can't ping switch internal interface from asa

craig.huggins
Level 1

See attached for a diagram of the layout of the network. My problem is I require remote access to all of the equipment, which I have managed to achieve apart from the L2-SW1 device. Below is what I have found out from troubleshooting:

The gateway of both L2 switches is the same

You can ping the firewall, L3 and L2-SW2 from L2-SW1

You can ping the L2-SW1 from the L3 switches

You can’t ping the L2-SW1 from the firewall

The config on both L2 switches is the same apart from the below, which is in the config for the switch I can't connect to via its public IP address:

Extended IP access list 122
    10 permit ip 192.168.122.0 0.0.0.255 any

class-map match-all class122
 match access-group 122
!
!
policy-map RATE-LIMIT
 class class122
  police 20000000 800000 exceed-action drop

I have an access rule to allow my public IP address to connect, and I can connect to the other L2 switch and the L3 switch via SSH and ping both public addresses, just not this last one.

2 Replies

Hello,

If the configs of SW_1 and SW_2 are identical except for the access list, just in case the traffic load is really high, you could add:

ip access-list extended 122
 20 permit icmp any any

That said, does your policy map have a default class defined?

policy-map RATE-LIMIT
 class class122
  police 20000000 800000 exceed-action drop
 class class-default

Hello

You can ping the firewall, L3 and L2-SW2 from L2-SW1

You can’t ping the L2-SW1 from the firewall;

 

Got to be an ACL restriction negating this. Can you post the ACLs for the FW and L2-SW1?

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul