ASA 5510, Access other interface problem

Answered Question
Feb 22nd, 2009

Hi,

I have just configured my brand new ASA 5510 with ASA Version 8.0(4). I am having a little problem: I cannot access (or even ping) the DMZ interface and other interfaces from an inside host; meanwhile, I can access the servers behind the DMZ and other interfaces.

When I ping the DMZ interface, I find the messages below in the log.

Built inbound ICMP connection for faddr 192.168.10.33/512 gaddr 172.16.250.5/0 laddr 172.16.250.5/0

Details:

%ASA-6-302020: Built {in | out}bound ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | cmp_type} laddr laddr

An ICMP session was established in the fast-path when stateful ICMP is enabled using the inspect icmp command.

Teardown ICMP connection for faddr 192.168.10.33/512 gaddr 172.16.250.5/0 laddr 172.16.250.5/0

Details:

%ASA-6-302021: Teardown ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | cmp_type} laddr laddr

An ICMP session was removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.

I tried a lot but couldn't get it to work.

Please help!

Correct Answer by Syed Iftekhar Ahmed about 7 years 11 months ago

It's been there since PIX days.

It exists for all ASA codes.

Syed Iftekhar Ahmed

Correct Answer
Syed Iftekhar Ahmed Mon, 02/23/2009 - 00:09

A host residing on an interface can only ping its adjacent ASA interface. It cannot ping the far end interface of the ASA. For example, if you have a host on inside, this host can only ping the inside interface of the ASA and no other interface (e.g. outside or dmz). Although the hosts connected to "far end interfaces" can be pinged, a "far end interface" cannot be pinged by a host. This is a security feature on ASA firewalls.

Syed Iftekhar Ahmed
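
Added example, not part of the original thread: a Python classifier that applies the rule from the answer above to the 302020/302021 lines quoted in the question, so an ICMP session aimed at a far end ASA interface (no reply by design) can be told apart from one aimed at the adjacent interface or at a host behind the firewall. The interface table, the masks, the inside address and the second and third sample lines are constructed assumptions; only 172.16.250.5 as the DMZ interface and the first sample line come from the post.

```python
import ipaddress
import re

# Assumed interface table: names, masks and the inside address are constructed;
# the post only says 172.16.250.5 is the DMZ interface.
ASA_INTERFACES = {
    "inside": ipaddress.ip_interface("192.168.10.1/24"),
    "dmz": ipaddress.ip_interface("172.16.250.5/24"),
}

# Message text of 302020 (Built) and 302021 (Teardown) as quoted in the question.
ICMP_RE = re.compile(
    r"(?:Built (?:in|out)bound|Teardown) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ "
    r"laddr (?P<laddr>[\d.]+)/\d+"
)

SAMPLE = [
    # From the question: inside host pinging the DMZ interface.
    "Built inbound ICMP connection for faddr 192.168.10.33/512 "
    "gaddr 172.16.250.5/0 laddr 172.16.250.5/0",
    # Constructed: same host pinging the inside interface.
    "Built inbound ICMP connection for faddr 192.168.10.33/512 "
    "gaddr 192.168.10.1/0 laddr 192.168.10.1/0",
    # Constructed: same host pinging a server behind the DMZ (no NAT assumed).
    "Teardown ICMP connection for faddr 172.16.250.10/0 "
    "gaddr 192.168.10.33/512 laddr 192.168.10.33/512",
]


def adjacent_interface(host, interfaces=ASA_INTERFACES):
    """Return the interface whose connected subnet contains host, else None."""
    addr = ipaddress.ip_address(host)
    return next((n for n, i in interfaces.items() if addr in i.network), None)


def classify(line, interfaces=ASA_INTERFACES):
    """Say whether an ICMP session targets an ASA interface, and which side."""
    m = ICMP_RE.search(line)
    if m is None:
        return None  # not a 302020/302021 ICMP line
    own = {str(i.ip): name for name, i in interfaces.items()}
    ends = (m["faddr"], m["laddr"])
    # Check both ends so the result does not depend on log direction.
    for target, peer in (ends, ends[::-1]):
        if target in own:
            near = adjacent_interface(peer, interfaces)
            kind = "adjacent-interface" if near == own[target] else "far-end-interface"
            return {"kind": kind, "host_side": near, "asa_interface": own[target]}
    return {"kind": "through-traffic", "host_side": None, "asa_interface": None}
```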


zafar12233 Mon, 02/23/2009 - 01:34

Thank you so much for your reply, Mr. Iftikhar,

I got your point. I sensed that too, but wasn't sure. Once again, thanks :)

I have a question: is this security feature only available in ASA ver. 8.0(4), or is it an ASA feature regardless of ASA version?

Thank you,

Zafar-
