Pinging or TFTPing between two ASAs

rbill1967
Level 1

I have two ASAs, soon to have several more out in the field connecting little networks together. My main ASA has a site-to-site built between itself and another ASA (Main ASA5520 / Other ASA5505).

I can SSH or telnet to the 5505, even to its internal IP, but my current problem is that, although within the network, I cannot ping other devices from the 5505, which is contained within our network. I try to update the ASA using TFTP but that fails as well. I know it has something to do with ICMP but I think I'm missing something.

When I attempt to do a traceroute to an internal IP it fails.

911PSAP-5505# traceroute 192.255.255.13

Type escape sequence to abort.
Tracing the route to 192.255.255.13

1  68.213.181.241 0 msec 0 msec 0 msec
2  68.216.208.95 20 msec 10 msec 10 msec
3  68.152.198.81 10 msec 10 msec 10 msec
4  12.81.24.108 10 msec 10 msec 10 msec
5   *  *  *
6   *  *  *
7   *  *  *
8   *  *  *
9   *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
21  *  *  *
22  *  *  *
23  *  *  *
24  *  *  *
25  *  *  *
26  *  *  *
27  *  *  *
28  *  *  *
29  *  *  *
30  *  *  *

1 Accepted Solution

The tftp command is to specify the tftp server where the file will be retrieved from. ASA can't act as a TFTP server.

Are you trying to ping devices in the same subnet as your ASA interface? You might want to check the device firewall settings itself where sometimes it's not allowing inbound ping, so disabling firewall setting might resolve your ping test issue. If you try to ping a network device, like a switch or a router from the ASA, you might have better luck.

3 Replies

Jennifer Halim
Cisco Employee

You might want to check that you have "icmp permit any " configured for the relevant interfaces where you are trying to ping from.

To check if you have the configuration or not: sh run icmp

With regards to TFTP, by default TFTP on the lowest security level interface is not allowed, unless you configure a TFTP interface as follows for example:

tftp-server

Hope that helps.

"icmp permit any "

Already in place

tftp-server

Does this refer to the server it will be retrieving the file from or just utilizing the ASA as the server?
