
Pinging from ASA using Interface as Source - Packet-Tracer

Hi There,

I have the following Interfaces and routes.


interface GigabitEthernet0/0.127
 vlan 127
 nameif Vlan127
 security-level 50
 ip address 192.168.127.1 255.255.255.0
!
interface GigabitEthernet0/0.128
 vlan 128
 nameif Vlan128
 security-level 50
 ip address 192.168.128.1 255.255.255.0
!
interface GigabitEthernet0/0.129
 vlan 129
 nameif Vlan129
 security-level 50
 ip address 192.168.129.1 255.255.255.0
!
interface GigabitEthernet0/0.250
 description Vid_Conf
 vlan 250
 nameif vlan250
 security-level 100
 ip address 10.44.250.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.27.100.160 255.255.252.0


route outside 0.0.0.0 0.0.0.0 217.x.x.x
route inside 10.0.0.0 255.0.0.0 172.27.100.10 1
route inside 172.16.0.0 255.240.0.0 172.27.100.10 1


I'm running a packet tracer to see if I can ping one of my inside networks using the vlan interface IP as the source.


 packet-tracer input vlan250 icmp 10.44.250.1 8 0 172.27.4.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.240.0.0     inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: vlan250
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Should I be able to use the VLAN250 Interface IP as the source?

If I use another address within that network, the packet tracer allows the ICMP. See below.


# packet-tracer input vlan250 icmp 10.44.250.10 8 0 172.27.4.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.240.0.0     inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:

and so forth...


1 REPLY
I believe you can only source traffic from the ASA itself on the interface which is the correct egress to the target network (when that target is a connected network).

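When comparing packet-tracer runs like the two above, the useful facts are the phase at which the verdict changed (phase 2, ACCESS-LIST, in the failing run) and the drop reason from the trailing summary. The small parser below, an added example that is not part of the original thread or of any Cisco tool, pulls those out of the text so the two runs can be diffed or checked in a script. The two sample outputs are constructed from the question (the ALLOW run is abbreviated to three phases); the function names are my own.

```python
"""Parse Cisco ASA packet-tracer text into phases and a final verdict."""

# Constructed sample: the failing run from the question (source = vlan250 interface IP).
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.240.0.0     inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: vlan250
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: the passing run (source = a host in 10.44.250.0/24), truncated.
SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.240.0.0     inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
"""


def parse_packet_tracer(text):
    """Return {'phases': [...], 'summary': {...}} from packet-tracer output.

    Each phase dict carries phase number, type, subtype, result and the
    multi-line 'Config:' and 'Additional Information:' blocks as line lists.
    The trailing 'Result:' block (if present) becomes the summary dict.
    """
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":  # bare 'Result:' starts the final summary block
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, val = line.partition(":")
            summary[key.strip().lower()] = val.strip()
            continue
        if current is None:
            continue
        for field in ("Type", "Subtype", "Result"):
            if line.startswith(field + ":"):
                current[field.lower()] = line.split(":", 1)[1].strip()
                section = None
                break
        else:
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section:
                current[section].append(line)  # keep ASA's own indentation
    return {"phases": phases, "summary": summary}


def first_drop(parsed):
    """The first phase whose Result is DROP, or None if every phase allowed."""
    return next((p for p in parsed["phases"] if p["result"] == "DROP"), None)


def verdict(text):
    """One-line verdict: which phase dropped the flow and why, or ALLOW."""
    parsed = parse_packet_tracer(text)
    drop = first_drop(parsed)
    if drop is None:
        return "ALLOW through %d phases" % len(parsed["phases"])
    reason = parsed["summary"].get("drop-reason", "no drop-reason in summary")
    return "DROP at phase %d (%s): %s" % (drop["phase"], drop["type"], reason)


if __name__ == "__main__":
    print(verdict(SAMPLE_DROP))
    print(verdict(SAMPLE_ALLOW))
```

Running it prints the ACCESS-LIST drop for the interface-sourced run and an ALLOW for the host-sourced run, which is exactly the difference the question is about. The check the reply points to is a different one: an ASA sources its own pings from the egress interface, so `ping inside 172.27.4.1` on the ASA (not a packet-tracer entering on vlan250) is the way to test reachability of that inside network from the firewall itself.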