Solved: Hello showipospf,Would you be

eigrpy · ‎08-24-2015

Hi It is strange that the PC cannot ping the ASA. The topology is like this ASA(inside)---DeviceA----PC. the ASA can ping PC and DeviceA, but PC cannot ping ASA. When PC ping ASA, we can see message of debug icmp(debug icmp track 255 in the ASA) from the PC. The DeviceA can also ping both ASA and PC. I check the ASA config, which does not any limit to icmp. Anyone can give some suggestion ? Thank you

joseoroz · ‎08-25-2015

Since you didn't see the packet going out from the firewall there are a couple of scenarios that I can think:

1-As Andre said the firewall doesn't have a route to the network and the traffic is been sent to the default gateway.

2.-The firewall has a route to the destination network but is not able to communicate to the next hop. When the firewall doesn't have an entry for the next hop the packet is not sent out of the interface.

Once you have confirmed t hat the packet is sent out to the client if its still not getting to it then you will need to check the SW.

Regards,

Jose Orozco.

View solution in original post

joseoroz · ‎08-24-2015

Hello Showipospf,

The command that controls the ICMP traffic to the box is the ICMP command. That command works in the same fashion as an ACL if you have an allow on the interface that will add an explicit deny at the end. With the show run ICMP you can confirm if the traffic is allowed or at least not denied.

You can also create a capture and confirm if the firewall is sending the reply. The command will be something like this. Capture test interface inside match ICMP host (ASA IP) host (client IP).

You can see the result with the show capture test and remove with the command no cap test.

If you see the reply been sent out then you can get the ASA of the equation.

Kind regards,

Jose Orozco.

eigrpy · ‎08-24-2015

Thank you so much for your reply. I did that based on what you said. The ASA did not send reply to PC, but the ASA can send reply to the DeviceA if the DeviceA ping ASA. Why ASA did not send reply to the PC ?

joseoroz · ‎08-24-2015

Hello showipospf,

Would you be so kind to post the output from the show run ICMP command and the result of the packet tracer. Please also confirm that when you ping the ASA you are pining the local interface because if you ping a remote one the firewall is not going to reply.

Regards,

Jose Orozco.

eigrpy · ‎08-24-2015

Hi Jose

Thanks for your reply. I can do some test and post it tomorrow. The DeviceA is Layer 3 switch(maybe it include other device in ping path, that is why I call it DeviceA). Before I left office, I did a test where i plug PC into another port of the DeviceA. The port has the same vlan with the port which is physically connected with ASA inside interface. then PC can ping ASA inside interface. Now we say the issue is in the DeviceA instead of ASA, do you think so ？

Andre Neethling · ‎08-24-2015

Are they all in the same subnet?

EDIT: they are obviously not since they are in different VLANS........ apologies

Does the ASA have a route to the PC subnet??

eigrpy · ‎08-25-2015

Thank you all for your reply. The DeviceA contains several devices, one of them is layer2 Pola. After we re-configured it, ping is Ok, Thank you again

joseoroz · ‎08-25-2015

Since you didn't see the packet going out from the firewall there are a couple of scenarios that I can think:

1-As Andre said the firewall doesn't have a route to the network and the traffic is been sent to the default gateway.

2.-The firewall has a route to the destination network but is not able to communicate to the next hop. When the firewall doesn't have an entry for the next hop the packet is not sent out of the interface.

Once you have confirmed t hat the packet is sent out to the client if its still not getting to it then you will need to check the SW.

Regards,

Jose Orozco.

Why cannot ping ASA ?