Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1161
Views
5
Helpful
5
Replies

Routing in ASA

Asfandyar70754
Level 1
Level 1

‎08-29-2022 06:16 AM

Hey guys,

So I am a bit new on ASA and was doing a basic lab, topology attached. I have vlan 10 & 20 in my inside network. 

Following are the routes that I have configured on ASA, CoreSW & ISP-RTR

Core SW route:  ip route 0.0.0.0 0.0.0.0 30.0.0.2

ASA routes: 

route outside 0.0.0.0 0.0.0.0 40.0.0.2 1

route inside 10.0.0.0 255.0.0.0 30.0.0.1 1

route inside 20.0.0.0 255.0.0.0 30.0.0.1 1

 

ISP-RTR route: 

ip route 0.0.0.0 0.0.0.0 40.0.0.1

Now I am not able to ping from my internal network to ISP-RTR's IP or it Loopback IP.

What am I missing in m config?

 

 

Labels:
Preview file
22 KB
0 Helpful
5 Replies 5

MHM Cisco World
VIP
VIP

‎08-29-2022 06:26 AM - edited ‎08-29-2022 06:26 AM

You need ICMP inspection 

https://www.speaknetworks.com/enable-icmp-inspection-to-allow-ping-traffic-passing-asa/

 

Asfandyar70754
Level 1
Level 1
In response to MHM Cisco World

‎08-29-2022 11:04 PM

Thank you for your response.

I also need to know incase there are 2 ISPs then can I use default routes for both ISPs.

route outside 0.0.0.0 0.0.0.0 50.0.0.2 2(Making it a backup route using administrative distance 2)

0 Helpful

Rob Ingram
VIP
VIP
In response to Asfandyar70754

‎08-30-2022 12:18 AM

@Asfandyar70754 if you want to use both ISP circuits, then you can use IP SLA to track the primary ISP and failover to the secondary if required - example here. Or use Policy Based Routing (PBR) - example here.

0 Helpful

paul driver
VIP
VIP

‎08-30-2022 12:19 AM - edited ‎08-30-2022 12:20 AM

Hello
By default traffic from an asa outside interface (lower security level) isn’t allowed into the fw ( as such icmp reply’s will denied)
You could allow this two ways: 

Access-list
access-list x extended permit icmp any any echo-reply 
access-group x in interface outside

Service-policy inspection
policy-map global-policy
class insection_default
inspect icmp
inspect icmp-error < hides internal addresing via traceroute
exit

Lastly:
allow traffic between interfaces--- intervlan routing
same-security-traffic permit inter-interface 

Allow traffic in/out same interface
same-security-traffic permit intra-interface 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Khaled Douma
Level 1
Level 1

‎08-30-2022 01:29 AM

Use "fixup protocol icmp" to start to inspect ICMP protocol

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card