Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
360
Views
13
Helpful
6
Replies

Unable to ping inside interface IP from a subnet behind the outside interface

jadesha.jeer1
Level 1
Level 1

‎09-10-2015 04:09 AM - edited ‎03-11-2019 11:34 PM

Hi guys,

 

There is a ASA installed in our network, it consist of three interfaces inside, outside and DMZ. I want to ping inside interface IP from subnet's which are behind the outside/DMZ interface but for some reason I'm not able to ping. I have allowed icmp in all interfaces and allowed those subnets in ACL's.

 

Could anyone please help with this, it will be great help.

 

Thanks- Jadesh

Labels:
0 Helpful
6 Replies 6

Karsten Iwen
VIP
VIP

‎09-10-2015 05:27 AM

Works as designed ... The ASA doesn't allow to ping a remote interface from a different interface. You only can ping the interface that is nearest to you. 

jadesha.jeer1
Level 1
Level 1
In response to Karsten Iwen

‎09-10-2015 06:12 AM

Hey Karsten,

 

Thank you for the information.

 

By chance is there any way/tweak which can make this possible i.e. which can make ping inside interface IP from subnet's which are behind other interface.

 

Thanks- Jadesh

0 Helpful

Karsten Iwen
VIP
VIP
In response to jadesha.jeer1

‎09-10-2015 07:35 AM

> By chance is there any way/tweak which can make this possible i.e. which can make ping inside interface IP from subnet's which are behind other interface.

For sure! You could build a VPN-tunnel from your client-location to a VPN-gateway located on the inside of your network. Now you ping through this tunnel and it will work!

Well, obviously not what you are looking for ... What about rethinking about your requirement? Why do you have to ping the inside interface?

jadesha.jeer1
Level 1
Level 1
In response to Karsten Iwen

‎09-10-2015 07:51 AM

Well, I would have to rethink about my requirement now I guess.

But for the VPN-tunnel solution, do I have to create VPN-tunnel from inside interface ip itself or any other ip which is behind the inside interface ?

 

Thanks- Jadesh

0 Helpful

Karsten Iwen
VIP
VIP
In response to jadesha.jeer1

‎09-10-2015 08:14 AM

> But for the VPN-tunnel solution, do I have to create VPN-tunnel from inside interface ip itself or any other ip which is behind the inside interface ?

Well, that suggestion (with an extra VPN-gateway in the internal network) was more to show that it's not worth to try to trick the ASA. Eventually the ASA will win!

But: Yes, if you build a VPN to the ASA, You can access the inside interface through the tunnel directly. That works with the help of the "management-access" function. 

> Well, I would have to rethink about my requirement now I guess.

Should be the better way to address this problem.

jadesha.jeer1
Level 1
Level 1
In response to Karsten Iwen

‎09-10-2015 08:21 AM

Thank you so much Karsten for all your replies. It has helped me a lot. I'll let you know about the conclusion on this requirement.

 

Thanks again... :) cheers

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card