Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
890
Views
0
Helpful
2
Replies

Unable to ping ASA interfaces (ASA intra-interface)

awadheshkumar
Level 1
Level 1

‎04-13-2012 05:41 AM - edited ‎03-11-2019 03:53 PM

Hi,

I can not ping the DMZ hosts from my Inside or from other interface Network and vice-versa

mention below is my ASA Config:

: Saved

:

ASA Version 8.0(5)

!

hostname Test

domain-name default.domain.invalid

dns-guard

!

interface Ethernet0/0

description + + + + Connection to Internet (Outside) + + + +

nameif outside

security-level 0

ip address 202.X.X.X 255.255.255.224

!

interface Ethernet0/1

description + + + + Connection to LAN (Inside) + + + +

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/2

nameif DMZ

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/3

description VV

nameif VV

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 172.16.1.1 255.255.255.0

management-only

!

boot system disk0:/asa805-k8.bin

no ftp mode passive

clock timezone IST 5 30

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 203.122.X.X

name-server 203.122.X.X

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list 110 remark + + + +  OUTSIDE + + + +

access-list 110 extended permit icmp any any

access-list 110 extended permit icmp any any echo

access-list 110 extended permit icmp any any echo-reply

access-list 110 extended permit icmp any any source-quench

access-list 110 extended permit icmp any any unreachable

access-list 110 extended permit icmp any any time-exceeded

access-list 120 remark + + + + INSIDE + + + +

access-list 120 extended permit icmp any any

access-list PropRem_splitTunnelAcl remark VPN_Client_local_Lan_access

access-list PropRem_splitTunnelAcl standard permit host 0.0.0.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu VV 1500

mtu management 1500

ip local pool R_IP_vpn 192.168.0.240-192.168.0.250 mask 255.255.255.0

ip local pool R_IP_VPN2 192.168.1.240-192.168.1.250 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any DMZ

arp timeout 14400

nat-control

global (outside) 1 interface

global (outside) 2 202.63.X.X netmask 255.255.255.224

global (outside) 3 202.63.X.X netmask 255.255.255.224

global (outside) 4 202.63.X.X netmask 255.255.255.224

global (outside) 5 202.63.X.X netmask 255.255.255.224

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

static (DMZ,outside) 202.63.x.x 192.168.1.18 netmask 255.255.255.255

static (DMZ,outside) 202.63.X.X 192.168.1.11 netmask 255.255.255.255

static (inside,outside) 202.63.X.X 192.168.0.2 netmask 255.255.255.255

static (DMZ,outside) 202.63.X.X 192.168.1.20 netmask 255.255.255.255

static (DMZ,outside) 202.63.X.X 192.168.1.19 netmask 255.255.255.255

static (DMZ,outside) 202.63.x.x 192.168.1.10 netmask 255.255.255.255

static (DMZ,outside) 202.63.x.x 192.168.1.12 netmask 255.255.255.255

static (DMZ,outside) 202.63.x.x 192.168.1.6 netmask 255.255.255.255

static (DMZ,outside) 202.63.x.x 192.168.1.13 netmask 255.255.255.255

static (DMZ,outside) 202.63.x.x 192.168.1.7 netmask 255.255.255.255

static (DMZ,outside) 202.63.x.x 192.168.1.14 netmask 255.255.255.255

static (DMZ,outside) 202.63.x.x 192.168.1.2 netmask 255.255.255.255

static (DMZ,outside) 202.63.x.x 192.168.1.201 netmask 255.255.255.255

static (DMZ,outside) 202.63.x.x 192.168.1.202 netmask 255.255.255.255

static (DMZ,outside) 202.63.x.x 192.168.1.9 netmask 255.255.255.255

access-group 110 in interface outside

route outside 0.0.0.0 0.0.0.0 202.63.X.X 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DMZ_map interface DMZ

crypto isakmp identity hostname

crypto isakmp enable outside

crypto isakmp enable DMZ

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

group-policy PropRem internal

group-policy PropRem attributes

dns-server value 4.2.2.2 203.X.X.x

split-tunnel-policy tunnelspecified

split-tunnel-network-list value PropRem_splitTunnelAcl

tunnel-group PropRem type remote-access

tunnel-group PropRem general-attributes

address-pool R_IP_VPN2

default-group-policy PropRem

tunnel-group PropRem ipsec-attributes

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

: end

Labels:
0 Helpful
2 Replies 2

awadheshkumar
Level 1
Level 1

‎04-16-2012 05:53 AM

Hi,

I required a desperate help on this.

Please help me some one

0 Helpful

maik.behley
Level 1
Level 1
In response to awadheshkumar

‎04-17-2012 06:51 AM

You need to bound an access-list with icmp echo-reply statement on your dmz interface.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card