
Pinging from ASA using Interface as Source - Packet-Tracer

GRANT3779

Hi There,

I have the following Interfaces and routes.

 

interface GigabitEthernet0/0.127
 vlan 127
 nameif Vlan127
 security-level 50
 ip address 192.168.127.1 255.255.255.0
!
interface GigabitEthernet0/0.128
 vlan 128
 nameif Vlan128
 security-level 50
 ip address 192.168.128.1 255.255.255.0
!
interface GigabitEthernet0/0.129
 vlan 129
 nameif Vlan129
 security-level 50
 ip address 192.168.129.1 255.255.255.0
!
interface GigabitEthernet0/0.250
 description Vid_Conf
 vlan 250
 nameif vlan250
 security-level 100
 ip address 10.44.250.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.27.100.160 255.255.252.0


route outside 0.0.0.0 0.0.0.0 217.x.x.x
route inside 10.0.0.0 255.0.0.0 172.27.100.10 1
route inside 172.16.0.0 255.240.0.0 172.27.100.10 1

 

I'm running a packet tracer to see if I can ping one of my inside networks using the vlan interface IP as the source.

 

 

 packet-tracer input vlan250 icmp 10.44.250.1 8 0 172.27.4.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.240.0.0     inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: vlan250
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Should I be able to use the VLAN250 Interface IP as the source?

If I use another address within that network, the packet tracer allows ICMP. See below.

 

 

# packet-tracer input vlan250 icmp 10.44.250.10 8 0 172.27.4.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.240.0.0     inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:

and so forth...

 


Marvin Rhoads

I believe you can only source traffic from the ASA itself on the interface which is the correct egress to the target network (when that target is a connected network).
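
The two traces in the question differ only in whether the source address is one of the ASA's own interface addresses. As an added example (not from either poster), this Python helper reads saved packet-tracer output together with the interface config and reports the first dropping phase and which interface, if any, owns the traced source address. The function names and the trimmed sample input are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the config and first trace in the post.
CONFIG = """interface GigabitEthernet0/0.250
 nameif vlan250
 ip address 10.44.250.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 ip address 172.27.100.160 255.255.252.0
"""
TRACE = """packet-tracer input vlan250 icmp 10.44.250.1 8 0 172.27.4.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def interface_addresses(config):
    """Map each nameif to the static IPv4 address configured in its stanza."""
    addrs, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None  # new stanza: forget the previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            addrs[name] = ipaddress.ip_address(line.split()[2])
    return addrs

def triage(trace, config):
    """Report the first dropping phase and which interface owns the traced source IP."""
    cmd = re.search(r"packet-tracer input (\S+) \S+ (\d+(?:\.\d+){3})", trace)
    src = ipaddress.ip_address(cmd.group(2))
    phases = re.findall(r"Phase: (\d+)\s+Type: (\S+)\s+(?:Subtype:.*\n\s*)?Result: (\w+)", trace)
    drop = next(((int(n), t) for n, t, r in phases if r == "DROP"), None)
    reason = re.search(r"Drop-reason: (.+)", trace)
    own = [n for n, ip in interface_addresses(config).items() if ip == src]
    return {"input": cmd.group(1), "source": str(src), "drop_phase": drop,
            "reason": reason.group(1).strip() if reason else None, "source_owned_by": own}

if __name__ == "__main__":
    print(triage(TRACE, CONFIG))
```

A non-empty `source_owned_by` on a trace that drops at the ACCESS-LIST phase with "Implicit Rule" matches the first trace in the question; rerunning the trace with a host address from the same subnet, as the poster did, gives the comparison case.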
