05-28-2010 11:17 AM - edited 03-11-2019 10:52 AM
Hi,
I'm configuring an ASA 5510. I have the following partial configuration:
interface ethernet 0/1
nameif Outside_net2
security-level 0
ip address 10.0.2.2 255.255.255.0
!
interface Ethernet0/3
nameif Inside_vlans
security-level 100
ip address 192.168.10.254 255.255.255.0
!
access-list nat_ADSL permit ip 192.168.10.0 255.255.255.0 any
!
access-list 100 permit icmp any any
!
access-list 110 permit icmp any any
!
global (Outside_net2) 1 10.0.2.3
nat (Inside_vlans) 1 access-list nat_ADSL
!
access-group 100 in interface Outside_net2
access-group 110 in interface Inside_vlans
At the moment I don't have any other interfaces configured.
Behind interface Inside_vlans I have a switch with the IP 192.168.10.251 and a default gateway of 192.168.10.254.
Next to the interface Outside_net2 I have an ADSL router with the IP 10.0.2.1 on the LAN interface.
When I ping from the ASA to the ADSL router or to the switch, everything is OK. I can ping successfully from the switch to the ASA too, but when I try to ping from the switch to the ADSL router (10.0.2.1) it fails. For troubleshooting I made a capture on both interfaces of the ASA and I saw that the ICMP request passes on both interfaces; the ICMP reply passes on the Outside_net2 interface, but the packet doesn't appear on the Inside_vlans interface.
In the xlate table I've seen a PAT line for the switch IP.
Can anyone help me find the solution for this problem?
Thanks in advance
05-28-2010 11:33 AM
Hi,
In order to be able to PING through the ASA from the inside to the outside you need either one of two things:
1. An ACL allowing the echo-reply
2. Include inspection for ICMP
Federico.
05-28-2010 05:33 PM
Your global is "global (Outside_net2) 1 10.0.2.3"
10.0.2.3 is a private IP. It will not be routable on the Internet.
Did you mean to translate to the outside interface IP, "global (Outside_net2) 1 interface"?
Also, as Federico mentioned, make sure you have ICMP inspection under the policy map ("sh run policy-map").
PK
06-01-2010 08:33 AM
Thanks for the response. I added the inspect icmp without any changes and the solution works.
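The two options named in the replies, written out as an added example that is not part of any poster's configuration. The interface and ACL names come from the original post; `global_policy` and `inspection_default` are the ASA's default policy-map and class names and are assumed to be unchanged on this unit.

```cisco
! --- Option 1: stateless. Permit returning echo-replies on the outside ACL.
! --- Narrower than "permit icmp any any", but still accepts any unsolicited
! --- echo-reply arriving on Outside_net2.
access-list 100 extended permit icmp any any echo-reply
access-group 100 in interface Outside_net2
!
! --- Option 2: stateful. ICMP inspection tracks each echo request and only
! --- lets the matching reply back in, so no inbound ICMP ACL entry is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! --- Verification (exec mode, not configuration mode).
! --- Confirm the inspection is present in the running policy:
show running-config policy-map
! --- Simulate the switch's echo request (ICMP type 8, code 0) toward the
! --- ADSL router and read which phase allows or drops it:
packet-tracer input Inside_vlans icmp 192.168.10.251 8 0 10.0.2.1
```

With inspection in place, the broad `permit icmp any any` entries in access-lists 100 and 110 can be reviewed and tightened, since return traffic no longer depends on them.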