Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4748
Views
0
Helpful
19
Replies

Unable to ping loopback IP of switch From PC connected to ASA Inside interface

Go to solution
mahesh18
Level 6
Level 6

‎05-25-2014 05:53 PM - edited ‎03-11-2019 09:14 PM

 

Hi Everyone,

Here is setup

Switch -------------------------ASA1----Active

                                         ASA1----Standby

 

ASA is config as Active/Standby

ASA has dhcp config that provides PC with IP 10.0.0.11

 

From Switch i can ping my PC

1#ping 10.0.0.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/9 ms

 

Switch info
1#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.0.0.4        YES NVRAM  up                    up
FastEthernet1/0/1      unassigned      YES unset  up                    up
FastEthernet1/0/2      unassigned      YES unset  up                    up
FastEthernet1/0/3      unassigned      YES unset  down                  down
FastEthernet1/0/4      unassigned      YES unset  down                  down
FastEthernet1/0/5      unassigned      YES unset  down                  down
FastEthernet1/0/6      unassigned      YES unset  down                  down
FastEthernet1/0/7      unassigned      YES unset  down                  down
FastEthernet1/0/8      unassigned      YES unset  down                  down
FastEthernet1/0/9      unassigned      YES unset  down                  down
FastEthernet1/0/10     unassigned      YES unset  down                  down
FastEthernet1/0/11     unassigned      YES unset  down                  down
FastEthernet1/0/12     unassigned      YES unset  down                  down
FastEthernet1/0/13     unassigned      YES unset  down                  down
FastEthernet1/0/14     unassigned      YES unset  down                  down
FastEthernet1/0/15     unassigned      YES unset  down                  down
FastEthernet1/0/16     unassigned      YES unset  down                  down
FastEthernet1/0/17     unassigned      YES unset  down                  down
FastEthernet1/0/18     unassigned      YES unset  down                  down
FastEthernet1/0/19     unassigned      YES unset  down                  down
FastEthernet1/0/20     unassigned      YES unset  down                  down
FastEthernet1/0/21     unassigned      YES unset  down                  down
FastEthernet1/0/22     unassigned      YES unset  down                  down
FastEthernet1/0/23     unassigned      YES unset  down                  down
FastEthernet1/0/24     unassigned      YES unset  down                  down
GigabitEthernet1/0/1   unassigned      YES unset  administratively down down
GigabitEthernet1/0/2   unassigned      YES unset  administratively down down
Loopback0              10.1.0.1        YES NVRAM  up                    up
Loopback1              10.1.1.1        YES NVRAM  up                    up
Loopback2              10.1.2.1        YES NVRAM  up                    up
Loopback3              10.1.3.1        YES NVRAM  up                    up
Loopback4              10.1.4.1        YES NVRAM  up                    up
Loopback5              10.1.5.1        YES NVRAM  up                    up
Loopback6              10.1.6.1        YES NVRAM  up                    up
Loopback7              192.168.50.1    YES NVRAM  up                    up
Loopback8              unassigned      YES NVRAM  up                    up
R1#

 

ASA has Vlan 1 as inside interface with IP 10.0.0.1 and has direct connection to switch on vlan 1.

From ASA i can ping the 10.1.0.1

ASA1#                             ping 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

 

From  PC i can not ping IP 10.1.0.1

Logs from ASA

May 25 2014 18:40:33: %ASA-6-302020: Built outbound ICMP connection for faddr 10.1.0.1/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1

May 25 2014 18:40:35: %ASA-6-302021: Teardown ICMP connection for faddr 10.1.0.1/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1

ASA  info

ASA1# sh int
ASA1# sh interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  up                    up
Ethernet0/5                unassigned      YES unset  up                    up
Ethernet0/6                unassigned      YES unset  administratively down down
Ethernet0/7                unassigned      YES unset  administratively down down
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      10.0.0.1        YES CONFIG up                    up
Vlan2                      96.x.x.x.   YES manual up                    up
Vlan3                      10.12.12.1      YES CONFIG up                    up
Vlan30                     10.30.30.1      YES unset  up                    up
Virtual0                   127.1.0.1       YES unset  up                    up

 

Need to know why this ping is not working is this due to NAT also why ASA is looking for loopback IP of switch in outside direction?

 

Regards

MAhesh

Labels:
0 Helpful
19 Replies 19

Go to solution
Marius Gunnerud
VIP
VIP
In response to mahesh18

‎05-28-2014 07:40 AM

The reason patricks suggestion worked is because the switch is also doing routing. So in this case the ping never goes through the firewall but instead directly between the pc and switch. -- Please remember to select a correct answer and rate
--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marius Gunnerud

‎05-28-2014 08:03 AM

 

Hi Everyone,

 

Thanks to everyone for replying on this post.

Best Regards

MAhesh

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to mahesh18

‎05-28-2014 12:45 AM

OK, I just set this up in GNS3 and got it to work...however I was using a router instead of a PC to ping from.

But I assume that since you can ping your PC from the switch the PC's local firewall isn't blocking ICMP packets.

Have you done a debug on the ICMP packets on the switch to see if there might be something there that is blocking it?

Do you perhaps have an ACL on the ASA inside interface...or on the switch for that matter...that could be blocking the ICMP traffic?

but to answer your questions:

So ASA is sending packet in outside direction instead of inside right?

No, the packet goes from the PC to the ASA, from the ASA to the switch, then from the switch directly back to the PC.

--

Please remember to select a correct answer and rate

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marius Gunnerud

‎05-28-2014 07:00 AM

 

Hi MAricus,

I enabled debug ip icmp on switch and did the ping.

No output was seen on switch.

There is no ACL on switch.

 

Regards

Mahesh

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to mahesh18

‎05-28-2014 07:04 AM

Hi

Is there an ACL on the ASA inside interface that?

could you please provide the ASA and switch configs (sanitised)?

--

Please remember to select a correct answer and rate
 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card