
Pinging through ASA 5510

rpsribeiro

Hi,

I'm configuring an ASA 5510. I have the following partial configuration:

interface Ethernet0/1
 nameif Outside_net2
 security-level 0
 ip address 10.0.2.2 255.255.255.0
!
interface Ethernet0/3
 nameif Inside_vlans
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
access-list nat_ADSL permit ip 192.168.10.0 255.255.255.0 any
!
access-list 100 permit icmp any any
!
access-list 110 permit icmp any any
!
global (Outside_net2) 1 10.0.2.3
nat (Inside_vlans) 1 access-list nat_ADSL
!
access-group 100 in interface Outside_net2
access-group 110 in interface Inside_vlans

At the moment I don't have any other interfaces configured.


Behind interface Inside_vlans I have a switch with the IP 192.168.10.251 and a default gateway of 192.168.10.254.

Next to the interface Outside_net2 I have an ADSL router with the IP 10.0.2.1 on its LAN interface.

When I ping from the ASA to the ADSL router or to the switch, everything is OK, and I can ping successfully from the switch to the ASA too. But when I try to ping from the switch to the ADSL router (10.0.2.1), it fails. For troubleshooting, I made a capture on both interfaces of the ASA and saw that the ICMP request passes through both interfaces; the ICMP reply passes the Outside_net2 interface, but the packet doesn't appear on the Inside_vlans interface.

In the xlate table I've seen a PAT line for the switch IP.

Can anyone help me find the solution for this problem?

Thanks in advance.

Accepted Solutions

Hi,

In order to be able to PING through the ASA from the inside to the outside you need either one of two things:

1. An ACL allowing the echo-reply

2. Include inspection for ICMP

Federico.


Your global is "global (Outside_net2) 1 10.0.2.3"

10.0.2.3 is a private IP. It will not be routable on the Internet.

Did you mean to translate to the outside interface IP, "global (Outside_net2) 1 interface"?

Also, as Federico mentioned, make sure you have ICMP inspection under the policy map ("sh run policy-map").

PK

Thanks for the response. I added the inspect icmp without any changes and the solution works.
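
The two options from the accepted answer, written against the interface names and addresses in the question, as an added example that is not from any poster in this thread. It assumes the ASA's default `global_policy` policy map and `inspection_default` class are still present and applied globally; the ACL name `outside_in` is hypothetical.

```cisco
! --- Option 2 from the accepted answer (the one the poster applied) ---
! Stateful ICMP inspection. Assumes the default global_policy and
! inspection_default objects exist and are attached with
! "service-policy global_policy global".
policy-map global_policy
 class inspection_default
  inspect icmp
!
! With inspection enabled, each echo-reply is matched to the echo-request
! that left through Inside_vlans, so the return packet does not depend on
! an inbound ICMP entry in the outside ACL.
!
! --- Option 1 from the accepted answer ---
! No inspection; permit only the reply type inbound on the outside.
! "outside_in" is a hypothetical ACL name. This entry is narrower than
! the question's "access-list 100 permit icmp any any", which admits
! every ICMP type from the lower-security side.
access-list outside_in extended permit icmp any any echo-reply
access-group outside_in in interface Outside_net2
!
! --- Checks, run from privileged EXEC (not configuration mode) ---
! Confirm "inspect icmp" is listed under class inspection_default:
show running-config policy-map
! Simulate the switch's echo-request (ICMP type 8, code 0) toward the
! ADSL router and read the per-phase ALLOW/DROP result:
packet-tracer input Inside_vlans icmp 192.168.10.251 8 0 10.0.2.1
```

Inspection is the tighter of the two options, because the outside ACL does not have to admit unsolicited ICMP at all.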
