11-04-2011 10:10 AM - edited 03-11-2019 02:46 PM
I have a problem with routing.
My ASA 5510 is at IP 192.168.1.20
I also have a router at IP address 192.168.1.30
I have created static routes on the ASA for network 10.1.1.0 and network 10.1.10.1 to the gateway 192.168.1.30.
Problem: I cannot ping the 10.1.1.0 and 10.1.10.1 networks...
In the logging I get an inbound ICMP deny message.
I have opened everything on the inbound Inside interface.
Why can't I reach those networks?
My computer's gateway is the ASA 192.168.1.20. Everything else is working fine (WAN to LAN and LAN to WAN)
Only the LAN to LAN thing blocks...
Thanks for your help.
11-04-2011 10:33 AM
Can you add this?
policy-map global_policy
 class inspection_default
  inspect icmp
And if it doesn't work, can you provide the NAT and ACLs that you have added?
Thanks,
Varun
11-04-2011 12:02 PM
Yes, I have added the inspect ICMP.
I have created routes like this:
route inside 10.1.1.0 255.255.255.0 192.168.1.30
route inside 10.1.10.0 255.255.255.252 192.168.1.30
Is this a problem of NAT? Do I have to create NAT rules instead of static routes?
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit icmp any any
11-04-2011 12:18 PM
No, if you are pinging from the outside interface to the inside interface, then you would need to apply these access-lists on the outside interface:
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
along with the static.
Let me know where you are pinging from, inside to outside or outside to inside?
Thanks,
Varun
11-04-2011 01:50 PM
Actually it's inside inside...
-----------------------------------------------------
My computer = 192.168.1.101
To Gateway = 192.168.1.20
Connected to subnet= 192.168.1.0
------------------------------------------------------
ASA = 192.168.1.20
Routes
route inside 10.1.1.0 255.255.255.0 192.168.1.30
route inside 10.1.10.0 255.255.255.252 192.168.1.30
Connected to subnet: 192.168.1.0 and WAN
-----------------------------------------------------
Router= 192.168.1.30
Connected to subnet 10.1.1.0 and 10.1.10.0
Hope it makes more sense
11-04-2011 02:08 PM
Hi,
Then you must permit traffic entering an interface to exit the same interface with the global config command:
same-security-traffic permit inter-interface
Alain
11-04-2011 03:39 PM
Thanks, I'll try this and get back to you.
Sent from Cisco Technical Support iPhone App
11-04-2011 07:31 PM
Shouldn't it be intra-interface?
Sent from Cisco Technical Support iPhone App
11-04-2011 09:38 PM
Hi Jean,
You would need the following configuration then:
static (inside,inside) 10.1.1.0 10.1.1.0 norand nailed
static (inside,inside) 10.1.10.0 10.1.10.0 norand nailed
nat (inside) 10 0.0.0.0 0.0.0.0
global (inside) 10 interface
same-security-traffic permit intra-interface
sysopt noproxyarp inside
This should do.
Thanks,
Varun
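The inside-to-inside path discussed in this thread, as an added example that is not part of any post or of Cisco's own tooling: a Python check that parses the `route` lines quoted above, finds flows that enter and leave the ASA on the same interface, and reports whether `same-security-traffic permit intra-interface` is present. The /24 mask on the inside network and all function names are assumptions; it checks the routing condition only, not NAT or ACLs.

```python
import ipaddress

# Constructed sample built from the addresses and commands quoted in this thread.
SAMPLE_CONFIG = """\
route inside 10.1.1.0 255.255.255.0 192.168.1.30
route inside 10.1.10.0 255.255.255.252 192.168.1.30
same-security-traffic permit inter-interface
"""
# Assumption: the inside interface is on 192.168.1.0/24 (the mask is not given in the thread).
CONNECTED = {"inside": ipaddress.ip_network("192.168.1.0/24")}


def parse_routes(config):
    """Return (interface, network, gateway) for every 'route' line."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((parts[1], net, ipaddress.ip_address(parts[4])))
    return routes


def interface_for(addr, routes, connected):
    """Longest-prefix match over connected networks and static routes."""
    addr = ipaddress.ip_address(addr)
    candidates = [(net, ifc) for ifc, net in connected.items()]
    candidates += [(net, ifc) for ifc, net, _gw in routes]
    matches = [(net.prefixlen, ifc) for net, ifc in candidates if addr in net]
    return max(matches)[1] if matches else None


def check_flow(src, dst, config, connected=CONNECTED):
    """Classify a flow and report whether the hairpin permit is configured."""
    routes = parse_routes(config)
    ingress = interface_for(src, routes, connected)
    egress = interface_for(dst, routes, connected)
    if egress is None:
        return "no-route"
    if ingress != egress:
        return "normal"
    # Same interface in and out: the firewall must be told to allow the U-turn.
    lines = {" ".join(line.split()) for line in config.splitlines()}
    if "same-security-traffic permit intra-interface" in lines:
        return "hairpin-permitted"
    return "hairpin-blocked"
```

With the constructed sample, a flow from 192.168.1.101 to 10.1.1.5 is classified as a blocked hairpin because only the inter-interface permit is present, and 10.1.10.5 has no route at all because the quoted mask 255.255.255.252 covers only 10.1.10.0 to 10.1.10.3.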
11-07-2011 05:43 AM
It's not working, Alain.
Sent from Cisco Technical Support iPhone App
11-07-2011 05:46 AM
Now I get the error: portmap translation creation failed for icmp src
Sent from Cisco Technical Support iPhone App
11-07-2011 05:48 AM
Did you try the config I suggested? It's missing a nat statement, according to the error message.
Can you share your config with us, along with the source and the destination?
Thanks,
Varun
11-07-2011 05:53 AM
Varun,
Because the 10.1.1.0 and 10.1.10.0 are routed by the other router, not this one.
Sent from Cisco Technical Support iPhone App
11-07-2011 06:11 AM
Varun
The 10.1.1.0 and 10.1.10.0 are connected to the other router 192.168.1.30
So I can't nat this subnet on this particular ASA. So I've created routes on the ASA to route this particular traffic to the 192.168.1.30 router.
11-07-2011 08:33 AM
Any ideas?
Sent from Cisco Technical Support iPhone App