02-17-2016 05:57 PM - edited 03-12-2019 12:19 AM
Hi,
I'm trying to simulate a new network, as in the topology diagram below:
However, I encountered some problems:
From ASA:
I can ping back to:
192.168.200.1 (Site_RTR IP, int fa0/1)
192.168.200.2 (ASA VLAN interface IP, outside interface)
10.133.95.12 (DC_RTR, int fa0/1)
10.133.200.1 (ASA VLAN interface IP, inside interface)
10.133.200.23 (machine)
From Site RTR, I'm able to ping back to:
10.133.95.12
192.168.200.1
192.168.200.2
10.133.200.23 (machine)
but not
10.133.200.1 (ASA VLAN interface IP, inside interface)
Question 1:
Is there any way to access/ping that inside interface IP address from the outside?
Question 2:
All the 10.0.0.0/8 subnets will be going through interface outside, while the internet traffic will be going out through interface outside2.
I still haven't configured any NAT yet; is it okay to NAT everything out for outside2?
nat (inside,outside2) source dynamic any interface
Thanks for the help.
JJ
02-20-2016 05:59 AM
Hi JJ,
If you are planning to ping the inside interface IP address while the traffic is entering from any interface other than inside, you will not be able to ping the inside interface IP address.
It is by design and you cannot change it with any ACL or any other settings.
Thanks,
Ishan
Please remember to select a correct answer and rate helpful posts
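As an added illustration of the rule in this answer (this code is not from the thread or from Cisco), here is a small Python model that encodes "an ASA interface address only answers pings that arrive on that same interface, except over VPN with management-access", and then checks the ping results reported in the original post against it; interface names and addresses come from the post, the VPN/management-access branch is an assumption based on the replies.

```python
from ipaddress import ip_address

# Constructed model of the ASA in this thread. Interface names and addresses
# are taken from the original post; the VPN/management-access handling follows
# the replies (assumption: no other to-the-box rules are in play).
ASA_INTERFACES = {
    "outside": ip_address("192.168.200.2"),
    "inside": ip_address("10.133.200.1"),
}
MANAGEMENT_ACCESS = "inside"  # the 'management-access inside' setting discussed above


def ping_expected(ingress, dst, over_vpn=False):
    """Return (reachable, reason) for an ICMP echo that enters the ASA on
    interface `ingress` and is addressed to `dst`, applying the thread's rule."""
    dst = ip_address(dst)
    target = next((n for n, a in ASA_INTERFACES.items() if a == dst), None)
    if target is None:
        # Through-the-box traffic: governed by routing/ACL/NAT, not by this rule.
        return True, "not an ASA interface address; not governed by this rule"
    if target == ingress:
        return True, f"destination is the {ingress} interface the packet arrived on"
    if over_vpn and MANAGEMENT_ACCESS == target:
        return True, f"VPN traffic plus 'management-access {target}'"
    return False, f"{target} interface IP is not reachable via {ingress}; by design"


def unexplained_failures(ingress, observations, over_vpn=False):
    """observations: {dst_ip: ping_succeeded}. Returns the destinations whose
    observed result disagrees with the rule, i.e. the ones worth troubleshooting."""
    return sorted(
        dst for dst, ok in observations.items()
        if ok != ping_expected(ingress, dst, over_vpn)[0]
    )


# Constructed from the Site_RTR results reported in the original post.
SITE_RTR_RESULTS = {
    "10.133.95.12": True,
    "192.168.200.1": True,
    "192.168.200.2": True,
    "10.133.200.23": True,
    "10.133.200.1": False,
}

if __name__ == "__main__":
    for dst, ok in SITE_RTR_RESULTS.items():
        print(dst, "observed:", ok, "model:", ping_expected("outside", dst))
    print("unexplained failures:", unexplained_failures("outside", SITE_RTR_RESULTS))
```

An empty list from unexplained_failures means every failed ping is the documented behaviour rather than a misconfiguration.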
02-18-2016 06:01 AM
I have not seen the full config, so this is only a guess:
Try this if it is missing: management-access inside
This will set which IP to use as the "from" address for traffic originating from this ASA device.
Depending on the ASA model, you have a management interface that might be unconfigured.
02-18-2016 07:00 AM
Nope, it is still the same after I put in the command.
Here is the full config:
Thank you.
02-18-2016 08:37 AM
If I am understanding your question correctly, your traffic is entering one of the interfaces on the ASA and is destined to the IP address of another interface of the ASA.
On the ASA you can only ping the interface IP on which the traffic is hitting first; you cannot ping any other interface IP.
Exception: traffic coming over VPN, and you have the "management-access <interface name>" command configured.
Thanks,
Ishan
Please remember to select a correct answer and rate helpful posts
02-18-2016 12:38 PM
Hi Ishan,
"your traffic is entering one of the interfaces on the ASA and is destined to the IP address of another interface of the ASA."
Yes, you are correct on this, as I try to ping from the outside back to the inside network.
It is able to ping the internal devices (the IP 10.133.200.23), but not the IP 10.133.200.1 (int vlan 1).
"Exception: traffic coming over VPN, and you have the "management-access <interface name>" command configured."
Erm, I don't think VPN is playing a trick here, as I'm not building a VPN tunnel back?
Correct me if I'm wrong.
Thank you.
02-20-2016 05:54 AM
I believe what Ishan meant was that you can only ping the inside interface if you are VPN'd in and have the management-access command configured.
It's normal and expected to not be able to ping internal interface IPs when you are coming from the outside.