Cannot Ping local Subnet from ASA

Unanswered Question
Oct 12th, 2008

Can someone please check this config,

We have this asa5510 as our default gateway (

We also have a 2821 router running cme with two sub interfaces ( &

I have added a route on the asa to but cannot ping to from clients on the network although I can from the asa itself.

Can you see what is causing this?



JORGE RODRIGUEZ Sun, 10/12/2008 - 04:46

ASA config seems fine.

In the 2821 router, do you have a route back to reach subnet or a default route pointing to the ASA inside interface?


ip route


ip route

If you already have the above example in the 2821, can you gather ASA logs while trying to ping hosts from network and post the logs?



shaw.chris Sun, 10/12/2008 - 11:45

I tried adding ip route but it still wouldn't work. Would it still need this route even though the 2821 has one of its interfaces in the network?

When I try and ping from the client to this shows up in the asa log

portmap translation creation failed for icmp src INSIDE: dst INSIDE: (type 8, code 0)

Does anyone have an idea what could be causing this?



shaw.chris Sun, 10/12/2008 - 13:54

I thought it may be to do with the ASA natting traffic to so I added

access-list NONAT extended permit ip

It still doesn't ping but I get a different error on the ASA:

No translation group found for icmp src INSIDE: dst INSIDE: (type 8, code 0)

JORGE RODRIGUEZ Sun, 10/12/2008 - 17:39

Sorry for the late reply.

Invert the ACL:


no access-list NONAT extended permit ip

Rewrite the statement with:

access-list NONAT extended permit ip

then try from pinging to any host on the net

amady3381 Sun, 10/12/2008 - 21:00

Hi Chris

Add these commands and it will work fine for you:

same-security-traffic permit intra-interface

static (inside,inside) netmask norandomseq nailed

static (inside,inside) netmask norandomseq nailed

sysopt noproxyarp inside

failover timeout -1

When you put these commands it will work fine.


shaw.chris Tue, 10/14/2008 - 00:47

Thanks for your help. Would it be possible to explain what these commands are doing as well?

amady3381 Tue, 10/14/2008 - 01:03

Dear Chris

Refer to the link below and you can find the answer:

Also, you can have another solution if you put the default gateway for the users as the CME router ( and point a default route on the router to the (ip route


shaw.chris Wed, 11/05/2008 - 14:44

Thanks for your help.

Would this affect performance if all packets had to go through the router first rather than straight out of the ASA?

Also, I have site-to-site VPNs set up that I wish to connect to the CME system e.g. is a remote site. What steps would I need to take for this network to see the internal network?



