04-04-2006 08:26 AM - edited 02-21-2020 12:49 AM
Topology:
LAN--Switch--ASA--PIX--Server
Situation:
I am trying to connect users on a LAN to a server. I can successfully ping the server from the ASA. When I try to ping the server from the switch it times out with ".....". The LAN, switch, and ASA are on one subnet, the PIX and server are on another.
The interesting thing is, when looking at the ASA log, it shows the ping from the switch being matched by the ACL (ICMP any/any) and a local host and ICMP connection being created. The switch and server are permitted in the ASA and PIX access-list.
Is there a special configuration command I should use on the ASA or one to look out for that may be stopping the ping?
04-04-2006 09:09 AM
If I understand correctly, you have the ASA in transparent mode! and you are pinging from the management IP you have configured on the ASA... Do you have an IP on the switch? and do you have a route statment on the switch with gateway being the PIX (the ASA in this case will not do any routing)? does the ASA block any replies back to the switch? you can turn on the debug command for further troubleshoot. The command is (debug icmp trace)
Regards,
04-04-2006 09:12 AM
PIX 7.x commands:
inspect icmp
inspect icmp error
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/trouble.htm#wp1059758
Pinging Through the Security Appliance
After you successfully ping the security appliance interfaces, you should make sure traffic can pass successfully through the security appliance. For routed mode, this test shows that NAT is working correctly, if configured. For transparent mode, which does not use NAT, this test confirms that the security appliance is operating correctly; if the ping fails in transparent mode, contact Cisco TAC.
To ping between hosts on different interfaces, perform the following steps:
Step 1 To add an access list allowing ICMP from any source host, enter the following command:
hostname(config)# access-list ICMPACL extended permit icmp any any
By default, when hosts access a lower security interface, all traffic is allowed through. However, to access a higher security interface, you need the preceding access list.
Step 2 To assign the access list to each source interface, enter the following command:
hostname(config)# access-group ICMPACL in interface interface_name
Repeat this command for each source interface.
Step 3 To enable the ICMP inspection engine, so ICMP responses are allowed back to the source host, enter the following commands:
hostname(config)# class-map ICMP-CLASS
hostname(config-cmap)# match access-list ICMPACL
hostname(config-cmap)# policy-map ICMP-POLICY
hostname(config-pmap)# class ICMP-CLASS
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# service-map ICMP-POLICY global
sincerely
Patrick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide