Cisco Support Community
Community Member

ASA 5525 unable to communicate from internal network to secondary network

Find the ASA int configuration. All networks are getting internet, but from the 5.0 network to the 40.0 network we are unable to access, and from the 5.0 and 40.0 network interface we are not able to ping.


CISCOASA-5525# sh run int
interface GigabitEthernet0/0
 description WAN1
 nameif outside
 security-level 0
 ip address X.X.X.X
interface GigabitEthernet0/1
 description LAN
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 description DMZ
 nameif DMZ
 security-level 100
 ip address
interface GigabitEthernet0/3
 description HOSecondary
 nameif HOSecondary
 security-level 0
 ip address

Super Bronze

I am not really sure if I follow. Can you clarify what traffic doesn't work, and please share more than just the interface configurations.


Also with regards to the PING. If you mean that networks and can't ping the interface IP address of then this is to be expected. ASA will only let you ICMP the interface behind which the user is located.


So for example a user behind DMZ can ping the interface IP address A user behind the HOSecondary interface can ping the interface IP address and so on. You can not PING an interface if you are doing the PING from behind another interface. ASA won't allow that traffic and there is no configuration command around it.


- Jouni

Community Member

Thanks for the reply

We need access for telnet purposes to ip address interface from and network users, and also we have 8 servers on network; some servers are able to ping from the 40 and 1 series, but some servers are not able to ping.


Super Bronze

You should enable management connections on the interface behind which the users needing management connections are. Instead of Telnet I would also suggest using SSH, though Telnet could be left in there perhaps in case there is some SSH related problem which would require you to use some other management connection.


Again without your configurations we are blind as to what might be the problem.


ICMP/PING is not always the ideal way to test connections as a lot of times it's either blocked at some part of the network or even on the actual hosts/servers.


If you want to go through the ASA configurations for ICMP traffic with one command then you can use the "packet-tracer" command which will tell you if the traffic is allowed by the ASA or not.


packet-tracer input <source interface> icmp <source ip> 8 0 <destination ip>


In the above command you should insert the following information

  • <source interface> = The interface "nameif" behind which the <source ip> address is located
  • <source ip> = The IP address of the host that is sending the ICMP
  • <destination ip> = The IP address towards which the ICMP is sent.


If you have allowed all traffic with ACLs then the problem is likely to be on the actual hosts.


Notice that if you configure interfaces with identical (same value) "security-level" values then you will need an additional command to permit traffic between the interfaces. I notice that you have above at least 2 internal interfaces with the same "security-level 100". If you have traffic between these interfaces then you need the configuration command


same-security-traffic permit inter-interface


The other option is to change it so that you don't have identical "security-level" values, in which case you need interface ACLs to allow the traffic from lower -> higher "security-level" interface.


- Jouni
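
The security-level rules from the reply above, as an added example that is not part of the thread: a Python sketch that reads the "nameif" / "security-level" pairs from "sh run int" output and reports, for each source and destination interface, what the ASA requires before it will pass the traffic. The function names are hypothetical and the sample is constructed from the interface names and levels shown in the question.

```python
import re
from itertools import permutations
# Constructed sample: the nameif/security-level lines from the question's
# "sh run int" output (descriptions and the elided addresses left out).
SAMPLE = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif DMZ
 security-level 100
interface GigabitEthernet0/3
 nameif HOSecondary
 security-level 0
"""
CMD = "same-security-traffic permit inter-interface"
DEFAULT = "permitted by default unless an interface ACL denies it"

def parse_interfaces(config):
    """Return {nameif: security-level} from 'show run interface' text."""
    levels, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None                      # new stanza, forget previous nameif
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def requirement(levels, src, dst, inter_interface):
    if levels[src] == levels[dst]:           # equal levels need the global command
        return DEFAULT if inter_interface else f"needs: {CMD}"
    if levels[src] < levels[dst]:            # lower -> higher is not implicit
        return f"needs: interface ACL on {src} permitting the flow"
    return DEFAULT                           # higher -> lower

def audit(config):                           # every (src, dst) pair -> requirement
    inter = any(line.strip() == CMD for line in config.splitlines())
    levels = parse_interfaces(config)
    return {(s, d): requirement(levels, s, d, inter)
            for s, d in permutations(levels, 2)}

if __name__ == "__main__":
    for (s, d), need in audit(SAMPLE).items():
        print(f"{s:>11} -> {d:<11} {need}")
```

The result only reflects the security-level logic; the "packet-tracer" command from the reply is still the check that covers ACLs, NAT and routing on the actual device.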

