05-21-2007 04:41 AM - edited 03-11-2019 03:17 AM
Hi all.
This is my first setup of a Cisco ASA box.
I'm having a lot of problems with the use of static routes.
If I make a PING from the ASA box, I get a reply.
But if the ping comes from a computer, I keep getting: Deny inbound icmp src inside:XXX dst inside:YYY (Type 8, code 0)
I have tried to make a NAT rule for this, but I cannot make a rule src inside, dst inside.
Can anyone help me with this?
Thanks.
Best regards.
Stig B.
05-21-2007 04:44 AM
No need for a nat rule or static route for this...just add the following
icmp permit any inside
05-21-2007 05:03 AM
hi,
Sorry, doesn't work.
ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists
Thanks..
05-21-2007 05:13 AM
I think I misunderstood, what are you trying to ping from the inside computer? Another computer on the inside on a different network, or the ASA itself? Looks like you are trying to ping from machine on inside to another machine inside. This traffic is being routed to inside of ASA and it is denying it as by default it will not allow traffic to go in and out of same interface. You will need to add the "same-security-traffic permit intra-interface" command to allow that to happen.
05-21-2007 05:34 AM
Thanks a lot.
Now I don't get the deny inbound error.
But I get a: Portmap translation creation failed for icmp src inside:xxx dst inside: xxx (type 8, code 0)
Do I need NAT for that?
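A way to confirm from the logs that the affected traffic enters and leaves on one interface, as the reply above describes (added example, not part of the thread). The message layout is taken from the two log lines quoted here; the function names and the addresses in the sample are constructed.

```python
import re
from collections import Counter

# Matches the two message texts quoted in the thread. The "src if:addr dst if:addr"
# layout comes from those quotes; an optional "/port" after an address is ignored.
FLOW_RE = re.compile(
    r"(?P<event>deny inbound|portmap translation creation failed for)\s+"
    r"(?P<proto>\w+)\s+src\s+(?P<src_if>[^:\s]+):\s*(?P<src>[^\s/]+)\S*\s+"
    r"dst\s+(?P<dst_if>[^:\s]+):\s*(?P<dst>[^\s/]+)",
    re.IGNORECASE,
)

def parse_flow(line):
    """Return (kind, proto, src_if, src, dst_if, dst), or None if no flow is found."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    kind = "deny" if m["event"].lower().startswith("deny") else "portmap"
    return kind, m["proto"].lower(), m["src_if"], m["src"], m["dst_if"], m["dst"]

def hairpin_summary(lines):
    """Count flows whose source and destination interface are the same."""
    counts = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        kind, _proto, src_if, src, dst_if, dst = flow
        if src_if == dst_if:  # traffic routed in and out of one interface
            counts[(kind, src_if, src, dst)] += 1
    return counts

# Constructed sample lines (documentation addresses, not from the thread).
SAMPLE_LOG = [
    "Deny inbound icmp src inside:192.0.2.10 dst inside:198.51.100.7 (type 8, code 0)",
    "Deny inbound icmp src inside:192.0.2.10 dst inside:198.51.100.7 (type 8, code 0)",
    "Portmap translation creation failed for icmp src inside:192.0.2.10 dst inside: 198.51.100.7 (type 8, code 0)",
    "Deny inbound icmp src outside:203.0.113.9 dst inside:192.0.2.10 (type 8, code 0)",
    "unrelated line without a flow",
]

if __name__ == "__main__":
    for (kind, iface, src, dst), n in hairpin_summary(SAMPLE_LOG).items():
        print(f"{kind:8} {iface}: {src} -> {dst}  x{n}")
```

A non-empty summary means hosts are sending traffic for another internal network to the firewall's own interface, which is the case the intra-interface setting and the same-interface NAT suggestions in this thread address.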
05-21-2007 05:45 AM
try...
global (inside) 1 interface
05-21-2007 05:58 AM
Thank you so much for your time and knowledge.
But, it didn't do the trick.
Do you have another idea?
05-21-2007 06:06 AM
What error are you getting now? No translation group found...? Add the following...
static (inside,inside)
05-21-2007 06:41 AM
So to review you should have...
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside)
You could also do this for the whole network instead of just
static (inside,inside)
05-21-2007 11:47 PM
Hi,
"same-security-traffic permit intra-interface" - Worked, but gave a new error.
(portmap translation creation failed for icmp src inside:XXX dst inside:YYY (type 8, code 0))
"global (inside) 1 interface" - Didn't help on the new error
static (inside,inside)
static (inside,inside)
static (inside,inside)
static (inside,inside)
But none of this works, and I still have the portmap problem.
05-22-2007 01:03 AM
Could you let us know about your scenario? I could possibly give you a sample configuration which would work for your setup.
-Hoogen
05-22-2007 01:26 AM
Hi,
My Cisco ASA 5510 box is going to be a new HQ firewall/VPN - (HQN)
On the old HQ box (Cisco VPN3000), all of the VPN lines for the EU network are connected. - (HQO)
At HQN there is an old Cisco router with a connection to HQO.
I'm going to move all of the VPN lines one-by-one, but keep the whole network up at the same time.
Before I start moving client computers and servers to the new HQN box (ASA), I want to be able to route traffic from ASA to the VPN3000 at HQN
A copy of my conf, see the Attachment
At The new HQ:
ASA: 192.168.163.1
Router: 192.168.163.30
My problem is that the following doesn't work:
route LAN 192.126.60.0 255.255.255.0 192.168.163.30 1
route LAN 172.16.3.0 255.255.255.0 192.168.163.30 1
route LAN 10.3.26.0 255.255.255.0 192.168.163.30 1
route LAN 10.2.0.0 255.255.255.0 192.168.163.30 1
route LAN 10.0.5.0 255.255.255.0 192.168.163.30 1
route LAN 10.0.4.0 255.255.252.0 192.168.163.30 1
route LAN 192.168.168.0 255.255.255.0 192.168.163.30 1
I hope you understand me, because my English is not the best.
Thanks..
05-22-2007 04:40 AM
Sorry, should have checked, this should do it.
no global (LAN) 1 interface
global (LAN) 200 interface
05-22-2007 05:14 AM
Hi,
The error message is gone now, but I don't get any reply back.
I know the server I'm pinging is there, because when I'm using the 192.168.163.30 as GW, there is no problem.
05-22-2007 05:45 AM
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface