Not able to ping inside interface from outside

jjteow
Level 1

Hi,

I'm trying to simulate a new network as in the topology diagram below:

Topology

However, I've encountered some problems:

From ASA:

I can ping back to:

192.168.200.1 (Site_RTR IP, int fa0/1)

192.168.200.2 (ASA vlan interface IP, outside interface)

10.133.95.12 (DC_RTR, int fa0/1)

10.133.200.1 (ASA vlan interface IP, inside interface)

10.133.200.23 (machine)

From Site RTR, I'm able to ping back to:

10.133.95.12

192.168.200.1

192.168.200.2

10.133.200.23 (machine)

but not

10.133.200.1 (ASA vlan interface IP, inside interface)

Question 1:

Is there any way to access/ping that inside interface IP address from the outside?

Question 2:

All the 10.0.0.0/8 subnets will go through interface outside; however, internet traffic will go out through interface outside 2.

I still haven't configured any NAT yet; is it okay to NAT everything out for outside2?

nat (inside,outside2) source dynamic any interface

configuration

Thanks for the help.

JJ

1 Accepted Solution

Accepted Solutions

Hi JJ,

If you are planning to ping the inside interface IP address while traffic is entering from any interface other than inside, you will not be able to ping the inside interface IP address.

It is by design and you cannot change it by any ACL or any other settings.

Thanks,
Ishan
Please remember to select a correct answer and rate helpful posts

6 Replies

vschmidt_2
Level 1

I have not seen the full config, so this is only a guess:

Try if this is missing: management-access inside

This will set what IP to use as the "from" address for traffic originating from this ASA device.

Depending on ASA model you have a management interface, that might be unconfigured.

Nope, it is still the same after I put in the command.

Here is the full config:

Full Config

Thank you.

If I am understanding your question correctly, your traffic is entering one of the interfaces on the ASA and is destined to the IP address of another interface of the ASA.

On the ASA you can only ping the interface IP on which traffic is hitting first; you cannot ping any other interface IP.

Exception: traffic coming over VPN and you have "management-access <interface name>" command configured.

Thanks,
Ishan
Please remember to select a correct answer and rate helpful posts

Hi Ishan, 

your traffic is entering one of the interface on ASA and destined to IP address of another interface of the ASA.

Yes, you are correct on this, as I try to ping from outside back to the inside network.

It is able to ping internal devices (the IP 10.133.200.23), but not the IP 10.133.200.1 (int vlan 1).

Exception: traffic coming over VPN and you have "management-access <interface name>" command configured.

Erm, I don't think VPN is playing the trick here, as I'm not building a VPN tunnel back?

Correct me if I'm wrong.

Thank you.

I believe what Ishan meant was that you can only ping the inside if you are VPN'd in and have the management-access command configured.

It's normal and expected to not be able to ping internal interface IPs when you are coming from the outside.
