Pinging through ASA 5510

Answered Question
May 28th, 2010

Hi,

I'm configuring an ASA 5510. I have the following partial configuration:

interface Ethernet0/1
 nameif Outside_net2
 security-level 0
 ip address 10.0.2.2 255.255.255.0
!
interface Ethernet0/3
 nameif Inside_vlans
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
access-list nat_ADSL permit ip 192.168.10.0 255.255.255.0 any
!
access-list 100 permit icmp any any
!
access-list 110 permit icmp any any
!
global (Outside_net2) 1 10.0.2.3
nat (Inside_vlans) 1 access-list nat_ADSL
!
access-group 100 in interface Outside_net2
access-group 110 in interface Inside_vlans

At the moment I don't have any other interfaces configured.

Behind interface Inside_vlans I have a switch with the IP 192.168.10.251 and a default gateway of 192.168.10.254.

Next to the interface Outside_net2 I have an ADSL router with the IP 10.0.2.1 on its LAN interface.

When I ping from the ASA to the ADSL router or to the switch, everything is OK, and I can ping successfully from the switch to the ASA too. But when I try to ping from the switch to the ADSL router (10.0.2.1), it fails. For troubleshooting I made a capture on both interfaces of the ASA and saw that the ICMP request passes on both interfaces and the ICMP reply passes on the Outside_net2 interface, but the packet doesn't appear on the Inside_vlans interface.

In the xlate table I've seen a PAT line for the switch IP.

Can anyone help me find the solution to this problem?

Thanks in advance

Correct Answer
Federico Coto F... Fri, 05/28/2010 - 11:33

Hi,

In order to be able to PING through the ASA from the inside to the outside you need either one of two things:

1. An ACL allowing the echo-reply

2. Include inspection for ICMP

Federico.

Panos Kampanakis Fri, 05/28/2010 - 17:33

Your global is "global (Outside_net2) 1 10.0.2.3"

10.0.2.3 is a private IP. It will not be routable on the Internet.

Did you mean to translate to the outside interface IP, "global (Outside_net2) 1 interface"?

Also, as Federico mentioned, make sure you have ICMP inspection under the policy map: "sh run policy-map".

PK

rpsribeiro Tue, 06/01/2010 - 08:33

Thanks for the response. I added the inspect icmp without any changes and the solution works.
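
The two options from Federico's answer, written out as ASA commands for the interface names and ACL number in the question (an added example, not part of the original thread). It assumes the default global_policy policy-map and inspection_default class are still in the running configuration and applied globally.

```cisco
! Added example, not from the thread. Interface names, addresses and ACL 100
! come from the question; global_policy / inspection_default are the ASA
! default names and are assumed to be unchanged on this box.
!
! Option 1 (answer item 1): an ACE on the outside ACL that names echo-reply.
! This is the narrower form of the question's "permit icmp any any", which
! admits every ICMP type arriving on Outside_net2.
access-list 100 extended permit icmp any any echo-reply
access-group 100 in interface Outside_net2
!
! Option 2 (answer item 2, the change the original poster confirmed):
! ICMP inspection. The ASA then tracks each echo request and lets only the
! matching echo-reply back in, so inside-initiated pings do not depend on
! an ICMP permit in the outside ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Checks, run from privileged EXEC mode:
!   show running-config policy-map      <- "inspect icmp" should be listed
!   show running-config service-policy  <- global_policy should be applied
!   packet-tracer input Inside_vlans icmp 192.168.10.251 8 0 10.0.2.1
!                                        (type 8 code 0 = echo request)
```

Once option 2 is in place, the broad ICMP permit on the outside ACL can be reviewed, since it is no longer what lets the replies back in.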
