Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6498
Views
0
Helpful
16
Replies

Should an inside host be able to ping the ASA DMZ interface IP?

Go to solution
Joseph Da Rosa
Level 1
Level 1

‎01-15-2013 05:33 PM - edited ‎03-11-2019 05:47 PM

Simple question (I hope): I've got an ASA with an IP address of 10.1.1.1 on its inside interface and an IP address of 10.6.6.6 on its DMZ interface.  I have an inside host, 10.1.1.2, which is able to ping the ASA's inside IP of 10.1.1.1.  Should this host also be able to ping the ASA's DMZ IP of 10.6.6.6?

What I'm seeing is that it can't.  When I ping the ASA DMZ IP of 10.6.6.6 from the host at 10.1.1.2, I get an error like the following on the ASA:

   %ASA-6-110002: Failed to locate egress interface for ICMP from inside:10.1.1.2/63320 to 10.6.6.6/0

So the ASA says it can't find the egress interface for 10.6.6.6--even though 10.6.6.6 is its own interface IP address.  And this happens when I try to ping *any* of the ASA's other interface IPs from 10.1.1.2.  The only interface IP I can ping from an inside host is the inside IP address (10.1.1.1).  By the way, the host at 10.1.1.2 *can* ping any other hosts on the DMZ network (e.g. 10.6.6.7, 10.6.6.8, and so on)...it's just the ASA interface IP of 10.6.6.6 that it can't ping.

I'm guessing this is just a limitation of the ASA (I seem to remember the same limitation on the PIX as well); pinging the "other side" of interfaces works on routers, but doesn't seem to work on ASAs.  If anyone can verify that one way or another I'd appreciate it.

Labels:
0 Helpful
16 Replies 16

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to david.tran

‎01-16-2013 04:41 PM

CSC:

Cisco Support Community

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Joseph Da Rosa
Level 1
Level 1
In response to david.tran

‎01-16-2013 06:21 PM 

Here is something that Cisco ASA can do but Checkpoint can not:
in  the static NAT, or PAT, you can specify embryonic connection for each  NAT in ASA but you can not do that with Checkpoint (I've not used  Checkpoint Gaia yet so I don't know.  It may be there but not in NGx  R71.30).

It's not that simple any more, unfortunately.  You used to be able to apply a different embryonic limit easily to each static, but now you've got to do it all via MPF--so you have to come up with some way to ensure that the MPF policy maps the desired embryonic limits correctly to each of the different static mappings for which you'd have previously wanted to control embryonic connections, that it doesn't over-apply to any others, that the policy works in combination with the global policy rather than overriding it, etc.  In fact I'm currently migrating an old PIX to a brand new ASA and that's exactly the hassle I'm dealing with right now.

But it is at least true that you *can* still specify the embryonic connection limit on an ASA, even though it's so much more complex than it used to be.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card