the ASA5520 is *not* a router. And it is *not* possible to ping an ASA interface other than the one which is closest to you.

Hi Steven, I disagree with you on " it is *not* possible to ping an ASA interface other than the one which is closest to you".

Perhaps I am missunderstanding it.

For instance, you may have two same security level interaces under two difference subnets and be able to ping accross each other including their respective physical interfaces in the case of implementing same-security-traffic permit inter-interface.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167

Thank you very much for your input. I have configured the ASA with two interfaces. I have set the interfaces within the same trusted level (100). And I checked the radiobutton that the firewall can accept traffic through interfaces that have the same security level. The configuration of the interfaces is:

Interface 1:

IP: 192.168.1.1

Mask: 255.255.255.0

Interface 2:

IP: 172.16.1.1

Mask: 255.255.240.0

This is my test environment. I only configured the interfaces, not rules or anything like that. A ping command within the same subnet is possible but from one interface to the other is not possible. I want to create a DMZ with the ASA as frontend firewall and an ISA server as backend firewall. This means that the interfaces must communicate in order to send traffic from the internet to DMZ to LAN and the other way around.

Lets put aside for a minute pinging interfaces accross, do you have vlans for each of these networks configured on your inside switch? can a host from 192.168.1.x net freely ping another host on 172.16.1.x network and vice versa?

I haven't configured vlans. Is that a requirement to ping from one interface to the other? At the moment it is not possible to ping from one host in 192.168.1.x to a host on 172.16.1.x and vice versa. Thanks.

you need to separate the networks with respective VLANS.. where does your ASA interfaces currently connects to in respect to your inside interfaces.

e.g

ASA_firewall

Interface ethernet2-or-gigabit

nameif VLAN2

security-level 0

ip address 192.168.1.1 255.255.255.0

Interface ethernet3-or-gigabit

nameif VLAN3

security-level 0

ip address 172.16.1.1 255.255.240.0

same-security-traffic permit inter-interface

global (outside) 1 interface

nat(VLAN2) 1 192.168.1.0 255.255.255.0

nat(VLAN3) 1 172.16.1. 255.255.255.240

e.g on switch similar config

Switch:

vlan database

vtp transparent

vtp domain test_lab

vtp password cisco

vlan 2 name net_192.168.1.0/24

vlan 3 name net_172.16.1.0/28

interface fastethernet0/1

Description ASA_Ethernet2_Connection

switchport access vlan 2

interface fastethernet0/2

Description ASA_Ethernet3_Connection

switchport access vlan 3

interface fastethernet0/4

Description HOST_192.168.1.100

switchport access vlan 2

interface fastethernet0/5

Description HOST_172.16.1.10

switchport access vlan 3

with this simple config you should be able to ping/reach hosts without acls, if you cannot please look at asa logs to see what the problem could be, post results.

Thank you very much. I will try this configuration. I will let you know if this configuration has worked for me.

Hi, have your test being successfull let me know what the update is.

Rgds

Jorge

Hi,

Me and my colleague are gonna start monday with the initial installation. I will let you know somewhere next week if the configuration has worked. Thank you very much!

Regards

Martijn

Martijn, not problem we are here to help you in this issue , I'll keep my eyes opened.

Rgds

Jorge