I'm attempting to use an ASA to route two VLANs to an outside interface that uses NAT/Port Forwarding on the outside IP to access several servers within one of the aforementioned VLANs. The following diagram shows the topology.
The router is only here for testing purposes. On deployment, I'll simply have a gateway IP. I realise it adds some complexity, but the router is already configured for the test and works.
The ASA is where I'm stumped at. From the gi1/1 interface, I can ping the router on the gi0/0 interface. However, if I attempt to ping either of the sub-interfaces, or the server below the firewall, I can't access it. The ASA logs are showing that the ICMP packets are coming in, but it's as if they disappear afterward. I ultimately need other traffic other than ICMP to flow, but for now I can't manage to get this through.
It's unclear if the problem is with NAT, ACLs or I'm just doing something stupid that I shouldn't be doing. Here's a portion of the config on the ASA:
int gi1/1 nameif outside security-level 0 ip address 10.170.2.89 255.255.255.0 standby 10.170.2.90 int gi1/2.400 vlan 400 nameif goofy_400 security-level 100 ip address 172.16.101.3 255.255.255.0 standby 172.16.101.4 int gi1/2.401 vlan 401 nameif goofy_401 security-level 100 ip address 172.16.102.3 255.255.255.0 standby 172.16.102.4 object network servers_subnet subnet 172.16.102.0 255.255.255.0 nat (goofy_401,outside) dynamic interface object network netmgmt_subnet subnet 172.16.101.0 255.255.255.0 nat (goofy_400,outside) dynamic interface access-list to-server extended permit icmp any any access-list to-server extended deny ip any any access-group to-server in interface goofy_400 access-group to-server in interface goofy_401 nat (goofy_400,outside) after-auto source dynamic any interface nat (goofy_401,outside) after-auto source dynamic any interface
Any advice here would be greatly appreciated.
Let's take the issues one at a time.
When you have laptop hanging off R1, I'm assuming you can hit the R1 interface / GW and that the path up to the ASA outside interface is OK from perspective of the laptop.
On the firewall itself, to be able to ping through it you need to first ensure you are inspecting icmp. Do you have the following configured on the ASA? If not, add the inspect icmp command under global policy, like below.
policy-map global_policy class inspection_default inspect icmp
If you now send icmp traffic from laptop to server, the ASA will keep track of that traffic traffic. That should be the path from laptop to server sorted, however now focus on the return path from server. The return traffic will hit the ASA but looks like it is going to get NAT'd to the ASA Outside interface before being sent out. Is this what you want? For testing you may want to remove those NATs and then maybe look at adding a static NAT for the server once you prove connectivity.
As for not being able to ping the sub interfaces. If you were trying to do this whilst coming in from the Outside then this is not possible by design. You cannot ping another ASA interface IP whilst coming in via a different interface.