598 Views | 0 Helpful | 4 Replies

Ping closest interface in Cisco ASA

hstf_techy
Level 1

I have a flat network with one VLAN in ASA 5500 and I am trying to divide it into multiple segregated VLANs. Later I found out it is not possible to ping the closest interface as it is by design.

For instance, vlan2 is not able to ping 192.168.1.1 in vlan2 if they are in the same physical interface. I have two servers that sit in a different VLAN and now have to be moved back.

Is there any reason for this? Or a possible workaround with a different design?


==============================

Symptom:

Unable to ping the IP address of a far-end interface of the firewall (i.e. pinging the IP of any interface aside from the one closest to the ping source).

Workaround:

None. This behavior is by design.

==============================

4 Replies

This behavior is only for pinging the ASA interfaces and has nothing to do with the communication between the firewalled networks. So everything else should work as you need it. Why do you want to ping the far-end interface of the ASA?

But I don't really understand what you want to achieve; your example where both systems are in vlan2 doesn't make any sense to me.

Or are you having two different VLANs that want to communicate? If both of these have the same security-level, then you also need the following command configured:

same-security-traffic permit inter-interface

Same-security-traffic is already there on day one. There is a typo in my statement:

Old - 1 vlan in 192.168.1.0, ASA is 192.168.1.1, Same interface.

Current - 5 vlans, 192.168.1-5.0. No devices in other than 192.168.1.0 can ping the ASA interface.

I am trying to ping the ASA interface from other VLANs but no luck. Not sure why this is by design. You can reproduce it as it is fairly straightforward.

I would be surprised if it works for you because it is confirmed as a bug with Cisco. This is the error I see from the log:

"Failed to locate egress interface for ICMP from serv500:192.168.5.11/3 to 192.168.1.1"

I still do not understand what you want to achieve. Do you want to ping to the ASA or through the ASA?

Please share your config and an *exact* description of what you are trying. And the error message above is for an unreachable, not for a ping.

Hi,

I am trying to ping the ASA interface from other vlans.

===================

RCE01# sh run int
!
interface Ethernet0/0
 description internet modem
 switchport access vlan 40
!
interface Ethernet0/1
 description swce1 ge0/2
 switchport access vlan 100
!
interface Ethernet0/2
 description swce2 fa0/23
 switchport trunk allowed vlan 50,80,100,500,800
 switchport mode trunk
!
interface Ethernet0/3
 description hsesx1-vmnic1
 switchport trunk allowed vlan 50,80,100,500,800
 switchport mode trunk
!
interface Ethernet0/4
 description hsesx-vmnic1
 switchport trunk allowed vlan 50,80,100,500,800
 switchport mode trunk
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 description test-port
 switchport trunk allowed vlan 50,80,100,500,800
 switchport mode trunk
!
interface Ethernet0/7
 shutdown
!
interface Vlan40
 nameif outside
 security-level 0
 ip address 75.144.183.21 255.255.255.252
!
interface Vlan50
 nameif guest-wifi
 security-level 50
 ip address 172.16.0.1 255.255.254.0
!
interface Vlan80
 nameif prod80
 security-level 100
 ip address 192.168.80.1 255.255.255.0
!
interface Vlan100
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan200
 nameif voice200
 security-level 100
 ip address 192.168.110.1 255.255.255.0
!
interface Vlan500
 nameif serv500
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan800
 nameif mgmt800
 security-level 100
 ip address 192.192.100.1 255.255.255.0

==================================

sh run nat
nat (inside,outside) source static obj-192.168.100.0 obj-192.168.100.0 destination static obj_172.16.16 obj_172.16.16 no-proxy-arp route-lookup
nat (serv500,outside) source static serv500-192.168.50.0 serv500-192.168.50.0 destination static obj_172.16.16 obj_172.16.16 no-proxy-arp route-lookup
nat (prod80,outside) source static prod80-192.168.80.0 prod80-192.168.80.0 destination static obj_172.16.16 obj_172.16.16 no-proxy-arp route-lookup
nat (mgmt800,outside) source static mgmt800-192.192.100.0 mgmt800-192.192.100.0 destination static obj_172.16.16 obj_172.16.16 no-proxy-arp route-lookup
nat (prod80,outside) source static prod80-192.168.80.0 prod80-192.168.80.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.100.0 obj-192.168.100.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp route-lookup
nat (serv500,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp route-lookup
nat (serv500,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-192.192.200.0 obj-192.192.200.0 no-proxy-arp route-lookup
nat (prod80,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
nat (outside,outside) source static obj_172.16.16 obj_172.16.16 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp route-lookup
!
object network obj-0.0.0.0
 nat (inside,outside) dynamic interface
object network obj-nat
 nat (guest-wifi,outside) dynamic interface
object network obj-192.168.50.0
 nat (serv500,outside) dynamic interface
object network obj-192.168.80.0
 nat (prod80,outside) dynamic interface
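As an added illustration (not from the thread or from Cisco), the rule stated in the quoted bug text and in the first reply can be checked against the posted config: an ICMP echo to an ASA-owned address is answered only when the owning interface is the one the packet arrived on, any other ASA-owned address is a far-end interface and gets no reply, and a destination the ASA does not own is traffic through the ASA, which is what the last responder was asking about. The config excerpt is constructed from the `sh run int` output above and the function names are assumptions.

```python
import ipaddress

# Constructed excerpt of the "sh run int" output posted in the thread.
ASA_RUN_INT = """
interface Vlan40
 nameif outside
 security-level 0
 ip address 75.144.183.21 255.255.255.252
!
interface Vlan100
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan500
 nameif serv500
 security-level 100
 ip address 192.168.50.1 255.255.255.0
"""


def parse_interfaces(text):
    """Return {nameif: (ip_interface, security_level)} from 'sh run int' text."""
    result = {}
    name = level = addr = None
    for line in text.splitlines() + ["!"]:      # trailing "!" flushes last block
        line = line.strip()
        if line.startswith("interface ") or line == "!":
            if name and addr:
                result[name] = (addr, level)
            name = level = addr = None
        elif line.startswith("nameif "):
            name = line.split(None, 1)[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
    return result


def ping_to_asa_verdict(interfaces, ingress, dst_ip):
    """Classify an ICMP echo that arrives on `ingress` addressed to `dst_ip`."""
    # Security levels are parsed but deliberately not consulted: the rule the
    # thread discusses depends only on which interface owns the address.
    dst = ipaddress.ip_address(dst_ip)
    owner = next((n for n, (a, _) in interfaces.items() if a.ip == dst), None)
    if owner is None:
        return "through-asa"       # not an ASA address: routed, subject to policy
    if owner == ingress:
        return "answered"          # closest (ingress) interface: replied by design
    return "dropped-far-end"       # far-end interface: no reply by design
```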
