Ping from interface issue

h.dam
Level 1

Hi everyone,

On my ASA, I've run into a strange issue with ping. Let me show you the config:

Zone ADM: security-level 100, VM-net-device=192.168.1.1
Zone MGT: security-level 100, VM-NMS=172.16.1.104

ICMP echo, echo-reply, unreachable are allowed in both zones
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

From the ASA, I can ping both VMs.
e.g. ping 172.16.1.104 => OK
But the VMs cannot ping each other.
I tried to run ping <zonename> x.x.x.x, and it failed.
e.g. ping ADM 172.16.1.104 => failed
     ping MGT 192.168.1.1 => failed

Is this an issue, or is it perhaps the firewall's default protection?

Thanks for your reply.

Regards.
3 Replies

Dennis Mink
VIP Alumni

Use the packet-tracer tool to see why the ICMP request gets blocked.

Also put a permit from 172.16.1.104 to 192.168.1.1, any any, for testing on your Zone MGT in.

Also, the MGT isn't by any chance on the physical Management interface of the ASA, is it?

Please remember to rate useful posts, by clicking on the stars below.

Hi,

I have ICMP any any configured already, so I don't need to add the hosts.

Your question about MGT: none of these zones uses the physical mgmt interface.

I have doubts about the routing between these zones with the same security level, because I got this error:

"ASA-6-110002: Failed to locate egress interface for protocol from src"

Should I put static NAT on the interfaces? If yes, could you give some examples?

Thanks.

Regards.

Hello,

I added the static NAT commands on the ASA like this:

object network ADM-network
 subnet 192.168.1.0 255.255.255.0
 nat (ADM, MGT) static 192.168.1.0

object network MGT-network
 subnet 172.16.1.0 255.255.255.0
 nat (MGT, ADM) static 172.16.1.0

But it didn't work; I still have the issue.

I think I cannot run ping <zonename> on a FW the way I run ping <src interface> on a router. It is the FW IP spoofing feature.
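The following is an added troubleshooting sequence for the packet-tracer check suggested in the first reply and for the final question about ping <zonename>; it is not taken from the thread or from any poster's configuration. The interface names ADM and MGT and the two host addresses come from the question; the prompt name "ciscoasa" and the ACL name "MGT-IN" are hypothetical placeholders.

```cisco
! Added example (not from the thread). ADM/MGT and the host addresses are from
! the question; "ciscoasa" and the ACL name "MGT-IN" are placeholders.

! 1. Confirm forwarding between the two security-level-100 interfaces is enabled.
ciscoasa# show running-config same-security-traffic
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

! 2. Confirm neither interface is configured management-only; a management-only
!    interface accepts traffic to the ASA but never forwards through-traffic.
ciscoasa# show running-config interface

! 3. Simulate the real host-to-host echo request (ICMP type 8, code 0) entering
!    MGT from VM-NMS and destined for VM-net-device. The output lists each phase
!    (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) and names the phase that drops the
!    packet, which a ping sourced from the ASA itself cannot show.
ciscoasa# packet-tracer input MGT icmp 172.16.1.104 8 0 192.168.1.1 detailed

! 4. Repeat for the reverse direction so the echo-reply path is checked too.
ciscoasa# packet-tracer input ADM icmp 192.168.1.1 8 0 172.16.1.104 detailed

! 5. If the trace ends in a ROUTE-LOOKUP drop (the 110002 "Failed to locate
!    egress interface" case), check that each subnet appears as a connected
!    route on the expected interface. On ASA 8.3 and later no NAT rule is needed
!    to forward between two directly connected interfaces.
ciscoasa# show route

! 6. If the trace ends in an ACCESS-LIST drop: the "icmp permit" command only
!    governs ICMP addressed to the ASA's own interface addresses. When an ACL is
!    applied to the ingress interface, it must permit the through-traffic.
ciscoasa(config)# access-list MGT-IN extended permit icmp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# access-group MGT-IN in interface MGT

! 7. Watch the live log while re-running the test from VM-NMS.
ciscoasa# show logging | include 110002
```

On the ASA, ping <if_name> <host> sends the ASA's own echo request out the named interface, sourced from that interface's address; it does not emulate a host sitting behind that interface. So "ping ADM 172.16.1.104" sends a request for a MGT-side host out the ADM interface and fails regardless of the inter-interface policy, which is why packet-tracer, not ping, is the command that tests the VM-to-VM path.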

 
