04-12-2019 04:03 PM
Hi All,
All devices within both subnets are reachable across both subnets, but each subnet can only reach its own interface gateway; we require the gateways to be reachable across subnets.
For example;
1) subnet-1 can reach subnet-1 gateway but is unable to reach subnet-2 gateway although can reach all devices on subnet-1
2) subnet-2 can reach subnet-2 gateway but is unable to reach subnet-1 gateway although can reach all devices on subnet-2
We have configured the following;
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Many thanks in advance for your kind assistance.
Cheers
Geoff
04-13-2019 03:31 AM
Hi Grant,
That's interesting, because the functionality works perfectly at our other DC with the exact same ASA and firmware.
Another strange behaviour that may give a clue is that if we AnyConnect SSL VPN into this particular ASA, we can ping and connect to every device in all /24 subnets, except their respective interface IPs (gateways)... yet at our other DC's ASA it works perfectly with this functionality also.
Maybe I am not describing the issue correctly and most likely not using the Cisco lingo. Sorry, I am not a network engineer.
Cheers
Geoff
04-13-2019 03:50 AM
Hi Geoff,
That is odd. Are you able to share the config of the other ASA pair that you say works? Are you saying a device hanging off one of the ASA interfaces can ping through the ASA to another interface/GW IP and get a reply?
What code are the firewalls running? I may be misunderstanding what you are asking. Do you have a diagram of what you are looking to achieve?
04-13-2019 04:04 AM
Hello,
Officially, it is not supposed to work by design, and there should be no way to work around that limitation. Since you say it works on the ASA at your other location, can you post the config of that ASA?
04-13-2019 04:13 AM
Hi George,
Maybe my Cisco language is incorrect.
At, say, DC-1, I can AnyConnect into the ASA, I am able to ping 172.16.254.1 (inside interface) and then launch the ASDM application to manage ASA configurations, and I can also SSH into the same IP address... surely this is normal behaviour, and I have been doing so for 3+ years?
How else does one manage ASA from outside, surely not using public outside interface?
Cheers
Geoff
04-13-2019 04:53 AM
This is the only time it is allowed, I believe, if used for management access, and it requires the management-access command for the desired interface.
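As an added illustration of the point above (not configuration from anyone in this thread), this is the shape of an ASA configuration that permits management of a non-ingress interface from a VPN session. The interface name "inside" and the VPN address pool 10.10.10.0/24 are assumed here; substitute your own, and scope the ssh/http lines to the management pool only rather than to any.

```cisco
! Added example, not from the thread. Assumes the interface to be managed is
! named "inside" and the AnyConnect client pool is 10.10.10.0/24 (both assumed).
!
! Allow management-plane traffic (SSH, ASDM/HTTPS) that arrives via another
! interface, such as a VPN terminated on "outside", to be addressed to "inside".
management-access inside
!
! Limit SSH and ASDM access to the VPN client pool on that interface.
ssh 10.10.10.0 255.255.255.0 inside
http server enable
http 10.10.10.0 255.255.255.0 inside
```

The management-access command applies to one interface at a time, so this only covers the interface named; it is a management-plane exception, not general through-the-box reachability for the other interface addresses.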
04-16-2019 07:07 AM
Discussion about management access (SSH, HTTPS) is one thing, and if properly configured works. Ping is different. The original discussion was about needing to ping a remote interface address. And as noted the ASA (in general) does not allow ping.
The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.
The original poster has said that ping to a remote interface does work on another ASA. If that is the case then we need to see the complete configuration of that ASA.
HTH
Rick