Pinging through ASA 5510

May 28th, 2010

Hi,

I'm configuring an ASA 5510 and have the following partial configuration:

interface Ethernet0/1
 nameif Outside_net2
 security-level 0
 ip address 10.0.2.2 255.255.255.0
!
interface Ethernet0/3
 nameif Inside_vlans
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
access-list nat_ADSL permit ip 192.168.10.0 255.255.255.0 any
!
access-list 100 permit icmp any any
!
access-list 110 permit icmp any any
!
global (Outside_net2) 1 10.0.2.3
nat (Inside_vlans) 1 access-list nat_ADSL
!
access-group 100 in interface Outside_net2
access-group 110 in interface Inside_vlans


At the moment I don't have any other interfaces configured.

Behind interface Inside_vlans I have a switch with the IP 192.168.10.251 and a default gateway of 192.168.10.254.

Next to the interface Outside_net2 I have an ADSL router with the IP 10.0.2.1 on its LAN interface.


When I ping from the ASA to the ADSL router or to the switch everything is OK, and I can ping successfully from the switch to the ASA too, but when I try to ping from the switch to the ADSL router (10.0.2.1) it fails. For troubleshooting I made a capture on both interfaces of the ASA and saw that the ICMP request passes on both interfaces, and the ICMP reply passes on the Outside_net2 interface, but the packet doesn't appear on the interface Inside_vlans.

In the xlate table I've seen a PAT line for the switch IP.

Can anyone help me find the solution for this problem?

Thanks in advance

Correct Answer
Federico Coto F... Fri, 05/28/2010 - 11:33

Hi,


In order to be able to PING through the ASA from the inside to the outside you need either one of two things:


1. An ACL allowing the echo-reply

2. Include inspection for ICMP


Federico.

Panos Kampanakis (Cisco Employee) Fri, 05/28/2010 - 17:33

Your global is "global (Outside_net2) 1 10.0.2.3"

10.0.2.3 is a private IP. It will not be routable for the Internet.

Did you mean to translate to the outside interface IP, "global (Outside_net2) 1 interface"?

Also, as Federico mentioned, make sure you have ICMP inspection under the policy map ("sh run policy-map").


PK
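As an added configuration example (not part of any post in this thread), this is what the two answers above amount to in the ASA 8.2-era nat/global syntax the question uses, applied to the interface and ACL names from the question. Option 2, stateful ICMP inspection in the default global policy, is what the original poster reports fixing the problem; Option 1 is the ACL form of Federico's first point, written to permit only the ICMP types an inside host should receive rather than "permit icmp any any". The "global ... interface" line follows Panos's suggestion. Interface names, ACL names and the 10.0.2.2 address come from the thread; the set of permitted ICMP types and the assumption that the default policy-map is still named global_policy are mine.

```text
! --- Option 2 (what the poster ended up using): make ICMP stateful ---
! Adds ICMP inspection to the ASA's default global policy. The reply to an
! outbound echo is then matched to its connection and NAT entry on the way
! back in, and only replies to requests the ASA saw go out are accepted.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! --- Option 1 (ACL alternative, shown for completeness) ---
! Note the poster's ACL 100 already permitted all ICMP inbound and the ping
! still failed until inspect icmp was added, so on a PAT setup treat this as
! the explicit-permit form, not a substitute for inspection.
! Pre-8.3 ACLs on the outside interface match the translated (global) address,
! which with "global ... interface" is the outside interface IP 10.0.2.2.
access-list 100 extended permit icmp any host 10.0.2.2 echo-reply
access-list 100 extended permit icmp any host 10.0.2.2 time-exceeded
access-list 100 extended permit icmp any host 10.0.2.2 unreachable
access-group 100 in interface Outside_net2
!
! --- NAT: PAT to the outside interface address, as Panos suggested ---
global (Outside_net2) 1 interface
nat (Inside_vlans) 1 access-list nat_ADSL
!
! --- Checks while a ping runs from 192.168.10.251 to 10.0.2.1 ---
! show run policy-map     -> "inspect icmp" listed under class inspection_default
! show service-policy     -> global_policy applied globally, with packet counters
! show xlate              -> PAT entry for 192.168.10.251 via the outside interface
! show conn               -> with inspect icmp on, the ICMP flow appears as a connection
```

The reason to prefer inspection over a blanket "permit icmp any any" on the outside interface is that the ACL form lets any outside host send echo-replies (and, if widened, echo requests) toward the translated address at any time, whereas inspection only admits a reply that corresponds to a request the ASA tracked going out.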

rpsribeiro Tue, 06/01/2010 - 08:33

Thanks for the response. I added inspect icmp without any other changes, and the solution works.
