Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
839
Views
0
Helpful
7
Replies

ASA5510

Go to solution
josephschung
Level 1
Level 1

‎11-11-2010 02:58 AM - edited ‎03-11-2019 12:07 PM

Sir,

I have the below case:

PC -> Switch -> ASA5510

E0/0 is Public with security level 0

E0/1 is Inside with security level 10

E0/0 IP is 10.10.120.2 (switch VlAN gateway is 10.10.120.1)

E0/1 IP is 10.10.130.2 (switch VLAN gateway is 10.10.130.1)

PC IP is 10.10.10.11 (switch VLAN gateway is 10.10.10.1)

From PC, I can ping 10.10.130.2.

From PC, I CANNOT ping 10.10.120.2.

Any idea why?

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to josephschung

‎11-12-2010 01:58 AM 

josephschung wrote:
I attach two txt files. One for ASA and the other for switch. These information is captured from my log yesterday. Now, I cannot access the equipment, which are on the site.
VLAN999 is for PC 
VLAN120 is for Public
VLAN130 is for Inside
Also, I have checked all ports are up and without error.
Thanks.

Joseph

What is happening is that you ping from your PC. It sends packets to it's default-gateway, presumably the L3 vlan interface on the switch. The switch then routes the ping to the outside interface of the ASA because it has a L3 vlan interface for the outside subnet. So the ping gets to the outside interface of the ASA.

But the ASA has a directly connected interface in the same vlan as the PC ie. vlan 999 so it can't send the traffic back via the outside interface. Indeed it may well be very confused as to exactly what is happening.

If the PC vlan was not the management vlan, or more specifically, the PC was in a vlan that did not have an interface on the ASA, then you could add a route to the ASA to tell it to send the return traffic via it's outside interface and it would work.

However, having said that, you absolutely shouldn't do that because you are routing "around" the firewall rather than going through it.

As the other posters have said by default you cannot ping aross the ASA to another ASA interface. If you want to test ping to the outside interface you should do it from a device that is on the outside of the ASA.

Jon

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎11-11-2010 03:04 AM

Your PC will not be able to ping the ASA E0/0 (outside interface) as it is not supported by default to ping across the ASA interfaces. You can only ping directly connect interface of the ASA.

PC is connected to the inside interface of the ASA I believe, ie: E0/1, so PC can only ping E0/1 - 10.10.130.2.

0 Helpful

Go to solution
josephschung
Level 1
Level 1
In response to Jennifer Halim

‎11-11-2010 07:37 AM

Hi Jennifer,

I created three VLANs in the switch, one for PC, one for Public and one for Inside. No ACL between the three VLANs, so all the three VLANs should be able to communicate to each other. I can ping the Public and Inside interface from the switch. But I can ping the Inside interface from the PC only.

Both Public and Inside interfaces have ICMP enable in ASA.

Any idea?

Thanks.

0 Helpful

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee
In response to josephschung

‎11-11-2010 07:42 AM

Hello Joseph,

Ping is not allowed by default, would you please paste the config and the result of  the command sh run nat-control along with the goals to accomplish? There are a couple of insights that you may need to know prior configuring ASA`s and I will be more than glad to explain them to you.

Please paste the config and the goals.

Cheers.

Mike

Mike
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to josephschung

‎11-11-2010 07:42 AM 

josephschung wrote:
Hi Jennifer,
I created three VLANs in the switch, one for PC, one for Public and one for Inside. No ACL between the three VLANs, so all the three VLANs should be able to communicate to each other. I can ping the Public and Inside interface from the switch. But I can ping the Inside interface from the PC only.
Both Public and Inside interfaces have ICMP enable in ASA.
Any idea?
Thanks.

Joseph

When you say you created 3 vlans, do you mean L2 vlans or L2 vlans and L3 vlan interfaces ?

Can you post output from switch -

1) sh vlan brief

2) sh ip int brief

3) sh ip route

and indicate which is vlan for PC, which for inside and which for outside.

Edit - can you also post output of "sh route" from the ASA.

Jon

0 Helpful

Go to solution
josephschung
Level 1
Level 1
In response to Jon Marshall

‎11-11-2010 05:30 PM

I attach two txt files. One for ASA and the other for switch. These information is captured from my log yesterday. Now, I cannot access the equipment, which are on the site.

VLAN999 is for PC

VLAN120 is for Public

VLAN130 is for Inside

Also, I have checked all ports are up and without error.

Thanks.

75123-asa01.txt.zip
0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to josephschung

‎11-12-2010 01:58 AM 

josephschung wrote:
I attach two txt files. One for ASA and the other for switch. These information is captured from my log yesterday. Now, I cannot access the equipment, which are on the site.
VLAN999 is for PC 
VLAN120 is for Public
VLAN130 is for Inside
Also, I have checked all ports are up and without error.
Thanks.

Joseph

What is happening is that you ping from your PC. It sends packets to it's default-gateway, presumably the L3 vlan interface on the switch. The switch then routes the ping to the outside interface of the ASA because it has a L3 vlan interface for the outside subnet. So the ping gets to the outside interface of the ASA.

But the ASA has a directly connected interface in the same vlan as the PC ie. vlan 999 so it can't send the traffic back via the outside interface. Indeed it may well be very confused as to exactly what is happening.

If the PC vlan was not the management vlan, or more specifically, the PC was in a vlan that did not have an interface on the ASA, then you could add a route to the ASA to tell it to send the return traffic via it's outside interface and it would work.

However, having said that, you absolutely shouldn't do that because you are routing "around" the firewall rather than going through it.

As the other posters have said by default you cannot ping aross the ASA to another ASA interface. If you want to test ping to the outside interface you should do it from a device that is on the outside of the ASA.

Jon

0 Helpful

Go to solution
josephschung
Level 1
Level 1
In response to Jon Marshall

‎11-16-2010 03:55 AM

Thanks.Your idea works fine.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card