We have installed an ASA5510 with the CSC module. CSC Module IP is set to 192.168.10.254. The inside IP of the ASA5510 is 192.168.10.1.
Our LAN is on the 192.168.1.0 subnet. Given that all the routes are set up properly, we are not able to ping the CSC interface 192.168.10.254. We can access 192.168.10.1 without any issue. The following is from the log of the ASA when we try to ping it.
3|Jun 29 2007 17:40:06|305006: regular translation creation failed for icmp src inside:192.168.10.254 dst inside:192.168.1.181 (type 0, code 0)
and this is the log when we try to access it within ASDM.
3|Jun 29 2007 17:41:13|305006: portmap translation creation failed for tcp src inside:192.168.10.254/8443 dst inside:192.168.1.181/1677
6|Jun 29 2007 17:41:10|106015: Deny TCP (no connection) from 192.168.10.254/8443 to 192.168.1.181/1677 flags SYN ACK on interface inside
However, I can connect to the ASA via VPN from home and everything works fine.
1. add "same-security-traffic permit intra-interface" to allow traffic out same interface
2. create translation for host
static (inside,inside) 192.168.1.181 192.168.1.181 netmask 255.255.255.255
"Just want to make sure that it will work as the way it should?"
Is that a question to me? I would check to make sure you can still access it via vpn, then you know it is still routing properly.
Can you add specific routes to the CSC module? If so another option would be to leave the default gateway as the inside ASA and add specific routes towards 10.2.
Ok, so the ping is making it to the CSC, but the CSC gateway is the inside of the pix. Therefore the reply is hitting the inside of the pix and the pix won't route that back out the inside interface.
1. Set the default gateway for the CSC to your inside router (192.168.10.2), not the inside of the ASA. This will allow the ping reply from the CSC to be routed towards 192.168.1.181 via the inside router.
2. Enable hairpinning.
I would choose option 1 as it is less complicated and less involved.
2. The other issue is more confusing. I guess 1.181 above is the client that is attempting to ping the csc module? Does the csc module have a physical interface and is it plugged onto the same network as the inside interface of the ASA?
It looks like the ping for 10.254 is hitting the inside of the ASA. The ASA is attempting to hairpin the traffic back out its same interface (inside). The ASA will not do this by default. You need to allow hairpinning. Pay close attention to where it says source:inside destination:inside.
But if everything else was set up properly, the request for 10.254 would not be hitting the inside interface of the ASA anyhow.
1. To solve the issue of not being able to ping any websites you must allow the ping reply in your outside access-list:
access-list outside extended permit icmp any any echo-reply
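
Added example, not written by anyone in this thread: a Python sketch that scans ASA syslog text for the two signatures discussed above, 305006 translation failures where source and destination interface are the same (the hairpin case), and 106015 denies for a SYN ACK with no connection entry. The function names are hypothetical and the sample input is the three log lines quoted in the question.

```python
import re

# Sample lines copied from the ASA log quoted in the question above.
SAMPLE_LOG = """\
3|Jun 29 2007 17:40:06|305006: regular translation creation failed for icmp src inside:192.168.10.254 dst inside:192.168.1.181 (type 0, code 0)
3|Jun 29 2007 17:41:13|305006: portmap translation creation failed for tcp src inside:192.168.10.254/8443 dst inside:192.168.1.181/1677
6|Jun 29 2007 17:41:10|106015: Deny TCP (no connection) from 192.168.10.254/8443 to 192.168.1.181/1677 flags SYN ACK on interface inside
"""

# 305006: "<kind> translation creation failed for <proto> src <if>:<ip>[/port] dst <if>:<ip>[/port]"
XLATE_FAIL = re.compile(
    r"\|305006: (?P<kind>\w+) translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)
# 106015: "Deny TCP (no connection) from <ip>/<port> to <ip>/<port> flags <flags> on interface <if>"
NO_CONN = re.compile(
    r"\|106015: Deny TCP \(no connection\) from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

def find_hairpin_failures(log_text):
    """Return 305006 events whose source and destination interface are the same."""
    hits = []
    for line in log_text.splitlines():
        m = XLATE_FAIL.search(line)
        if m and m["src_if"] == m["dst_if"]:
            hits.append(m.groupdict())
    return hits

def find_orphan_syn_acks(log_text):
    """Return 106015 events where a SYN ACK was dropped because the ASA
    had no connection entry for it (it never processed the opening SYN)."""
    hits = []
    for line in log_text.splitlines():
        m = NO_CONN.search(line)
        if m and m["flags"].split() == ["SYN", "ACK"]:
            hits.append(m.groupdict())
    return hits

if __name__ == "__main__":
    for e in find_hairpin_failures(SAMPLE_LOG):
        print(f"hairpin {e['proto']}: {e['src_ip']} -> {e['dst_ip']} on {e['src_if']}")
    for e in find_orphan_syn_acks(SAMPLE_LOG):
        print(f"SYN ACK without connection: {e['src_ip']}:{e['src_port']} -> {e['dst_ip']}:{e['dst_port']}")
```

Both signatures appearing for the same host pair, as they do here for 192.168.10.254 and 192.168.1.181, is consistent with the explanation in the thread: the reply path goes through the ASA's inside interface while the request path does not.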