ASA lab environment question

Unanswered Question
Jan 15th, 2009


I've tested this setup on both a live network and my lab and I still don't understand the reason for this not working. Can anyone provide the reason why? I find this extremely frustrating. I'm more than happy to provide the config that I'm using if anyone can help out.

Thanks, -Fred

There are 3 devices in an internal network.

-1 Router, 1 ASA, 1 PC


-Router (inside network) has 2 Loopback interfaces on different networks and an ethernet interface on the same network as the ASA and PC. Router is running EIGRP. Router is advertising networks belonging to all configured interfaces.

-ASA has default GW pointing to outside, PAT'ing inside network to outside interface. Running EIGRP and advertising its inside network only. ASA can successfully ping loopback interfaces on router.

-PC on same network as ASA (inside) and router. Gateway IP is set as the ASA's inside IP.


Now, the PC cannot ping the loopback interfaces on the router, but can go to the internet. (GW IP is ASA)

If you create a nonat statement on ASA to reach the loopback networks the PC can ping the loopback IP address.

If you try to do anything other than send ICMP packets to the loopback IPs from the PC they do not respond.

Why is this???

I know if I change the PC's GW ip address to the router, and make the router's default GW point to the ASA everything will work. I just don't understand why I can't make the ASA my PC's gw and have everything work.

cisco24x7 Thu, 01/15/2009 - 12:44

This is a hair-pinning issue. You will need to add "permit intra security" or something on the ASA to make it work.

Easy right?

