09-10-2015 04:09 AM - edited 03-11-2019 11:34 PM
Hi guys,
There is an ASA installed in our network; it consists of three interfaces: inside, outside and DMZ. I want to ping the inside interface IP from subnets which are behind the outside/DMZ interface, but for some reason I'm not able to ping. I have allowed ICMP on all interfaces and allowed those subnets in the ACLs.
Could anyone please help with this? It would be a great help.
Thanks- Jadesh
09-10-2015 05:27 AM
Works as designed ... The ASA doesn't allow you to ping a remote interface from a different interface. You can only ping the interface that is nearest to you.
09-10-2015 06:12 AM
Hey Karsten,
Thank you for the information.
By chance, is there any way/tweak which can make this possible, i.e. which can make it possible to ping the inside interface IP from subnets which are behind another interface?
Thanks- Jadesh
09-10-2015 07:35 AM
> By chance, is there any way/tweak which can make this possible, i.e. which can make it possible to ping the inside interface IP from subnets which are behind another interface?
For sure! You could build a VPN tunnel from your client location to a VPN gateway located on the inside of your network. Now you ping through this tunnel and it will work!
Well, obviously not what you are looking for ... What about rethinking your requirement? Why do you have to ping the inside interface?
09-10-2015 07:51 AM
Well, I would have to rethink my requirement now, I guess.
But for the VPN tunnel solution, do I have to create the VPN tunnel from the inside interface IP itself or from any other IP which is behind the inside interface?
Thanks- Jadesh
09-10-2015 08:14 AM
> But for the VPN tunnel solution, do I have to create the VPN tunnel from the inside interface IP itself or from any other IP which is behind the inside interface?
Well, that suggestion (with an extra VPN gateway in the internal network) was more to show that it's not worth trying to trick the ASA. Eventually the ASA will win!
But: Yes, if you build a VPN to the ASA, you can access the inside interface through the tunnel directly. That works with the help of the "management-access" function.
> Well, I would have to rethink my requirement now, I guess.
Should be the better way to address this problem.
09-10-2015 08:21 AM
Thank you so much Karsten for all your replies. It has helped me a lot. I'll let you know about the conclusion on this requirement.
Thanks again... :) cheers