Solved: Unable to ping ASA from vlan 2

sabedin77 · ‎04-10-2017

Hi,

I have a networked environment where i have an ASA that has an INSIDE ip address of 192.168.1.254.

This is connected to a Layer 3 switch with two vlans - vlan 1 and vlan 2. vlan 1 is in the same subnet as

the INSIDE ip address of the ASA, and vlan 2 is in 192.168.2.0/24 subnet. I am able to ping hosts on

vlan 1 from vlan 2 fine but for some reason I am unable to ping the inside address of the ASA.

Any ideas what may be happening here?

Dennis Mink · ‎04-10-2017

do you have an ip any any configured incoming into the INSIDE interface on the ASA?

If so you might want to run:

a. packet tracer to see if icmp is allowed from your host to the inside interface, through simulation

b. capture traffic on the inside interface and see if the icmp is hitting the inside interface at all

please rate if useful

Please remember to rate useful posts, by clicking on the stars below.

View solution in original post

dperezoquendo · ‎04-10-2017

I would recommend doing a packet tracer as Dennis suggested. Try the following and see what you get: (I've never done a packet-tracer to the inside interface before so I'm not sure how that will work. You can probably just substitute 192.168.1.254 with 8.8.8.8)

packet-tracer input INSIDE icmp 192.168.2.10 8 0 192.168.1.254

I would also suggest ensuring there is a route for the 192.168.2.0/24 subnet to the ASA. You can try a default static route on your router:

ip route 0.0.0.0 0.0.0.0 192.168.1.254

View solution in original post

Dennis Mink · ‎04-10-2017

do you have an ip any any configured incoming into the INSIDE interface on the ASA?

If so you might want to run:

a. packet tracer to see if icmp is allowed from your host to the inside interface, through simulation

b. capture traffic on the inside interface and see if the icmp is hitting the inside interface at all

please rate if useful

Please remember to rate useful posts, by clicking on the stars below.

sabedin77 · ‎04-10-2017

From any host on vlan 2, I am unable to ping the INSIDE interface of the ASA fine.

"ip routing" command has been run on the layer 3 switch to allow inter-vlan routing. I can ping from any host on vlan 1 to vlan 2 and vice-versa. The only thing i am unable to do is to ping the INSIDE interface of the ASA from a host on vlan 2.

dperezoquendo · ‎04-10-2017

I would recommend doing a packet tracer as Dennis suggested. Try the following and see what you get: (I've never done a packet-tracer to the inside interface before so I'm not sure how that will work. You can probably just substitute 192.168.1.254 with 8.8.8.8)

packet-tracer input INSIDE icmp 192.168.2.10 8 0 192.168.1.254

I would also suggest ensuring there is a route for the 192.168.2.0/24 subnet to the ASA. You can try a default static route on your router:

ip route 0.0.0.0 0.0.0.0 192.168.1.254

sabedin77 · ‎04-11-2017

I asked one of my colleagues at work and the correct answer was that the ASA had no way to route to vlan2 192.168.2.0/24. I added in a static route on ASA by using "route inside 192.168.2.0 255.255.255.0 192.168.1.2(vlan 1 network)" and all working fine now.

Thank you for all your replies. Hope that we all learnt something from this!

sabedin77 · ‎04-10-2017

Yes, when I run a packet capture I saw the ICMP packets from vlan 2 hitting the INSIDE interface of the ASA. I will try to configure an ACL to allow traffic from vlan 2 to pass through the INSIDE interface on the ASA.