Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
419
Views
0
Helpful
2
Replies

Pings stop at ASA, but not from ASA

rothchapin
Level 1
Level 1

‎04-04-2006 08:26 AM - edited ‎02-21-2020 12:49 AM

Topology:

LAN--Switch--ASA--PIX--Server

Situation:

I am trying to connect users on a LAN to a server. I can successfully ping the server from the ASA. When I try to ping the server from the switch it times out with ".....". The LAN, switch, and ASA are on one subnet, the PIX and server are on another.

The interesting thing is, when looking at the ASA log, it shows the ping from the switch being matched by the ACL (ICMP any/any) and a local host and ICMP connection being created. The switch and server are permitted in the ASA and PIX access-list.

Is there a special configuration command I should use on the ASA or one to look out for that may be stopping the ping?

0 Helpful
2 Replies 2

oabduo983
Level 1
Level 1

‎04-04-2006 09:09 AM

If I understand correctly, you have the ASA in transparent mode! and you are pinging from the management IP you have configured on the ASA... Do you have an IP on the switch? and do you have a route statment on the switch with gateway being the PIX (the ASA in this case will not do any routing)? does the ASA block any replies back to the switch? you can turn on the debug command for further troubleshoot. The command is (debug icmp trace)

Regards,

0 Helpful

Patrick Iseli
Level 7
Level 7
In response to oabduo983

‎04-04-2006 09:12 AM

PIX 7.x commands:

inspect icmp

inspect icmp error

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/trouble.htm#wp1059758

Pinging Through the Security Appliance

After you successfully ping the security appliance interfaces, you should make sure traffic can pass successfully through the security appliance. For routed mode, this test shows that NAT is working correctly, if configured. For transparent mode, which does not use NAT, this test confirms that the security appliance is operating correctly; if the ping fails in transparent mode, contact Cisco TAC.

To ping between hosts on different interfaces, perform the following steps:

Step 1 To add an access list allowing ICMP from any source host, enter the following command:

hostname(config)# access-list ICMPACL extended permit icmp any any

By default, when hosts access a lower security interface, all traffic is allowed through. However, to access a higher security interface, you need the preceding access list.

Step 2 To assign the access list to each source interface, enter the following command:

hostname(config)# access-group ICMPACL in interface interface_name

Repeat this command for each source interface.

Step 3 To enable the ICMP inspection engine, so ICMP responses are allowed back to the source host, enter the following commands:

hostname(config)# class-map ICMP-CLASS

hostname(config-cmap)# match access-list ICMPACL

hostname(config-cmap)# policy-map ICMP-POLICY

hostname(config-pmap)# class ICMP-CLASS

hostname(config-pmap-c)# inspect icmp

hostname(config-pmap-c)# service-map ICMP-POLICY global

sincerely

Patrick

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card