Re: can not ping IP configured on ASA outside Interface from switch

kkp1 · ‎10-05-2017

Hi Experts,

I have ons ASA 5520 & Two 3750 switch,i can not ping ASA outside interfcae IP from internal Switch.

PFA Topology & Config.

kkp1 · ‎10-05-2017

Internal sw config

interface GigabitEthernet1/0/3
description connect to ASA gi 0/1
no switchport
ip address 192.168.1.2 255.255.255.0

ip default-gateway 192.168.1.1
ip classless
ip route 10.78.171.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1

kkp1 · ‎10-05-2017

ASA Config-

route outside 0.0.0.0 0.0.0.0 192.168.3.2 1
route inside 60.60.60.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 60.60.60.20 255.255.255.255 inside

Karsten Iwen · ‎10-05-2017

This is normal behavior on the ASA. You can only ping (or directly access with SSH, ASDM) the interface that is nearest to the client. In your case, that is the inside interface.

kkp1 · ‎10-05-2017

Thanks Karsten for your reply,

But i can ping ASA inside interface ip from switch which is directly connected to swithc but can not ping outside intercae IP from swithc.

AS i checked with capture commnad request is going to ASAP but there is no reply from ASA.

I am using 8.0.4 Version.

Thanks

Karsten Iwen · ‎10-06-2017

Yes, that is expected behavior. From the inside switch, the inside interface is the next ASA interface. That one is reachable. The outside interface is not the interface direct to you. And that is not reachable.

kkp1 · ‎10-06-2017

ok,

I tried to ping external switch IP 192.168.3.2 from internal switch 192.168.1.2 this is also not reacable.

I captured some packets from ASA there is no reply -

95: 14:16:01.490636 1833.9da7.f6c3 0024.14d3.8fef 0x0800 114: 192.168.1.2 > 192.168.3.2: icmp: echo request (ttl 255, id 840)
96: 14:16:03.494679 1833.9da7.f6c3 0024.14d3.8fef 0x0800 114: 192.168.1.2 > 192.168.3.2: icmp: echo request (ttl 255, id 841)
97: 14:16:05.505207 1833.9da7.f6c3 0024.14d3.8fef 0x0800 114: 192.168.1.2 > 192.168.3.2: icmp: echo request (ttl 255, id 842)
98: 14:16:07.511371 1833.9da7.f6c3 0024.14d3.8fef 0x0800 114: 192.168.1.2 > 192.168.3.2: icmp: echo request (ttl 255, id 843)
99: 14:16:09.509388 1833.9da7.f6c3 0024.14d3.8fef 0x0800 114: 192.168.1.2 > 192.168.3.2: icmp: echo request (ttl 255, id 844)
100: 14:16:19.924711 1833.9da7.f6c3 0024.14d3.8fef 0x0800 114: 192.168.1.2 > 10.78.171.1: icmp: echo request (ttl 255, id 845)
101: 14:16:21.924680 1833.9da7.f6c3 0024.14d3.8fef 0x0800 114: 192.168.1.2 > 10.78.171.1: icmp: echo request (ttl 255, id 846)
102: 14:16:23.930219 1833.9da7.f6c3 0024.14d3.8fef 0x0800 114: 192.168.1.2 > 10.78.171.1: icmp: echo request (ttl 255, id 847)
103: 14:16:25.934476 1833.9da7.f6c3 0024.14d3.8fef 0x0800 114: 192.168.1.2 > 10.78.171.1: icmp: echo request (ttl 255, id 848)
104: 14:16:27.939862 1833.9da7.f6c3 0024.14d3.8fef 0x0800 114: 192.168.1.2 > 10.78.171.1: icmp: echo request (ttl 255, id 849)

Karsten Iwen · ‎10-06-2017

ok, that's a different problem:

Does the outside switch have a route back to the inside network?
Have you enabled icmp-inspection ("fixup protocol icmp")?

kkp1 · ‎10-06-2017

Thanks Karsten,

yes external swithc has routre to internal switch -

ip route 60.60.60.0 255.255.255.0 192.168.3.1
ip route 192.168.1.0 255.255.255.0 192.168.3.1

from internal swithc i can ping only ASA directed Connected IP only.

How to check icmp-inspection ("fixup protocol icmp")?

Karsten Iwen · ‎10-06-2017

With „fixup protocol icmp“ you can enable the icmp-inspection if not yet enabled.

kkp1 · ‎10-07-2017

yes fix-up fix it.

One more help,how to enable NAT in my topology.