can't ping inside interfaces on asa from switch

Majed Zouhairy
Level 1

Peace,

I have an ASA 5520 with sub-interfaces inside. I can ping hosts on the inside networks, but I can't ping the inside interfaces themselves from an attached Nexus switch. It would make troubleshooting a lot easier if I could ping the gateway. So is there a way to enable pings to the inside interfaces from different VLANs?

16 Replies

Traian Bratescu
Level 1

Have a look at this:

https://supportforums.cisco.com/discussion/10347521/asa-5505-icmp-not-responding

 

You can only ping the ASA's IP address from a network that is behind that specific interface (meaning you can't ping the outside IP address from an inside host, for example); additionally you have to specify which sources you allow. The command is:

"To configure access rules for ICMP traffic that terminates at an adaptive security appliance interface, use the icmp command. To remove the configuration, use the no form of this command.

icmp {permit | deny} ip_address net_mask [icmp_type] if_name"

 

Traian

I am not trying to ping an outside address. I noticed that from the inside network I can ping the inside interface.

From the link you gave, it states:

"Put more generally, you cannot ping the firewall's ip addresses, unless you are on the interface you are pinging."

From this I understand that pinging another inside sub-interface is not possible from a different VLAN. I guess I asked for too much.

Hi Majed,

 

To troubleshoot, you can check the following:

>> ARP on the ASA for the host from which you are doing the ping test.

show arp

>> Check if ASA is receiving traffic:

cap capi interface inside match icmp any any

show cap capi

>> In case the traffic is reaching asa and it is getting dropped there then:

cap asp type asp-drop all

show cap asp

 

Please attach the above-mentioned data and also attach the show run interface output.

 

Thanks,

R.Seth

It was just an example...

You can ping an inside interface from a different vlan as long as the packet is not traversing the ASA.

something like

vlan1 \

             \ ---   Router  --- ASA

Vlan2 /

You can enable icmp from either vlan 1 or vlan 2

 icmp permit any inside

If you have a different scenario than the above, please let me know...

 

Another useful command is "packet-tracer" - it will tell you whether the packet is allowed or not and the reason for that:

 packet-tracer input inside icmp "source_ip" 8 0 "destination_ip"

 

Hope this clarifies,

Traian

 

 

Thanks for the ARP tip.

About the

icmp permit any inside

I have 9 inside sub-interfaces on different VLANs. I did icmp permit any (on all inside interfaces),

but still from the Nexus I can only ping the management VLAN in the VRF management, because it's on the same VLAN and subnet.

Where is the mistake?

Hi Majed,

 

From the ASA's perspective, you have 9 different interfaces with different names (nameif).

So if you try to ping the IP address configured on one sub-interface from a device whose traffic hits the firewall on a different sub-interface, the packet will be dropped by the firewall.

 

For a better understanding of the issue, please attach the output of show run interface so that we can understand the configuration. Also let us know whether you were able to capture traffic on the ASA (steps mentioned in my previous reply).

 

Thanks,

R.Seth 

I did a capture for the drops and for the interface; neither showed the expected results. I then opened SDM, went to monitoring and put the Nexus as the source IP filter, and sure enough it showed packets passed and dropped when the ping was launched.

I can't traceroute from the Nexus, perhaps because there is only a management VRF. Even the management interface that I can ping can't be tracerouted.

Hi Majed,

 

From your update I now understand that you tried capturing traffic on the ASA and did not receive any packets. If this is the case, then you should check whether the routing is correct.

Also if possible share the interface config, packet tracer output and capture output.

Thanks,
R.Seth

Here is the config of the interfaces in question:

The management interface:

interface GigabitEthernet0/1.11
 vlan 11
 nameif Management_LAN
 security-level 99
 ip address 10.0.11.1 255.255.255.0

The new interface:

interface GigabitEthernet0/1.17
 vlan 17
 nameif skko_test
 security-level 71
 ip address 10.0.180.1 255.255.255.0


From the Nexus I ping:

ping 10.0.181.1 vrf management
PING 10.0.181.1 (10.0.181.1): 56 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out

 

ping 10.0.11.1 vrf management
PING 10.0.11.1 (10.0.11.1): 56 data bytes
64 bytes from 10.0.11.1: icmp_seq=0 ttl=254 time=3.809 ms
64 bytes from 10.0.11.1: icmp_seq=1 ttl=254 time=1.305 ms
64 bytes from 10.0.11.1: icmp_seq=2 ttl=254 time=1.972 ms
64 bytes from 10.0.11.1: icmp_seq=3 ttl=254 time=1.92 ms
64 bytes from 10.0.11.1: icmp_seq=4 ttl=254 time=1.931 ms

 

On the ASA:

cap test interface skko_test match icmp any any

sh cap test

0 packet captured

0 packet shown

The Nexus is connected to a switch and then to the ASA. I added the new VLAN to the trunks in both switches.

I rechecked the cap test:

sh cap test

1 packet captured

   1: 08:55:53.186681 802.1Q vlan#17 P0 10.0.11.6 > 10.0.180.1: icmp: echo request
1 packet shown


But it's not the result of pings from the Nexus, as when I make new pings the packet capture does not increase, although 10.0.11.6 is the Nexus.

In packet-tracer the packet is allowed.

Who is doing the routing for the Nexus (sh ip ro vrf management)? Can you also post a show route on the ASA?

 

From what you posted, most likely the packets will first reach the Management_LAN and then traverse the ASA to the skko_test interface, which would not be allowed - see previous posts.

 

Even if you had a specific route for the Nexus to reach the skko_test interface directly, most probably the return route would be through the Management_LAN, which would break the uRPF rule on the ASA.

 

Traian
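The rule described in the two replies above (an echo to an interface address is only answered when it arrives on that same interface, and then only if the interface's icmp rules permit the source) as an added Python model; this is not code from the thread or from Cisco, and the config fragment is constructed from the interface blocks posted here plus assumed icmp lines.

```python
import ipaddress

# Constructed ASA config fragment, modelled on the two sub-interfaces posted in the thread.
ASA_CONFIG = """
interface GigabitEthernet0/1.11
 nameif Management_LAN
 ip address 10.0.11.1 255.255.255.0
interface GigabitEthernet0/1.17
 nameif skko_test
 ip address 10.0.180.1 255.255.255.0
icmp permit any Management_LAN
icmp permit 10.0.180.0 255.255.255.0 echo skko_test
"""

def parse_asa(config):
    """Return ({nameif: IPv4Interface}, [(action, source_network, nameif)])."""
    interfaces, icmp_rules, nameif = {}, [], None
    for parts in (line.split() for line in config.splitlines()):
        if not parts:
            continue
        if parts[0] == "interface":
            nameif = None  # a new interface block starts
        elif parts[0] == "nameif":
            nameif = parts[1]
        elif parts[:2] == ["ip", "address"] and nameif:
            interfaces[nameif] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif parts[0] == "icmp":  # icmp {permit|deny} {any|ip mask} [type] if_name
            net = ipaddress.ip_network("0.0.0.0/0" if parts[2] == "any" else f"{parts[2]}/{parts[3]}")
            icmp_rules.append((parts[1], net, parts[-1]))
    return interfaces, icmp_rules

def ping_to_box(interfaces, icmp_rules, src, dst):
    """Model the to-the-box ICMP check for an echo from src to dst; returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Ingress interface: the connected subnet holding the source (longest prefix wins).
    ingress = max((n for n, i in interfaces.items() if src in i.network),
                  key=lambda n: interfaces[n].network.prefixlen, default=None)
    target = next((n for n, i in interfaces.items() if i.ip == dst), None)
    if target is None:
        return "through-the-box", f"{dst} is not an ASA interface IP; ACLs and routes decide"
    if target != ingress:  # the rule the thread runs into
        return "dropped", f"{dst} belongs to {target} but the echo arrived on {ingress}"
    rules = [(a, n) for a, n, i in icmp_rules if i == ingress]
    if not rules:  # no icmp list on this interface: all ICMP to the box is accepted
        return "allowed", f"no icmp rules on {ingress}, echo answered"
    for action, net in rules:
        if src in net:
            return ("allowed" if action == "permit" else "dropped"), f"icmp {action} matched on {ingress}"
    return "dropped", f"no matching icmp rule on {ingress} (implicit deny)"
```

Running it with the Nexus address from the thread reproduces what was observed: 10.0.11.6 to 10.0.11.1 is answered, 10.0.11.6 to 10.0.180.1 is dropped because the echo arrives on Management_LAN.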

 

nexus# sh ip ro vrf management
IP Route Table for VRF "management"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]

0.0.0.0/0, ubest/mbest: 1/0
    *via 10.0.11.1, [1/0], 3w6d, static
10.0.11.0/24, ubest/mbest: 1/0, attached
    *via 10.0.11.6, mgmt0, [0/0], 3w6d, direct
10.0.11.6/32, ubest/mbest: 1/0, attached
    *via 10.0.11.6, mgmt0, [0/0], 3w6d, local

On the ASA:

 

D EX 172.17.32.0 255.255.224.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 172.17.0.0 255.255.224.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 172.16.0.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
C    172.16.1.0 255.255.255.240 is directly connected, outside
D EX 172.18.2.192 255.255.255.192
           [170/3328] via 172.16.1.1, 602:28:50, outside
D EX 172.18.2.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 172.18.3.0 255.255.255.0 [170/3328] via 172.16.1.1, 602:28:50, outside
C    192.168.201.0 255.255.255.0 is directly connected, IP-Telefon
C    10.0.10.0 255.255.255.0 is directly connected, Admin
C    10.0.11.0 255.255.255.0 is directly connected, Management_LAN
D EX 10.0.12.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 10.96.99.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
C    10.0.0.0 255.255.255.0 is directly connected, FW-Servers

D    10.1.32.32 255.255.255.240 [90/3328] via 172.16.1.3, 602:28:53, outside
                                [90/3328] via 172.16.1.1, 602:28:53, outside
D    10.1.32.48 255.255.255.240 [90/3072] via 172.16.1.3, 602:28:53, outside
                                [90/3072] via 172.16.1.1, 602:28:53, outside
D    10.1.32.3 255.255.255.255 [90/130816] via 172.16.1.3, 602:28:53, outside

C    10.0.126.0 255.255.255.0 is directly connected, FW-KMC
D EX 10.16.99.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:53, outside
C    10.0.130.0 255.255.255.0 is directly connected, FW-Appl
C    10.0.128.0 255.255.255.0 is directly connected, FW-Face
C    10.0.132.0 255.255.255.0 is directly connected, FW-DB
C    10.0.180.0 255.255.255.0 is directly connected, skko_test
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.1.1, outside

 

I don't know what the uRPF rule is, but it sounds like it is broken?

Hi Majed,

 

From the data provided, I think this is your setup:

 

[Nexus]------(Management_LAN)[ASA](skko_test)-----------------[10.0.181.1]


>> Now for this setup check the routing on the ASA.
>> ACLs on the ASA.
>> Output of the command:
packet in Management_LAN icmp nexus_ip 8 0 10.0.181.1

 

Share some details about how the traffic is going to flow from the ASA and what route you have on the ASA for 10.0.181.1.

 

Thanks,

R.Seth

There is no command that starts with packet; there is packet-tracer.

The ACL is permit ip any any.

The setup is as follows: vSphere, Nexus (vrf management), the Cisco switch, then the ASA.

The servers in the 10.0.180.0/24 subnet are supposed to reach the ASA and from there go either to the outside or to other VLANs.

Hi Majed,

 

Please attach the packet-tracer output, using the command below.

The ASA will auto-complete all the keywords.

packet in Management_LAN icmp nexus_ip 8 0 10.0.181.1

 

Thanks,
