05-28-2010 11:17 AM - edited 03-11-2019 10:52 AM
Hi,
I'm configuring an ASA 5510. I have the following partial configuration:
interface ethernet 0/1
nameif Outside_net2
security-level 0
ip address 10.0.2.2 255.255.255.0
!
interface Ethernet0/3
nameif Inside_vlans
security-level 100
ip address 192.168.10.254 255.255.255.0
!
access-list nat_ADSL permit ip 192.168.10.0 255.255.255.0 any
!
access-list 100 permit icmp any any
!
access-list 110 permit icmp any any
!
global (Outside_net2) 1 10.0.2.3
nat (Inside_vlans) 1 access-list nat_ADSL
!
access-group 100 in interface Outside_net2
access-group 110 in interface Inside_vlans
At the moment I don't have any other interfaces configured.
Behind interface Inside_vlans I have a switch with the IP 192.168.10.251 with a default gateway of 192.168.10.254.
Next to the interface Outside_net2 I have an ADSL router with the IP 10.0.2.1 on the LAN interface.
When I ping from the ASA to the ADSL router or to the switch everything is OK, and I can ping successfully from the switch to the ASA too, but when I try to ping from the switch to the ADSL router (10.0.2.1) it fails. For troubleshooting I made a capture on both interfaces of the ASA and I saw that the ICMP request passes on both interfaces; the ICMP reply passes on the Outside_net2 interface, but the packet doesn't appear on the interface Inside_vlans.
In the xlate table I've seen a PAT line for the switch IP.
Can anyone help me find the solution for this problem?
Thanks in advance
05-28-2010 11:33 AM
Hi,
In order to be able to PING through the ASA from the inside to the outside you need either one of two things:
1. An ACL allowing the echo-reply
2. Include inspection for ICMP
Federico.
05-28-2010 05:33 PM
Your global is "global (Outside_net2) 1 10.0.2.3"
10.0.2.3 is a private IP. It will not be routable on the Internet.
Did you mean to translate to the outside interface IP "global (Outside_net2) 1 interface"?
Also, as Federico mentioned, make sure you have ICMP inspection under the policy map "sh run policy-map".
PK
06-01-2010 08:33 AM
Thanks for the response. I added the inspect icmp without any changes and the solution works.
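Added example, not part of the original thread and not Cisco code: a Python check that reads an ASA running-config and reports which of the two options from the answer is in effect, that is, whether "inspect icmp" sits in a policy-map that is actually applied with service-policy, and whether the inbound ACL on the lowest-security interface permits every ICMP type. The function name audit_icmp and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in the pre-8.3 syntax used in this thread (not a real device).
SAMPLE = """\
interface Ethernet0/1
 nameif Outside_net2
 security-level 0
interface Ethernet0/3
 nameif Inside_vlans
 security-level 100
access-list 100 permit icmp any any
access-list 110 permit icmp any any
access-group 100 in interface Outside_net2
access-group 110 in interface Inside_vlans
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global
"""

def audit_icmp(config):
    """Report how ICMP replies can get back through the firewall."""
    levels, acls, bound, inspected, applied = {}, {}, {}, set(), set()
    nameif = pmap = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            nameif = m[1]
        elif (m := re.match(r"security-level (\d+)", line)) and nameif:
            levels[nameif] = int(m[1])
        elif m := re.match(r"access-list (\S+) (?:extended )?permit icmp (.+)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m[2]] = m[1]
        elif m := re.match(r"policy-map (?!type )(\S+)", line):
            pmap = m[1]
        elif line == "inspect icmp" and pmap:
            inspected.add(pmap)  # option 2: ICMP inspection is configured
        elif m := re.match(r"service-policy (\S+)", line):
            applied.add(m[1])
    lowest = min(levels.values(), default=None)
    return {
        # Inspection only takes effect if its policy-map is applied.
        "inspect_icmp": bool(inspected & applied),
        # Option 1 as "any any" with no ICMP type admits all ICMP, not just echo-reply.
        "broad_icmp": sorted(i for i, a in bound.items() if i in levels
                             and levels[i] == lowest and "any any" in acls.get(a, [])),
        # access-group bound to a name that no interface declares.
        "unknown_ifaces": sorted(i for i in bound if i not in levels),
    }
```

Calling audit_icmp(SAMPLE) reports inspection as absent and flags the ACL on Outside_net2 as permitting all ICMP from the outside.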