I am having trouble pinging from one zone to another
Zone-Management cannot ping Zone-Inside and vice versa. At first I was able to ping the management PC but couldn't ping the inside PC. I have played around with the service policy and ACL but no luck. Any help would be appreciated.
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif management
 security-level 100
 ip address 192.168.100.5 255.255.255.0
!
interface GigabitEthernet1
 nameif INSIDE
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet2
 nameif OUTSIDE
 security-level 0
 ip address 22.214.171.124 255.255.255.0
!
interface GigabitEthernet3
 nameif DMZ
 security-level 50
 ip address 172.20.20.1 255.255.255.0
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Network
 host 192.168.200.0
object network test
 host 192.168.0.0
object network ASA-Gateway
 host 126.96.36.199
object network Management-Gateway
 host 188.8.131.52
object-group icmp-type SG-ICMP
 icmp-object echo
 icmp-object echo-reply
access-list LAN-WAN-FTP extended permit tcp any any eq ftp
access-list management_access_in extended permit tcp any 184.108.40.206 255.255.255.0 eq telnet
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
access-group management_access_in in interface management
route OUTSIDE 0.0.0.0 0.0.0.0 220.127.116.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.100.10 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map global-class
 match any
!
!
policy-map global-policy
 class global-class
  inspect icmp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email email@example.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
access-list management_access_in extended permit tcp any 18.104.22.168 255.255.255.0 eq telnet
...on your management interface. That will prohibit other traffic from being originated on hosts connected via that interface.
You can check the flow through the ASA for a given protocol, source address, destination address, etc. using the packet-tracer CLI utility. It will highlight which step is failing in establishing the flow. See this link for reference.
I agree with Marvin's observation about your ACL. That's the most obvious thing to change, because it affects the ASA's default behavior, which is to allow traffic through the ASA if it's going out an interface with a lower security level and let the stateful return traffic back in that interface. In fact, since your ACL is allowing Telnet to go out the outside interface (which has the lowest security level), the default behavior (no ACL required) would already allow that, and the ACL you have in place is only necessary if your intent is to restrict Telnet to only the 22.214.171.124/24 subnet and no other addresses.
Regarding your change to the service policies, I would suggest that unless you have good reason to, removing the standard inspections is probably not a good idea. They are there by default for a reason. Adding ICMP to the list is fine, and something I've done frequently, but without good reason otherwise, I would add the other default protocols back in.
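To make the two answers above concrete, here is an added example (written for this page, not Cisco code or anything posted in the thread) that models the two ingress checks they describe: the ACL bound inbound on the management interface with its implicit deny, and the security-level comparison the ASA falls back to when no ACL is bound, including the `same-security-traffic permit inter-interface` setting from the question's configuration. It evaluates a handful of constructed flows against the original `management_access_in` ACL and against an assumed amended version that also permits the echo/echo-reply types already collected in the question's `SG-ICMP` object-group. NAT, routing and the stateful return path are deliberately out of scope, which is why a flow that passes here can still fail in a later packet-tracer phase; the INSIDE host address 192.168.200.10 and the outside client 203.0.113.7 are constructed.

```python
"""
Model of two ASA ingress checks: the inbound interface ACL (implicit deny at the
end) and the security-level rule used when no ACL is bound. Written for this
page as an illustration; not Cisco code. NAT, routing and return traffic are
out of scope.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Interface security levels from the question's configuration.
INTERFACES = {"management": 100, "INSIDE": 100, "OUTSIDE": 0, "DMZ": 50}
# The configuration also carries 'same-security-traffic permit inter-interface'.
SAME_SECURITY_INTER_INTERFACE = True


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto 'ip' matches every protocol."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None                  # tcp/udp destination port
    icmp_types: Optional[FrozenSet[str]] = None  # icmp types; None = any type


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection as seen by the ASA."""
    ingress: str
    egress: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def net(text: str) -> ipaddress.IPv4Network:
    # strict=False lets 'host/mask' as written in the ACL normalise to its /24.
    return ipaddress.ip_network(text, strict=False)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto not in ("ip", flow.proto):
        return False
    if ipaddress.ip_address(flow.src) not in ace.src:
        return False
    if ipaddress.ip_address(flow.dst) not in ace.dst:
        return False
    if ace.proto in ("tcp", "udp") and ace.dport is not None and ace.dport != flow.dport:
        return False
    if ace.proto == "icmp" and ace.icmp_types is not None and flow.icmp_type not in ace.icmp_types:
        return False
    return True


def evaluate(flow: Flow, acls: dict) -> tuple:
    """Return (permitted, reason) for the ACCESS-LIST step of a new flow."""
    acl = acls.get(flow.ingress)
    if acl is not None:
        # An ACL bound inbound replaces the security-level default on that interface.
        for ace in acl:
            if ace_matches(ace, flow):
                return (ace.action == "permit", f"matched explicit {ace.action}")
        return (False, "implicit deny at end of access-list")
    src_level, dst_level = INTERFACES[flow.ingress], INTERFACES[flow.egress]
    if src_level > dst_level:
        return (True, "higher to lower security level, no ACL required")
    if src_level == dst_level and SAME_SECURITY_INTER_INTERFACE:
        return (True, "equal security levels, same-security-traffic permitted")
    return (False, "lower to higher security level needs an explicit permit")


ANY = net("0.0.0.0/0")

# The single entry bound to 'management' in the question: only Telnet is permitted,
# so every other protocol (ICMP included) hits the implicit deny.
ORIGINAL_ACLS = {
    "management": [Ace("permit", "tcp", ANY, net("184.108.40.206/255.255.255.0"), dport=23)],
}
# Assumed remediation: keep the Telnet entry and add echo/echo-reply (the types in SG-ICMP).
AMENDED_ACLS = {
    "management": ORIGINAL_ACLS["management"]
    + [Ace("permit", "icmp", ANY, ANY, icmp_types=frozenset({"echo", "echo-reply"}))],
}

# Constructed flows: 192.168.100.10 is the ASDM host in the config; the rest are assumed.
PING_MGMT_TO_INSIDE = Flow("management", "INSIDE", "icmp", "192.168.100.10", "192.168.200.10", icmp_type="echo")
PING_INSIDE_TO_MGMT = Flow("INSIDE", "management", "icmp", "192.168.200.10", "192.168.100.10", icmp_type="echo")
TELNET_MGMT_TO_OUTSIDE = Flow("management", "OUTSIDE", "tcp", "192.168.100.10", "184.108.40.206", dport=23)
SSH_MGMT_TO_INSIDE = Flow("management", "INSIDE", "tcp", "192.168.100.10", "192.168.200.10", dport=22)
HTTP_OUTSIDE_TO_INSIDE = Flow("OUTSIDE", "INSIDE", "tcp", "203.0.113.7", "192.168.200.10", dport=80)

if __name__ == "__main__":
    cases = [("ping mgmt->INSIDE", PING_MGMT_TO_INSIDE), ("ping INSIDE->mgmt", PING_INSIDE_TO_MGMT),
             ("telnet mgmt->OUTSIDE", TELNET_MGMT_TO_OUTSIDE), ("ssh mgmt->INSIDE", SSH_MGMT_TO_INSIDE),
             ("http OUTSIDE->INSIDE", HTTP_OUTSIDE_TO_INSIDE)]
    for name, flow in cases:
        for label, acls in (("original", ORIGINAL_ACLS), ("amended", AMENDED_ACLS)):
            ok, why = evaluate(flow, acls)
            print(f"{name:22s} {label:9s} {'PERMIT' if ok else 'DROP':7s} {why}")
```

Running it shows the symptom from the question: the echo from the management PC is dropped by the implicit deny as long as the only entry is the Telnet permit, while the reverse direction passes the security-level check because both interfaces sit at level 100 and inter-interface same-security traffic is permitted. The amended ACL lets the echo through without widening anything else (SSH from management to INSIDE still drops), which is the narrow change the two replies point at; whether the packet then survives NAT, routing and the ICMP inspection is exactly what packet-tracer on the ASA itself would tell you.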