10-28-2014 06:02 AM - edited 03-11-2019 09:59 PM
Hello All,
I am not able to ping the inside interface of the ASA from my internal network; not sure where exactly the problem is.
The internal network comprises an L2 switch, an L3 switch, a router and then the ASA, all configured with inter-VLAN routing.
I am able to reach the interface of the router whose other end is connected to the inside of the ASA.
Hope I am clear.
Thanks
10-28-2014 07:17 AM
I would first look at the following points:
10-28-2014 11:51 PM
Hi,
ASA-FW# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any management
=========
Yes, I am able to reach ASDM through the management port.
===
Yes, the ASA has the route back to the ASA firewall...
ASA-FW# sh run route
route outside 0.0.0.0 0.0.0.0 94.77.204.133 1
route inside 192.168.2.1 255.255.255.255 198.168.1.2 1
route inside 192.168.2.2 255.255.255.255 198.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
route inside 192.168.6.0 255.255.255.0 192.168.1.2 1
Please let me know what else you need.
10-28-2014 11:52 PM
Also find the access-list and access-group commands,
ASA-FW# sh run access-list
access-list IN_ACL extended permit ip any any
access-list OUT_ACL extended permit ip any object SW-MGMT-Public
access-list OUT_ACL extended permit ip any any
access-list MGMT_ACL extended permit ip any any
ASA-FW# sh run access-group
access-group OUT_ACL in interface outside
access-group IN_ACL in interface inside
====
10-29-2014 02:31 AM
Hi,
Are the pings working from devices on the subnet directly connected to the ASA?
If yes, please apply debug icmp trace on the ASA and give the output for a ping from the L3-connected subnet behind the ASA inside subnet.
Also, remove these route statements:
route inside 192.168.2.1 255.255.255.255 198.168.1.2 1
route inside 192.168.2.2 255.255.255.255 198.168.1.2 1
Thanks and Regards,
Vibhor Amrodia
10-29-2014 08:30 AM
Hi Vibhor,
After removing these statements I was able to ping my inside network, and vice versa.
Thanks
04-10-2020 07:41 AM
10-29-2014 02:53 AM
Hi Mudasir,
If you are trying to ping the ASA inside interface sourcing from a host other than 192.168.2.1 or 192.168.2.2, then that would be normal, because the ASA has a route back only to those two IP addresses. I would remove those two routes and add this: "route inside 192.168.2.0 255.255.255.0 192.168.1.2", then try again.
Regards,
Aref
10-29-2014 08:25 AM
Hi Aref,
I was not able to ping 192.168.2.1 and 192.168.2.2:
ASA-FW# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA-FW# ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
======
However, after adding the "route inside 192.168.2.0 255.255.255.0 192.168.1.2" command I was able to ping:
ASA-FW# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-FW# ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Thanks a ton for your help.
10-29-2014 09:01 AM
Glad we could fix it up.
By the way, the host routes "route inside 192.168.2.1 255.255.255.255 198.168.1.2" and "route inside 192.168.2.2 255.255.255.255 198.168.1.2" should have been valid to route packets from the ASA towards those two hosts only (192.168.2.1 and 192.168.2.2), so the ASA should have been able to ping them and vice versa. But if there was another host, let's say with IP address 192.168.2.3, then that would not have been possible, because there was no route on the ASA towards that third host or the other hosts on network 192.168.2.0/24. By applying the network route "route inside 192.168.2.0 255.255.255.0 192.168.1.2" we told the ASA to route everything destined for that network, to all hosts in that network, via 192.168.1.2. That issue would have been dependent on some restrictions down the path; anyway, again, glad we could fix it up.
Regards,
Aref
10-30-2014 12:02 AM
Hi,
But with those two commands the ASA was still not able to ping 192.168.2.1 and 192.168.2.2; that's where I am confused. However, when I removed them and added "route inside 192.168.2.0 255.255.255.0 192.168.1.2" it worked, though it should have pinged 192.168.2.1 before.
Thanks
10-30-2014 07:43 AM
Yes, that would be strange behavior. If you want to troubleshoot it again, please remove the last route you added, put back those two host routes and try again; if it does not work, please post the output of "sh route".
Regards,
Aref
08-02-2018 11:18 AM
I saw that the next hop addresses in the route commands are different, which could be the reason why it did not work with the host routes:
For the host routes the next hop IP is 192.168.2.1:
route inside 192.168.2.1 255.255.255.255 192.168.2.1
route inside 192.168.2.2 255.255.255.255 192.168.2.1
For the network route the next hop IP is 192.168.1.2:
route inside 192.168.2.0 255.255.255.0 192.168.1.2
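The thread never settles why the two host routes failed while the /24 route worked, but the `sh run route` output posted above already contains the answer: the host routes point at 198.168.1.2, while every working route points at 192.168.1.2. A next hop that is not on any connected subnet can never be ARPed, so the ASA silently drops traffic for those destinations. The following Python checker is an added example, not code from the thread or from Cisco: it parses the posted route lines, verifies that each next hop lies inside the connected subnet of the interface named in the route, and performs the longest-prefix lookup the ASA would do for the return packet of a given source host (the point Aref makes about a hypothetical 192.168.2.3). The interface addresses in `INTERFACES` are assumptions; the thread never posted `sh run interface`, and the inside subnet 192.168.1.0/24 is only inferred from the working next hop 192.168.1.2.

```python
import ipaddress
import re

# Constructed sample input: the `sh run route` lines as posted in the thread,
# including the two host routes with the mistyped 198.168.1.2 next hop.
ROUTE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 94.77.204.133 1
route inside 192.168.2.1 255.255.255.255 198.168.1.2 1
route inside 192.168.2.2 255.255.255.255 198.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
route inside 192.168.6.0 255.255.255.0 192.168.1.2 1
"""

# ASSUMED interface addressing (not posted in the thread). The inside /24 is
# inferred from the working next hop 192.168.1.2; outside and management are
# placeholders chosen only so that the sample runs.
INTERFACES = {
    "inside": "192.168.1.1/24",
    "outside": "94.77.204.130/29",
    "management": "10.10.10.1/24",
}

# ASA syntax: route <nameif> <network> <mask> <gateway> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_routes(text):
    """Return a list of dicts for every valid `route` line in `text`."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        nameif, dst, mask, gw, metric = m.groups()
        routes.append({
            "nameif": nameif,
            # ipaddress accepts dotted-decimal masks, so "0.0.0.0/0.0.0.0" -> 0.0.0.0/0
            "dst": ipaddress.ip_network(f"{dst}/{mask}", strict=False),
            "gw": ipaddress.ip_address(gw),
            "metric": int(metric) if metric else 1,
        })
    return routes


def check_next_hops(text, interfaces):
    """Flag routes whose gateway is not on the connected subnet of their interface.

    Returns a list of (destination, problem) tuples; an empty list means clean.
    """
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in interfaces.items()}
    findings = []
    for r in parse_routes(text):
        iface = ifaces.get(r["nameif"])
        if iface is None:
            findings.append((str(r["dst"]), f"unknown interface {r['nameif']}"))
            continue
        if r["gw"] in iface.network:
            continue
        # Is the gateway at least on some other interface (wrong nameif), or on nothing at all?
        owner = next((n for n, i in ifaces.items() if r["gw"] in i.network), None)
        problem = f"next hop {r['gw']} is not on {r['nameif']} ({iface.network})"
        problem += f"; it belongs to {owner}" if owner else "; no interface owns it (typo?)"
        findings.append((str(r["dst"]), problem))
    return findings


def return_route(text, host):
    """Longest-prefix match for a reply to `host`, as the ASA's routing table would do.

    Returns (nameif, destination, gateway) or None when no route matches at all.
    """
    h = ipaddress.ip_address(host)
    candidates = [r for r in parse_routes(text) if h in r["dst"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r["dst"].prefixlen)
    return (best["nameif"], str(best["dst"]), str(best["gw"]))


if __name__ == "__main__":
    for dst, problem in check_next_hops(ROUTE_CONFIG, INTERFACES):
        print(f"{dst}: {problem}")
    for host in ("192.168.2.1", "192.168.2.3", "192.168.3.10"):
        print(host, "->", return_route(ROUTE_CONFIG, host))
```

Against the posted configuration the checker reports only the two /32 routes, and the lookup for 192.168.2.3 falls through to the outside default route: that is the same outcome Aref describes, a reply from the ASA leaving the wrong interface, which is why the /24 route fixes both symptoms at once. Run the check again after any `route` change, and remember that a correct route is still only half the story for pinging an interface: the `icmp permit any inside` line shown earlier in the thread is what allows the ASA to answer at all.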
03-30-2021 04:30 PM
Running into a very similar issue without any luck. I have a few VLANs and inter-VLAN routing is working with no problem; I can ping all the devices on the other subnets, but I can't ping the sub-interfaces on the ASA. I understand that this is the default behavior, but I would like to know if it is possible at all with the help of an ACL or something else. Config is attached for reference.
Thank you all in advance..