06-20-2015 03:46 AM - edited 03-08-2019 12:38 AM
Dear Team,
Currently I cannot ping from source 172.16.5.10 to destination 10.1.0.100. After I checked the logs, I found that the traffic can pass to the destination 10.1.0.100, but the reply goes back out the wrong outgoing port (the incoming interface is Outside, but the reply goes back using interface Management 0/0). And the ICMP traffic is dropped in the outgoing direction (from Interface-Inside to Interface-Management). I want incoming and outgoing traffic on the ASA to use the one interface (Outside). Please advise me on the solution. I have attached the network flow diagram in the attached picture. I appreciate your advice!
06-20-2015 10:36 AM
Hi,
I am not sure how you have configured it, but I think you can create a static route on the ASA to use the interface you want the traffic to take.
Thanks
06-21-2015 10:20 PM
Hi Rakeshvelagala,
The default route is configured to the Outside interface, but only ICMP traffic replies from the Inside interface to the management interface, and it blocks ICMP traffic going out by the management interface.
Note: this issue happens only with the ICMP protocol. TCP/UDP replies go to the correct interface (outside).
Please advise with more ideas.
06-21-2015 03:20 AM
You need to enable ICMP inspection on the ASA to make that work.
Sooner or later however your setup will fail due to routing issues. Having the same subnet on the inside and on OOB-MGMT-port is going to create problems.
06-21-2015 10:28 PM
Hi Pille,
On which interface should I apply ICMP inspection, since on all interfaces I have already applied an ACL for echo-reply?
But the problem is that the ASA Management interface has the same subnet as the source IP address, so the echo-reply message will look for the connected interface that has the same subnet as the source IP address.
So how do I add a route or ICMP inspection on the current network diagram that I provided?
06-21-2015 10:33 PM
Hi,
As already mentioned, by enabling the icmp inspection the ASA should create a connection entry in its state table where it would know the source and the destination interfaces, so when the traffic comes back it would be sent out the originating interfaces based on the connection state entry.
Regards,
Aref
06-21-2015 10:33 PM
Hi Aref Alsouqi,
So how do I fix this issue so that my MGMT PC can ping hosts located on the Inside interface of the ASA?
Note: this issue happens only with the ICMP protocol. TCP/UDP replies go to the correct interface (outside). Please advise with more ideas, sir!
06-21-2015 10:43 PM
Please try to apply the following:
policy-map global_policy
 class inspection_default
  inspect icmp
By doing so you enabled the inspection for icmp traffic.
Regards,
Aref
06-21-2015 11:31 PM
Hi Aref Alsouqi,
Thanks so much. It works now!
Regards,
Sophorn
06-21-2015 11:46 PM
You are most welcome.
Regards,
Aref
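A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not code from any poster or from Cisco. It shows why the echo reply follows the connected-route lookup to the management interface when no connection entry exists, and why it returns via Outside once ICMP inspection records the flow. The /24 masks, the Inside subnet, the route table and the treatment of the management interface as never forwarding through-traffic are assumptions.

```python
import ipaddress

# Constructed model of the thread's topology. The /24 masks, the Inside subnet
# and the single default route are assumptions; the thread gives only the hosts.
ROUTES = [  # (prefix, egress interface); the longest matching prefix wins
    (ipaddress.ip_network("172.16.5.0/24"), "management"),  # connected, same subnet as the source
    (ipaddress.ip_network("10.1.0.0/24"), "inside"),        # connected
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),         # default route
]
MANAGEMENT_ONLY = {"management"}  # modelled as never forwarding through-traffic


def route_lookup(dst):
    """Return the egress interface of the longest matching prefix."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


class Firewall:
    def __init__(self, inspect_icmp):
        self.inspect_icmp = inspect_icmp
        self.conns = {}  # (client, server, icmp_id) -> interface the request arrived on

    def echo_request(self, in_ifc, src, dst, icmp_id):
        """Forward an echo request; remember the flow only when inspection is on."""
        if self.inspect_icmp:
            self.conns[(src, dst, icmp_id)] = in_ifc
        return route_lookup(dst)

    def echo_reply(self, src, dst, icmp_id):
        """Return (egress interface, verdict) for the matching echo reply."""
        state = self.conns.get((dst, src, icmp_id))
        if state is not None:
            return state, "forwarded"   # sent back out the originating interface
        egress = route_lookup(dst)      # no state: the reply is routed like a new packet
        verdict = "dropped" if egress in MANAGEMENT_ONLY else "forwarded"
        return egress, verdict


def ping(inspect_icmp):
    """Run the thread's ping (172.16.5.10 -> 10.1.0.100) and return the reply's fate."""
    fw = Firewall(inspect_icmp)
    fw.echo_request("outside", "172.16.5.10", "10.1.0.100", icmp_id=1)
    return fw.echo_reply("10.1.0.100", "172.16.5.10", icmp_id=1)
```

The model leaves the overlapping subnet in place, so it also reflects the earlier warning in the thread: the state entry fixes the ICMP reply path, but the connected route for the source's subnet still points at the management interface.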