2900 Gateway with ASA 5508

mohammad saeed
Level 5

Hi Experts,

In our project we have this scenario:  ISP--------GW ------- ASA ------ Core

I did all the configuration and still can't ping from the GW to the core. Before that I tried connecting my Internet ISP line to the ASA; it worked fine and I had an internet connection, but after I added the GW and changed some configuration, I lost the connection between the GW and the Core.

GW (default route to ISP)

ASA (default route to GW, static route to Core)

Core (default route to ASA)

Is that correct?

Thanks,

Mohammad Saeed

5 Replies

rizwanr74
Level 7

Hi Mohammad,

"I did all configuration and still cant ping from GW to the core,"

On your ASA, you need to enable ping.

policy-map global_policy
 class inspection_default
  inspect icmp

"after I added GW and I changed some configuration, I lost the connection between GW and Core"

You must have changed something on the firewall that severed the connection between GW and Core.

Or you changed the layer 2 definition on the interface connecting the core switch to the firewall.

Let me know if you need any help with it.

Thanks

Rizwan Rafeek

 

Hi Rizwan,

I already added ICMP inspection:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect icmp

What do you mean by changing the layer definition?

And do I need NAT on the gateway router as well? I also did NAT on the ASA!

Thanks,

Mohammad

 

Mohammad

In general if you have done NAT in ASA then you do not also need NAT in router. We do not know enough about your situation to be sure whether you have a special situation that might need NAT or not. But I doubt that NAT on the router is the issue.

Is it possible that NAT on the ASA is causing the issue with ping from the gateway? Is the gateway configured with Public address or with Private address?

When you ping from the gateway to the core does it appear on the ASA that an outside device is initiating traffic to an inside device? Do you have access policies configured on the ASA to permit this?

HTH

Rick

"What do you mean by change layer definition?"

It is the VLAN membership for a given VLAN, i.e. the layer 2 definition.

Also please make sure you do not have this line on your ASA: "icmp deny any outside"

By default the ASA would not allow ping from outside to the inside network, in your case the core switch, which is fine.

Robert Hillcoat
Level 1

Show the configuration please.

When you try to ping from outside to inside via the ASA, you need an explicit rule allowing that. The ASA has security levels assigned to the interfaces that prevent this from happening. Not to mention where you're using NAT!

This may be your problem, but I'm not sure until you send the configuration.
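As an added example, not code from this thread or from Cisco, here is a small Python audit of an ASA running-config text for the three points the replies raise: `inspect icmp` under `policy-map global_policy`, the `icmp deny any outside` line, and an ACL bound inbound on the outside interface that permits ICMP. The sample config and the ACL name `OUTSIDE_IN` are constructed assumptions, not the poster's configuration.

```python
import re

# Constructed ASA running-config excerpt for the audit; the ACL name and the
# access-group binding are assumptions, not the poster's configuration.
SAMPLE_CONFIG = """\
icmp deny any outside
access-list OUTSIDE_IN extended permit icmp any any echo
access-group OUTSIDE_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
"""
ACCESS_GROUP = re.compile(r"access-group\s+(\S+)\s+in\s+interface\s+outside$")
ACL_PERMIT_ICMP = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+icmp\b")


def audit_icmp_path(config: str) -> dict:
    """Check the three config points raised in the thread for a ping that
    enters on the outside interface and must reach the inside (core) network."""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    findings = {"inspect_icmp": False, "icmp_to_asa_denied_on_outside": False,
                "outside_acl_permits_icmp": False}
    # 1. 'inspect icmp' counts only under policy-map global_policy; track the
    #    unindented parent command that owns each indented line.
    in_global_policy = False
    for ln in lines:
        if not ln.startswith(" "):
            in_global_policy = ln == "policy-map global_policy"
        elif in_global_policy and ln.strip() == "inspect icmp":
            findings["inspect_icmp"] = True
    # 2. 'icmp deny any outside' rejects ICMP addressed to the ASA's own outside
    #    interface (to-the-box traffic), so a ping aimed at the ASA itself fails.
    findings["icmp_to_asa_denied_on_outside"] = any(
        ln.strip() == "icmp deny any outside" for ln in lines)
    # 3. Lower-to-higher security traffic needs an ACL that permits icmp AND is
    #    bound inbound on outside; an ACL that is defined but unbound does nothing.
    bound = {m.group(1) for ln in lines if (m := ACCESS_GROUP.fullmatch(ln.strip()))}
    permits = {m.group(1) for ln in lines if (m := ACL_PERMIT_ICMP.match(ln.strip()))}
    findings["outside_acl_permits_icmp"] = bool(bound & permits)
    return findings


def missing_pieces(config: str) -> list:
    """What still blocks an outside-to-inside ping through the ASA."""
    f = audit_icmp_path(config)
    gaps = []
    if not f["inspect_icmp"]:
        gaps.append("no 'inspect icmp' under policy-map global_policy")
    if not f["outside_acl_permits_icmp"]:
        gaps.append("no icmp-permitting ACL bound inbound on interface outside")
    return gaps
```

Feed it the output of `show running-config` saved to a file; a non-empty `missing_pieces` result points at which of the thread's suggestions still applies.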