Cisco Support Community
Community Member

ASA 5020 Interface issue

I have 2 interfaces on an ASA 5020. One external and one internal.
External is on a C mask and internal is on a /23 mask.

I am inside another firewall so I have NAT setup and I have any to any between the interfaces.

Each interface talks to its side of the network but it seems that the 2 interfaces are not talking to each other. I can ping to each side with no problem with the correct interface but if I use the interface interface to ping out it doesn't work and the same with using the prod interface with pinging internally.

Not sure what I am missing.  


Super Bronze

Hi,

If your problem is that you can not PING a remote interface then that is by design and can not be made to work with any configuration.


What I specifically mean is that you can only PING the interface behind which you are located. If your host is behind "inside" interface it can PING the "inside" interface IP address but not the "outside" interface IP address. To be able to PING the "outside" interface IP address the host must be in a subnet that is located/found behind the "outside" interface.


Hope this helps :)


- Jouni

Community Member

Jouni,

Here is my issue then.  From a Windows server within the inside interface, I am not getting out to the internet.  How can I figure out where my issue is?

Like I said there is a production ASA in the front of all of this and those engineers say the problem is not them.



You could run a packet tracer and see what that shows.  Enter the following command by adding the relevant interface name for the ingress interface where the server is connected to, and the server's private IP.

packet-tracer input <interface name> tcp <windows server IP> 12345 <destination IP> 80 detailed

The output should give you an idea if there is a drop for the traffic passing through your ASA...or not.  And it should give us an idea where to start looking if there is a drop.  If you want help looking at the output, please post the full output here (remove any public IPs).


Please remember to select a correct answer and rate helpful posts
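
One way to read the packet-tracer output discussed above, as an added example that is not part of the original thread: a short Python parser that reports the first phase with a DROP result and the drop reason from the final summary. The sample output is constructed in the layout the ASA prints, using a documentation-range address, and the function names are this example's own.

```python
import re
# Constructed sample in the layout the ASA prints; the address is a documentation range.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.0.2.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per phase and the final Result block."""
    phases, summary, current = [], {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line.strip())
        if not m:
            continue  # config and free-text lines carry no "key:" prefix
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "phase":
            current = {"phase": int(value)}
            phases.append(current)
        elif key == "result" and value == "":
            current = summary  # a bare "Result:" opens the final summary block
        elif current is not None:
            current.setdefault(key, value)
    return phases, summary

def first_drop(text):
    """Return (phase number, phase type, drop reason) for the first DROP, or None."""
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p.get("result", "").upper() == "DROP":
            return p["phase"], p.get("type"), summary.get("drop-reason")
    return None
```

A phase type of ACCESS-LIST points at the interface ACLs, while a drop in a NAT or ROUTE-LOOKUP phase points at translation or routing configuration instead.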

