09-14-2012 04:26 AM - edited 03-11-2019 04:54 PM
Hi,
I am trying to access and ping the inside interface of an ASA5505 from a remote network. From the remote network, I am able to access anything on the local network except the ASA5505 inside interface.
The two networks are linked by a fiber link, which has a transport network on another interface. From the remote network, I am able to ping the transport network interface IP, but I would like to be able to ping the inside interface IP. When I do a packet tracer, I get a deny from an implicit rule.
How can I achieve that?
Here are the subnets involved and the ASA5505 config.
Remote network : 10.10.2.0/24
Local network : 10.10.1.0/24
Transport network : 10.10.99.0/24
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password tLXdEf2PPKvbKVfy encrypted
passwd tLXdEf2PPKvbKVfy encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
shutdown
!
interface Ethernet0/1
switchport access vlan 99
speed 10
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.245 255.255.255.0
!
interface Vlan99
nameif fibre_noir_privee
security-level 100
ip address 10.10.99.1 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Mazda
subnet 10.10.2.0 255.255.255.0
object network Volks
subnet 10.10.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination fibre_noir_privee 10.10.2.241 2055
snmp-server host fibre_noir_privee 10.10.2.241 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
telnet 10.10.1.0 255.255.255.0 inside
telnet 10.10.9.0 255.255.255.0 fibre_noir_privee
telnet 10.10.2.0 255.255.255.0 fibre_noir_privee
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map flow_export_class
match any
!
!
policy-map global_policy
class flow_export_class
flow-export event-type all destination 10.10.2.241
policy-map flow_export_policy
class flow_export_class
flow-export event-type all destination 10.10.2.241
!
service-policy flow_export_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7131c3d0ce236833818249c0f99b2545
: end
09-14-2012 04:50 AM
Hi Stephane,
If you are trying to ping the inside interface from a remote network behind another interface, it would not work, due to the security feature of the ASA by default. You cannot do any configuration to ping the inside interface; if you just want to test the reachability, then you can try pinging any host in the inside network rather than the interface itself.
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
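The rule in the answer above, applied to the interfaces posted in the question, as an added example that is not part of the original thread or of any Cisco tool. It parses the relevant `nameif` / `ip address` lines, works out which ASA interface a packet from a given source would arrive on, and reports whether an ICMP echo to an interface address would be answered. The static route for 10.10.2.0/24 via `fibre_noir_privee` is an assumption (the posted config shows no `route` lines), as is the next-hop 10.10.99.2.

```python
import ipaddress

# Constructed excerpt of the interface config posted in the thread, plus an
# ASSUMED static route for the remote subnet (the posted config shows none).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.10.1.245 255.255.255.0
interface Vlan99
 nameif fibre_noir_privee
 ip address 10.10.99.1 255.255.255.0
route fibre_noir_privee 10.10.2.0 255.255.255.0 10.10.99.2 1
"""

def parse_config(config):
    """Return ({nameif: ip_interface}, [(nameif, ip_network)]) from ASA text."""
    ifaces, routes, nameif = {}, [], None
    for raw in config.splitlines():
        words = raw.split()
        if words[:1] == ["nameif"]:
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif:
            ifaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[:1] == ["route"]:
            routes.append((words[1], ipaddress.ip_network(f"{words[2]}/{words[3]}")))
    return ifaces, routes

def ingress_interface(src, ifaces, routes):
    """Interface a packet from src arrives on: a directly connected subnet
    first, otherwise the longest-prefix static route (reverse-path lookup)."""
    src = ipaddress.ip_address(src)
    for name, iface in ifaces.items():
        if src in iface.network:
            return name
    hits = [(net.prefixlen, name) for name, net in routes if src in net]
    return max(hits)[1] if hits else None

def icmp_to_asa_allowed(src, dst, config=ASA_CONFIG):
    """Rule from the TAC answer: an ASA interface address only answers ICMP
    that arrives on that same interface. Returns (answered, reason)."""
    ifaces, routes = parse_config(config)
    dst_ip = ipaddress.ip_address(dst)
    target = next((n for n, i in ifaces.items() if i.ip == dst_ip), None)
    if target is None:
        return True, "not an ASA interface address; normal policy applies"
    ingress = ingress_interface(src, ifaces, routes)
    if ingress == target:
        return True, f"arrives on {ingress} and targets {target}: answered"
    return False, f"arrives on {ingress} but targets {target}: dropped"
```

Running `icmp_to_asa_allowed("10.10.2.10", "10.10.1.245")` reproduces the poster's symptom (dropped), while the same source to `10.10.99.1` or to a host such as `10.10.1.50` is answered, which is the reachability test the answer recommends.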