10-15-2014 05:04 AM - edited 03-11-2019 09:55 PM
Hello All,
I built a small GNS lab. All my internal devices are pinging well on the same subnet; however, when I try to reach another subnet via the ASA it gives me an ICMP unreachable message.
As per the attached topology, I am unable to reach the outside interface of the ASA from R1.
Any help would be appreciated.
10-16-2014 04:46 AM
Hi,
The main problems here are these things:
You have configured the subnet 10.10.10.0/30 between the ASA and the ISP R5. This means the subnet contains addresses between 10.10.10.0 - 10.10.10.3. Of these addresses 10.10.10.0 and 10.10.10.3 are not used as they are subnet and broadcast address. IP address 10.10.10.1 is configured on ASA interface and IP address 10.10.10.2 is configured on the ISP R5.
On the ASA you have configured the following Static NAT
static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255
This basically tells the ASA to translate the internal IP address 192.168.2.10 to the external IP address 10.10.10.2. This does not make sense, as IP address 10.10.10.2 is configured on the ISP R5. The IP address is used both on the ASA and on the ISP R5, and this naturally cannot work.
I would therefore suggest that you change the subnet mask on the ASA and ISP R5 to /24 (255.255.255.0), remove the existing Static NAT and replace it with this, for example:
static (inside,outside) 10.10.10.10 192.168.2.10 netmask 255.255.255.255
Then you could try to ping 10.10.10.2 from R1.
- Jouni
10-16-2014 05:11 AM
Excellent, I did the same and it works, thanks for your help.
R1#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/64 ms
========
Now please let me know, if I want R5 to reach R1 (192.168.2.10), what I need to do on the ASA.
Thanks
10-16-2014 05:17 AM
Hi,
Well, there is not much you have to do.
You already have an ACL configured on the ASA that you can use to allow traffic from R5 to R1:
access-list 101 extended permit icmp any host 10.10.10.10 echo
The existing rule that you have for the destination IP address 10.10.10.2 is not needed.
Since you now should have this Static NAT configured:
static (inside,outside) 10.10.10.10 192.168.2.10 netmask 255.255.255.255
It should mean that you can now reach R1 from R5 by pinging the IP address 10.10.10.10 (unless something on R1 blocks the traffic for some reason).
Hope this helps :)
- Jouni
10-16-2014 05:27 AM
Hi,
Did you mean that I should remove "access-list 101 extended permit icmp any host 10.10.10.10 echo" from the ASA?
I did that but it didn't work.
Now I am able to ping 10.10.10.2 from R1; however, I want to reach 192.168.2.10 from R5.
Thanks
10-16-2014 05:30 AM
Hi,
No, you could not have removed it since it was not configured. I meant you should add the ACL line mentioned. I simply meant that the ACL rule that you have there already is not needed as it has the wrong IP address in the rule.
I also mentioned that since you are NATing 192.168.2.10 to 10.10.10.10 towards ISP R5, that means you will have to ping the IP address 10.10.10.10 from ISP R5 if you want to ping R1 (as it is visible to R5 with that NAT IP address).
- Jouni
10-16-2014 05:45 AM
Alright, I understood what you meant.
I added back the ACL command as:
access-list 101 extended permit icmp any host 10.10.10.10 echo
Now when I try to ping 10.10.10.10 from R5 I am being denied:
R5#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
=============
Thanks
10-16-2014 05:47 AM
Hi,
Just to make sure, can you share with us the output of the following commands from the ASA:
show run access-list
show run static
show run access-group
- Jouni
10-16-2014 05:53 AM
Hi,
My apologies, I forgot to apply the access list when I removed it previously.
So when I applied the access-list, the ping worked from R5 to 10.10.10.10:
==
R5#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/33/48 ms
=========================
Thanks for your help, appreciate it.
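The two mistakes worked through above (a static NAT whose mapped address was the ISP router's own address inside the /30, and an access-list that was defined but never applied with access-group) are both visible in the running config before anything is pinged. The Python below is an added example, not code posted in this thread; it parses a constructed ASA config snippet in the same `static (inside,outside)` NAT syntax the thread uses, and assumes the addresses already owned by neighbours on the outside segment (here the ISP R5) are passed in by hand.

```python
import ipaddress
import re

# Constructed sample (not the poster's actual config): the thread's original
# lab with a /30 outside subnet, a static NAT onto the ISP router's own
# address 10.10.10.2, and an ACL that was never applied with access-group.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 10.10.10.1 255.255.255.252
static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255
access-list 101 extended permit icmp any host 10.10.10.10 echo
"""

STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) (\S+) \S+ netmask")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) ")

def interface_addrs(config):
    """Map each nameif to the IPv4Interface configured under it."""
    addrs, name = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            parts = line.split()
            addrs[name] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return addrs

def names(pattern, config):
    """Names captured by pattern (ACL names defined, or ACL names applied)."""
    return {m.group(1) for m in map(pattern.match, config.splitlines()) if m}

def audit(config, neighbours=()):
    """Return problems as strings: a NAT mapped address that is not in the
    egress interface subnet, or that reuses the ASA's own interface address or
    a neighbour's address on that segment, and ACLs never applied."""
    issues = []
    ifaces = interface_addrs(config)
    taken = {ipaddress.IPv4Address(n) for n in neighbours}
    for m in filter(None, map(STATIC_RE.match, config.splitlines())):
        nameif, mapped = m.group(1), ipaddress.IPv4Address(m.group(2))
        iface = ifaces.get(nameif)
        if iface and mapped not in iface.network:
            issues.append(f"NAT {mapped} is outside {nameif} subnet {iface.network}")
        if (iface and mapped == iface.ip) or mapped in taken:
            issues.append(f"NAT {mapped} reuses an address already in use")
    for acl in sorted(names(ACL_RE, config) - names(GROUP_RE, config)):
        issues.append(f"access-list {acl} is defined but not applied")
    return issues
```

Running `audit(BROKEN_CONFIG, neighbours=["10.10.10.2"])` reports both problems; after the /24 mask, the 10.10.10.10 mapping and the access-group line from the thread, it reports none.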
10-27-2014 02:36 AM
Hello Jouni, I need your help again.
As per this topology you said no device behind e0 will ping the outside interface of the ASA.
I just want to know, since the devices behind interface e0 have a security level of 100 and as per the concept they can reach from a higher to a lower security level.
Also we have an ACL allowing them, then why am I not able to ping?
Thanks
10-27-2014 02:49 AM
Hi,
It's a limitation from the manufacturer of the device and its software (Cisco). The limitation is that you cannot ping or connect to an interface from behind another interface. Users behind "inside" can connect to the "inside" interface but not the "outside" interface. Users behind the "outside" interface can connect to the "outside" interface but not the "inside" interface, and so on. There is no configuration to go around this limitation (except in the case of VPN connections).
The "security-level" and "access-list" configurations you mention only affect the traffic/connections through the device to some other remote network. These will not have any effect on being able to ping the "outside" interface from behind "inside" interface.
Hope this helps :)
- Jouni
10-27-2014 03:10 AM
Thanks for the reply.
I configured EIGRP on the inside network and I was able to ping the outside interface of the ASA from the L2 switch and vice versa.
However, I am not able to ping from the L3 switch which is in the middle of the network.
Thanks
10-27-2014 03:47 AM
Hi,
If the L2 switch has a management IP address from some subnet located behind the ASA "inside" interface then this ping should not be possible.
This leads me to believe that the L2 switch might be connected to the network segment on the "outside" interface, but I really can't be sure.
You could check some configurations on the L2 switch, for example:
show ip interface brief
show run | inc default-gateway
- Jouni
10-27-2014 04:24 AM
Hi,
I am sorry, I am trying to ping the inside interface of the ASA, not the outside.
However, I am not able to ping.
I got your point on why we cannot ping the outside interface of the ASA.
Thanks
10-27-2014 04:38 AM
Hi,
Since it's an L2 switch, we still should know that it has an IP address configured in the proper subnet under the proper Vlan interface and also that it has the "ip default-gateway" configured to point to the gateway address of the subnet used in the Vlan interface. Without this configuration it will not be able to reach anything outside its own subnet.
I guess in your case you should have an "interface Vlan2" configured on the L2 switch and it should have some IP address from the subnet 192.168.2.0/24 on it. Then it should have the "ip default-gateway" configuration pointing to the gateway IP address of the subnet 192.168.2.0/24.
- Jouni
10-27-2014 04:59 AM
Hi,
COMSC29C02#sh ip int br
Interface IP-Address OK? Method Status Protocol
Vlan2 192.168.2.3 YES NVRAM up up
"ip default-gateway 192.168.2.1" is also configured.
192.168.2.1 is the IP address of the router.
Moreover, the L2 switch is able to reach the other interface of the router which is connected to the ASA, but not the inside interface (192.168.1.1):
COMSC29C02#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
COMSC29C02#
COMSC29C02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Thanks