pinging the server address by going to Office 1. If the server is at Office 2 then why would you want to send a ping packet for the server to Office 1?
HTH
Rick
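One way to test the transit path discussed in the replies above, as an added example that is not part of the original thread: `packet-tracer` simulates a packet arriving on Remote-Office-1 and reports the route, access-list and NAT decision at each phase. The source host 10.10.10.50 is a constructed address in the Remote-Office-1 subnet; the interface names, server address and next hop come from the first post.

```cisco
! Added example. 10.10.10.50 is a constructed host address, not from the thread.

! 1. Confirm that forwarding between same-security interfaces is configured.
!    The ASDM checkbox corresponds to the CLI setting
!    "same-security-traffic permit inter-interface".
show running-config same-security-traffic

! 2. Simulate an ICMP echo request (type 8, code 0) entering Remote-Office-1
!    and destined for the server behind Remote-Office-2.
packet-tracer input Remote-Office-1 icmp 10.10.10.50 8 0 172.16.25.11 detailed

! 3. Read the result phase by phase:
!    - ROUTE-LOOKUP: should select Remote-Office-2 via 10.151.2.5,
!      matching the static route shown in "sh route".
!    - ACCESS-LIST: names the interface ACL or implicit rule that
!      permits or drops the flow.
!    - NAT: shows whether a translation or exemption rule is applied.

! 4. Check whether ICMP inspection is enabled in the service policy,
!    so that echo replies are matched to the request and allowed back.
show running-config policy-map
```

If every phase shows ALLOW and hosts in Remote-Office-1 still get no reply, the remaining item from the list above is routing at the remote sites: the devices behind 10.151.2.5 need a return route to 10.10.10.0/24.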