12-27-2016 08:52 AM - edited 03-08-2019 08:43 AM
Hi all,
Say I have 2 networks created on an ASA (where ASA is the gateway for each one):
Computers on NetA (10.7.5.200) can ping computers on NetB (10.7.7.2, etc) just fine
Computers on NetA (10.7.5.200) can ping Gateway for NetA (10.7.5.1) just fine
Computers on NetA (10.7.5.200) CANNOT ping Gateway for NetB (10.7.7.1) however
What am I missing here? In my logs I see:
Built inbound ICMP connection for faddr 10.7.5.200/19606 gaddr 10.7.7.1/0 laddr 10.7.7.1/0
Teardown ICMP connection for faddr 10.7.5.200/19606 gaddr 10.7.7.1/0 ladd
I'm guessing there is a setting in ASDM somewhere to allow ICMP replies across networks, but I cannot seem to find it.
Any assistance is GREATLY appreciated!
12-27-2016 10:38 AM
You are not missing anything here. That is normal behavior for the ASA. You can only ping the ASA-interface that is nearest to you, but not any other interface of the ASA.
12-27-2016 11:47 AM
Interesting, is there a reason why by chance?
I'm mainly wondering because I'm trying to monitor my ASA over a site-to-site VPN tunnel, and the monitoring platform tries to ping the IP I give it, and I don't know what IP to give it because I have no idea which interface is "nearest" in the scenario of a remote network -- I'm assuming none of them.
12-27-2016 11:58 AM
I can't tell you a reason for this, but for VPNs, there is a special handling. A remote interface can be reached through a tunnel if that interface is defined as management-interface:
asa(config)# management-access inside
12-28-2016 04:34 AM
Thank you, that's what I was missing. I have numerous "inside" interfaces, so I just set the management-access on the interface I was trying to hit with SNMP and everything started working over IPSEC.
12-27-2016 12:33 PM
Have you configured ICMP Inspect to allow ping to reach the ASA?