12-17-2012 08:09 AM - edited 03-11-2019 05:38 PM
Hi,
I've tried to read up on Google, etc., about this, but I haven't found a solution. Here's my basic setup:
Computer A:
IP- 192.168.0.3
Mask- 255.255.252.0
Gateway- 192.168.0.2
Computer B:
IP- 192.168.4.3
Mask- 255.255.252.0
Gateway- 192.168.4.1
ASA 5510 #1:
int e0/0:
IP- 192.168.0.2
Mask- 255.255.252.0
int e0/2:
IP- 10.0.0.6
Mask- 255.255.255.252
ASA 5510 #2:
int e0/1:
IP- 192.168.4.1
Mask- 255.255.252.0
int e0/2:
IP- 10.0.0.5
Mask- 255.255.255.252
Now here's my problem.
Computer A can ping Firewall 1 and Firewall 2, but not Computer B.
Computer B can ping Firewall 1 and Firewall 2, but not Computer A.
Firewall 1 can ping Firewall 2, Computer A, and Computer B.
Firewall 2 can ping Firewall 1, Computer A, and Computer B.
Why can't the computers ping each other, but their default gateways can? I've specifically allowed ICMP any any on all the affected interfaces.
12-17-2012 08:18 AM
Can you please post the routes added on both firewalls?
With Regards,
Safwan
12-17-2012 08:34 AM
ASA 5510 #1
C 10.0.0.4 255.255.255.252 is directly connected, int e0/2
D 192.168.4.0 255.255.252.0 [90/28416] via 10.0.0.5, int e0/2
C 192.168.0.0 255.255.252.0 is directly connected, int e0/0
ASA 5510 #2
C 10.0.0.4 255.255.255.252 is directly connected, int e0/2
C 192.168.4.0 255.255.252.0 is directly connected, int e0/1
D 192.168.0.0 255.255.252.0 [90/30720] via 10.0.0.6, int e0/2
12-17-2012 08:49 AM
Routes are perfect; better if you can post the show run.
With Regards,
Safwan
12-17-2012 09:04 AM
The current loads on the ASAs do not permit me to load them at the moment. They were modeled around our company's current single firewall configuration (ACLs, VPNs, and Certificates), and I don't have time to mask all the private company info right now. For testing, of course, I'm building them in a lab environment and ensuring that services that need to work, well, work.
I should be able to do it by tonight, Central Time US.
12-17-2012 09:14 AM
Hi,
Any TCP service running on the hosts that you could test from each LAN?
Have you checked the "packet-tracer" command output on both firewalls for the attempted connection and seen anything special?
- Jouni
12-17-2012 10:44 PM
Thanks. This helped me identify missing NAT exemption rules on my interfaces between the firewalls.
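Added example, not part of the thread and not the poster's configuration: how the packet-tracer check suggested above and a NAT exemption between the two LANs could look on ASA #1, using the addresses from the first post. Assumptions: ASA 8.3 or later (object-based NAT syntax), interface names `inside` (e0/0) and `interlink` (e0/2), and the object names `LAN-A` and `LAN-B`; none of these appear in the thread.

```cisco
! --- ASA #1: simulate the echo request from Computer A to Computer B ---
! "inside" is an assumed nameif for e0/0; 8 0 = ICMP type 8 (echo), code 0.
! In the output, look at the NAT phases: a translate/untranslate hit on a
! dynamic PAT rule, or a final "Action: drop", points at NAT rather than
! routing or ACLs.
packet-tracer input inside icmp 192.168.0.3 8 0 192.168.4.3 detailed

! --- ASA #1: objects for the two LANs (hypothetical names) ---
object network LAN-A
 subnet 192.168.0.0 255.255.252.0
object network LAN-B
 subnet 192.168.4.0 255.255.252.0

! --- ASA #1: identity (exemption) twice-NAT rule ---
! Source and destination are both translated to themselves, so traffic
! between the two LANs crosses the inter-firewall link untranslated.
! "interlink" is an assumed nameif for e0/2.
nat (inside,interlink) source static LAN-A LAN-A destination static LAN-B LAN-B

! --- ASA #1: confirm rule order and hit counts after re-testing the ping ---
show nat detail

! ASA #2 needs the mirror image: the same two objects, its own interface
! names, and LAN-B as the source with LAN-A as the destination.
```

Pings sourced from the firewalls themselves are not transit traffic, so they can succeed while host-to-host traffic through the NAT rules fails, which matches the symptoms in the first post.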