ASA 5585-x - Unreachable gateway between interfaces

geoff
Level 1

Hi All,

All devices within both subnets are reachable across both subnets, but each subnet can only reach its own interface gateway; we need the gateways to be reachable across subnets.

For example:

1) subnet-1 can reach the subnet-1 gateway but is unable to reach the subnet-2 gateway, although it can reach all devices on subnet-1

2) subnet-2 can reach the subnet-2 gateway but is unable to reach the subnet-1 gateway, although it can reach all devices on subnet-2

We have configured the following:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

 

Many thanks in advance for your kind assistance.

 

Cheers

Geoff

20 Replies

Hi Grant,

 

That's interesting, because the functionality works perfectly at our other DC with the exact same ASA and firmware.

Another strange behaviour that may give a clue: if we AnyConnect SSL VPN into this particular ASA we can ping and connect to every device in all /24 subnets, except their respective interface IPs (gateways)... yet at our other DC's ASA this also works perfectly.

Maybe I am not describing the issue correctly, and most likely I am not using the Cisco lingo. Sorry, I am not a network engineer.

 

Cheers

Geoff

 

Hi Geoff, 

That is odd. Are you able to share the config of the other ASA pair that you say works? Are you saying a device hanging off one of the ASA interfaces can ping through the ASA to another interface/GW IP and get a reply?

What code are the firewalls running? I may be misunderstanding what you are asking. Do you have a diagram of what you are looking to achieve?

Hello,

Officially it is not supposed to work by design, and there should be no way to work around that limitation. Since you say it works on the ASA at your other location, can you post the config of that ASA?

Hi George,

 

Maybe my Cisco language is incorrect.

At, say, DC-1, I can AnyConnect into the ASA, I am able to ping 172.16.254.1 (inside interface) and then launch the ASDM application to manage ASA configurations, and I can also SSH into the same IP address... surely this is normal behaviour, and I have been doing so for 3+ years?

How else does one manage the ASA from outside, surely not using the public outside interface?

 

Cheers

Geoff

This is the only time it is allowed, I believe, if used for management access, and it requires the management-access command for the desired interface.

Discussion about management access (SSH, HTTPS) is one thing, and if properly configured works. Ping is different. The original discussion was about needing to ping a remote interface address. And as noted the ASA (in general) does not allow ping.

The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.

 

The original poster has said that ping to a remote interface does work on another ASA. If that is the case then we need to see the complete configuration of that ASA.

 

HTH

 

Rick

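To make the distinction in the replies above concrete (hosts reaching each other across equal-security interfaces versus the ASA answering traffic addressed to a far interface, and management access over VPN), here is an added ASA configuration sketch. It is not taken from the thread or from Geoff's ASAs: interface names, the 172.16.253.1 address, the subnet masks and the 10.10.10.0/24 VPN pool are assumed; only 172.16.254.1 and the two same-security-traffic lines come from the posts.

```cisco
! Added example, not from the thread. Two equal-security inside interfaces.
! Interface names, masks, 172.16.253.1 and the 10.10.10.0/24 VPN pool are assumed.
interface GigabitEthernet0/1
 nameif subnet-1
 security-level 100
 ip address 172.16.254.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif subnet-2
 security-level 100
 ip address 172.16.253.1 255.255.255.0
!
! Lets hosts on subnet-1 reach hosts on subnet-2 and back. This is what the
! original poster already has; it does NOT make the ASA answer a ping sent
! to the far interface's own address (a host on subnet-1 pinging 172.16.253.1).
same-security-traffic permit inter-interface
!
! Needed so AnyConnect clients, which enter and leave on the same outside
! interface, can be hairpinned to the inside networks.
same-security-traffic permit intra-interface
!
! Control which sources may ping each interface address from its own segment.
! Without an icmp rule the ASA answers any source; restricting it is the
! defensive default for a gateway address.
icmp permit 172.16.254.0 255.255.255.0 subnet-1
icmp permit 172.16.253.0 255.255.255.0 subnet-2
!
! Management access: the one case where traffic arriving on another interface
! (here the VPN terminating on outside) may reach an interface address.
! Only one interface can be named here.
management-access subnet-1
ssh 10.10.10.0 255.255.255.0 subnet-1
http server enable
http 10.10.10.0 255.255.255.0 subnet-1
```

With this in place the expected results match Rick's description: a host on subnet-1 gets a reply from 172.16.254.1 but not from 172.16.253.1, a host on subnet-2 sees the mirror image, and a VPN client in 10.10.10.0/24 can ping, SSH and open ASDM to 172.16.254.1 only because of the management-access line. For monitoring, treat an unanswered ping to the far gateway as expected behaviour rather than an outage, and probe each gateway address from a host on its own segment.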