Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Can't ping the inside address of the ASA

Guys -

Below is a config of my ASA 5505. The ASA has a site-2-site tunnel with the corporate. From the coporate, I am able to ping every host behind the ASA 5505 but not the inside address of the ASA. And therefore I am also not able to ssh to the inside address.

Any ideas??

ASA Version 7.2(4)

!

hostname Site-ASA

domain-name abc.local

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 172.24.80.1 255.255.255.192

!

interface Vlan2

nameif outside

security-level 0

ip address XXX.XXX.XXX.XXX 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name aem.local

same-security-traffic permit intra-interface

access-list AEM2FJDC extended permit ip 172.24.80.0 255.255.255.192 192.168.254.0 255.255.255.0

access-list AEM2FJDC extended permit ip 172.24.80.0 255.255.255.192 192.168.248.0 255.255.255.0

access-list AEM2FJDC extended permit ip 172.24.80.0 255.255.255.192 172.16.108.0 255.255.255.0

access-list AEM2FJDC extended permit ip 172.24.80.0 255.255.255.192 172.16.110.0 255.255.254.0

access-list AEM2FJDC extended permit ip 172.24.80.0 255.255.255.192 26.26.26.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list AEM2FJDC

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac

crypto map VPNMAP 10 match address AEM2FJDC

crypto map VPNMAP 10 set peer XXX.XXX.XXX.XXX

crypto map VPNMAP 10 set transform-set 3desmd5

crypto map VPNMAP interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 172.24.80.0 255.255.255.192 inside

telnet timeout 5

ssh 172.16.110.0 255.255.254.0 inside

ssh 192.168.254.0 255.255.255.0 inside

ssh 172.24.80.0 255.255.255.192 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd dns 192.168.254.50 192.168.254.16

dhcpd wins 192.168.254.50 192.168.254.16

dhcpd lease 28800

dhcpd domain abc.local

!

dhcpd address 172.24.80.11-172.24.80.62 inside

dhcpd enable inside

!

username admin password YgCxRI4lQ4ZKOS2I encrypted

tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l

tunnel-group XXX.XXX.XXX.XXX ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Can't ping the inside address of the ASA

You need "management-access inside" configure on your ASA to access the inside interface through the IPSEC Tunnel.

Please refer the below URL for details:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1794331

Regards,

Arul

** Please rate all helpful posts **

4 REPLIES
Cisco Employee

Re: Can't ping the inside address of the ASA

You need "management-access inside" configure on your ASA to access the inside interface through the IPSEC Tunnel.

Please refer the below URL for details:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1794331

Regards,

Arul

** Please rate all helpful posts **

Community Member

Re: Can't ping the inside address of the ASA

Hi, May I know what is a use of Management access command and basically when it require to enable it?? Thanks

Cisco Employee

Re: Can't ping the inside address of the ASA

Generally, you cannot telnet,ping inside Interface from outside, however when you are coming over a VPN tunnel then you may require to telnet/ping/connect to inside interface, therefore management-access command ensures you are able to do so

Community Member

Re: Can't ping the inside address of the ASA

Thnaks!

284
Views
5
Helpful
4
Replies
CreatePlease to create content