mudasir05
Beginner

not able to ping inside interface of ASA from my inside Network

Hello All,

 

I am not able to ping the inside interface of the ASA from my internal network, and I am not sure where exactly the problem is.

The internal network comprises an L2 switch, an L3 switch, a router and then the ASA, all configured with inter-VLAN routing.

I am able to reach the interface of the router whose other end is connected to the inside of the ASA.

Hope I am clear.

 

Thanks

Karsten Iwen
VIP Mentor

I would first look at the following points:

  1. Is the ASA blocking ICMP? Show the output of "sh run icmp". And can you reach the ASA with ASDM or SSH?
  2. Does the ASA have a route back to the internal clients-network?

Hi,

ASA-FW# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any management

=========

Yes, I am able to reach ASDM through the management port.

===

Yes, the ASA has the route back to the ASA firewall...

ASA-FW# sh run route
route outside 0.0.0.0 0.0.0.0 94.77.204.133 1
route inside 192.168.2.1 255.255.255.255 198.168.1.2 1
route inside 192.168.2.2 255.255.255.255 198.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
route inside 192.168.6.0 255.255.255.0 192.168.1.2 1

Please let me know what else you need.

 

 

Also find the access-list and access-group commands below:

ASA-FW# sh run access-list
access-list IN_ACL extended permit ip any any
access-list OUT_ACL extended permit ip any object SW-MGMT-Public
access-list OUT_ACL extended permit ip any any
access-list MGMT_ACL extended permit ip any any
ASA-FW# sh run access-grou
ASA-FW# sh run access-group
access-group OUT_ACL in interface outside
access-group IN_ACL in interface inside

====

 

Hi,

Are the pings working from the directly connected subnet devices to the ASA device?

If yes, please apply "debug icmp trace" on the ASA device and give the outputs for the ping from the L3-connected subnet behind the ASA inside subnet.

Also, remove these route statements:

route inside 192.168.2.1 255.255.255.255 198.168.1.2 1
route inside 192.168.2.2 255.255.255.255 198.168.1.2 1

Thanks and Regards,

Vibhor Amrodia


Hi Vibhor,

After removing these statements I was able to ping my inside network and vice versa.

Thanks

This will fix two issues, including the failed xlate issue when trying to test your packets to the outside. I have learned you need some type of ICMP to be able to leave your inside network. This will help clear up your "xlate failed" NAT. You can copy and paste this, as these are the default statements for any any, so this will work on almost any ASA that is running over 8.4:

!
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
!
!now your NAT again default
nat (inside,outside) source dynamic any interface
!
!YOUR outside needs to allow ICMP back into your network so you will ensure your ICMP is before your deny statement
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

Look at the ASDM for help on ensuring your statements are in the right locations. I used the ASDM to configure the firewall, then checked the CLI to ensure I understood how to write it via CLI. Review the image attached.

Hi Mudasir,

 

If you are trying to ping the ASA inside interface sourcing from a host different than 192.168.2.1 or 192.168.2.2 then that would be normal, because ASA has a route back only to those two ip addresses. I would remove those two routes and add this "route inside 192.168.2.0 255.255.255.0 192.168.1.2" then try again.

 

Regards,

Aref


Hi Aref,

I was not able to ping 192.168.2.1 and 192.168.2.2:

ASA-FW# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA-FW# ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

======

However, after adding the "route inside 192.168.2.0 255.255.255.0 192.168.1.2" command I was able to ping....

ASA-FW# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-FW# ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Thanks a ton for your help...

 

 

Glad we could fix it up.

 

Btw, the host routes "route inside 192.168.2.1 255.255.255.255 198.168.1.2" and "route inside 192.168.2.2 255.255.255.255 198.168.1.2" should have been valid to route packets from the ASA towards those two hosts only (192.168.2.1 and 192.168.2.2), so the ASA should have been able to ping them and vice versa, but if there was another host, let's say with IP address 192.168.2.3, then that would not have been possible because there was no route on the ASA towards that third host or the other hosts on network 192.168.2.0/24. By applying the network route "route inside 192.168.2.0 255.255.255.0 192.168.1.2" we told the ASA to route everything destined for that network, i.e. all hosts in that network, via 192.168.1.2. That issue would have been dependent on some restrictions down the path; anyway, again glad we could fix it up.

 

Regards,

Aref
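As an added example (not from this thread or from Cisco), a small Python route-table simulator that parses the "sh run route" lines quoted above and performs the same longest-prefix lookup the ASA does, to show which hosts in 192.168.2.0/24 the ASA could reply to before and after the network route was added. The route text and the sample host 192.168.2.3 are taken from the thread; the reduced tables are constructed for illustration.

```python
import ipaddress

# Constructed from the "sh run route" output posted in this thread (trimmed).
BEFORE = """
route outside 0.0.0.0 0.0.0.0 94.77.204.133 1
route inside 192.168.2.1 255.255.255.255 198.168.1.2 1
route inside 192.168.2.2 255.255.255.255 198.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
"""
# The same table after the accepted fix (host routes removed, /24 added).
AFTER = """
route outside 0.0.0.0 0.0.0.0 94.77.204.133 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
"""


def parse_routes(text):
    """Parse ASA 'route <ifname> <network> <mask> <gateway> [metric]' lines."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, net, mask, gw = parts[1:5]
        metric = int(parts[5]) if len(parts) > 5 else 1
        prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        routes.append((prefix, ifname, ipaddress.ip_address(gw), metric))
    return routes


def lookup(routes, dst):
    """Longest-prefix match (lowest metric on ties); returns (ifname, gateway)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname, gw, metric in routes:
        if dst in prefix:
            key = (prefix.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, ifname, str(gw))
    return None if best is None else (best[1], best[2])


def hosts_reachable_via(routes, network, ifname):
    """Count hosts in `network` whose reply from the ASA would leave `ifname`."""
    return sum(1 for h in ipaddress.ip_network(network).hosts()
               if (r := lookup(routes, str(h))) and r[0] == ifname)


if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        routes = parse_routes(table)
        print(name, "192.168.2.3 ->", lookup(routes, "192.168.2.3"),
              "| /24 hosts via inside:", hosts_reachable_via(routes, "192.168.2.0/24", "inside"))
```

With the host routes only, a reply to 192.168.2.3 matches nothing but the default route and leaves via outside, which is why only two hosts could ever get an answer.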

Hi,

But with those two commands the ASA was still not able to ping 192.168.2.1 and 192.168.2.2, that's where I am confused.... However, when they were removed and "route inside 192.168.2.0 255.255.255.0 192.168.1.2" was added, it worked.... though it should have pinged 192.168.2.1 before...

 

Thanks

Yes, that would be strange behavior. If you want to troubleshoot it again, please remove the last route you added, put back those two host routes and try again; if it does not work, please post the output of "sh route".

 

Regards,

Aref

I saw that the next hop addresses in the route commands are different, which could be the reason why it did not work with the host routes:

For the host routes the next hop IP is 192.168.2.1:

route inside 192.168.2.1 255.255.255.255 192.168.2.1

route inside 192.168.2.2 255.255.255.255 192.168.2.1

For the network route the next hop IP is 192.168.1.2:

route inside 192.168.2.0 255.255.255.0 192.168.1.2

gillirfan
Beginner

Running into a very similar issue without any luck. I have a few VLANs and inter-VLAN routing is working with no problem; I can ping all the devices on the other subnets, but I can't ping the sub-interfaces on the ASA. I understand that this is the default behavior, but I would like to know if it is possible at all with the help of an ACL or something else. Config is attached for reference.

 

Thank you all in advance..
