I have an ASA5510 w/ Security+ that's giving me issues with some static routes. The inside network is 192.168.1.0/24, the inside interface is 192.168.1.3. There is a second router in the network that exists at 192.168.1.180. I need any traffic destined for the subnet 192.168.20.0/24 to go to the .180 gateway. All machines use the ASA (192.168.1.3) as their gateway. I have a few routes in the ASA:
All machines are able to get on the internet, but none can reach the 20.x network. When I try to ping the 20.x network I get the following error in the logs of the ASA: Deny inbound icmp src inside:192.X.X.X dst inside:10.X.X.X (type 8, code 0)
I know my routes are programmed into the 192.168.1.180 router correctly, because if I set a machine's gateway to be 1.180, I can ping and get to the 20.x network fine. But the ASA is preventing the routes from completing. Any ideas?
No, I'm not able to reach my hosts using any protocols. I have a Fluke Etherscope which is running a webserver at 192.168.20.250, and I can't reach it. It seems like my traffic is making it there but is unable to return, due to the ASA dropping the packets, although I may be wrong about that.
Rudy, yes, that's correct. If I use my router as the gateway, everything seems to work fine. When I use the ASA as my default gateway, I can't reach (or get return packets from) the 20.x network.
Also, I guess that's correct about the ICMP-inspection policy, I never seem to be able to ping hosts on the internet.
Result of the command: "packet-tracer input inside tcp 192.168.1.181 12345 192.168.20.253 80 detail"
Forward Flow based lookup yields rule:
in id=0xab8c5d98, priority=1, domain=permit, deny=false
According to you, all machines in your inside network are not able to ping the 20.x network when the ASA is the default gateway, and it works fine if you use the router as the default gateway. Just like Marius said, are you able to reach 20.x using a different protocol? If yes, and only ICMP is not working, then it is highly likely that your ICMP policy is the cause.
I see that you have a policy map configured for inspecting icmp, but it is applied on the outside interface.
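To make the two points in this thread concrete (the static route pointing back out the inside interface, and ICMP inspection applied only on the outside interface), here is an added ASA configuration example. It is not the poster's configuration and not from the reply above; the addresses are the ones named in the thread, while the policy-map names, the class-map, and the interface names are assumptions. The first block shows the weak setting as described in the reply, the second the corrected one.

```cisco
! Added example, not the poster's config. Addresses come from the thread;
! policy-map names, class-map and interface names are assumed.

! Static route that sends 192.168.20.0/24 back out the inside interface to
! the second router on the same segment (the "180 gateway").
route inside 192.168.20.0 255.255.255.0 192.168.1.180 1

! The ASA drops traffic that enters and leaves the same interface unless this
! is set. A route whose next hop sits on "inside" needs it for inside->inside
! forwarding (the "Deny inbound ... src inside ... dst inside" symptom).
same-security-traffic permit intra-interface

! Default inspection class; present on an ASA out of the box, shown for clarity.
class-map inspection_default
 match default-inspection-traffic

! --- Weak setting, as described in the reply: ICMP inspection bound only to
! the outside interface (assumed name "outside_policy"). Echo requests leaving
! via inside are never tracked, so echo replies have no matching state.
policy-map outside_policy
 class inspection_default
  inspect icmp
service-policy outside_policy interface outside

! --- Corrected: put ICMP inspection in the global policy so every interface,
! including the intra-interface flow to 192.168.1.180, gets stateful ICMP.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

After applying the corrected block, re-run the same kind of trace the poster used, with ICMP instead of TCP, to confirm the flow is now allowed end to end: `packet-tracer input inside icmp 192.168.1.181 8 0 192.168.20.250 detail`, and check `show service-policy` to verify that `inspect icmp` counters increase on the global policy. One caveat that matches the "traffic gets there but does not return" observation: because the 192.168.1.180 router sits on the same segment as the hosts, replies from 192.168.20.x can come back router-to-host directly without ever crossing the ASA, so the ASA only sees one direction of each TCP flow and may drop later packets as out of state. If non-ICMP traffic still fails after the inspection fix, that asymmetric return path is the next thing to look at.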