12-28-2015 12:51 PM
Access to inside interface not working, it worked previously. Compared original configurations and not seeing any changes.
What am I missing?
Vlan 75 - Outside interface to an ISP DSL router
Vlan 55 - Inside interface to 3750 with IP of 55.2. Unable to ping this ip and all other devices hanging off the 3750.
Configuration attached.
12-28-2015 02:52 PM
Hi DON F,
It's not very clear what you are trying to do.
Are you trying to ping the internal resources while being outside of the "inside" network?
Are you able to ping the outside interface of the ASA?
12-28-2015 03:09 PM
I'm trying to access the network behind the Inside interface and the directly connected interface (10.14.55.2). I can ping the outside interfaces or Google, etc. when in the ASA, but nothing in the Inside is reachable via pings.
12-28-2015 04:31 PM
Can you share the output of the following from the 3750 switch:
show run int vlan 55
show run int <interface the ASA is connected to>
show ip int br | i 10.14.55
show int <interface the ASA is connected to>
12-29-2015 08:01 AM
The equipment is in another country. The ASA was my means to access the network and into the 3750.
12-29-2015 08:05 AM
That's unfortunate.
From the ASA configuration you shared (and especially since it was working previously and was not changed) it should work.
You might check your ARP cache to see if you're even getting it populated with the MAC address from the switch when you try and fail to connect.
You might also do a packet capture on that inside interface and see if anything jumps out at you. I'd look for something like VLAN mismatch or untagged (802.1q-wise) frames in the incoming traffic.
Beyond that, you need someone on site to give you remote hands assistance.
01-08-2016 07:49 AM
Update -- When I SSH into the ASA 5505, I can ping all devices in the inside network. Someone at the far end had moved the connection to another port.
The issue now is that when I VPN, the VPN client is not able to ping the inside interface of the ASA or the inside network. Also, in the ASA I am unable to ping the VPN client's assigned IP pool.
Regards,
01-08-2016 09:00 AM
In looking through the config I do not see a command like this
management-access inside
I suggest that you add this to the config. Also I do not see an inspect for icmp as part of your inspect policies. I suggest that you add it. Both of these may be helpful in resolving issues with ping access.
HTH
Rick
01-08-2016 09:10 AM
Added suggested lines. But, no dice.
01-08-2016 09:36 AM
If you can ping inside devices from the SSH session, that is an improvement. If the VPN client cannot ping inside, my first question would be whether the inside has a route to the address pool for the VPN client.
HTH
Rick
01-08-2016 09:38 AM
Your configuration does not have any NAT or NAT exemption for your VPN client address pool. How does the overall system handle NATting?
We would normally expect a NAT setup including something like this:
01-08-2016 10:01 AM
01-08-2016 11:57 AM
Marvin - thanks for the hint. Issue resolved... I reversed the lines in the nat section -- inside_network to VPN_network.
Old:
New:
01-08-2016 12:18 PM
You're welcome - glad we were able to resolve it together.
Please rate any useful replies.