Cisco Support Community
New Member

ASA5510 Quirk?

Hello,

We set up our ASA5510 with a company that does IDS for us on the outside of it with a SonicWall. When our sites that VPN in come to our system, they are unable to ping select devices on our system. For example, they might not be able to ping 192.168.1.200. But if I add a NAT statement that says 192.168.1.200 = 192.168.1.200, it allows the traffic through. I see no reason for this, as other devices on the same subnet are fine. Everything is addressed class c. Any help would be great!

Thanks in advance,

Adam Filkins

Northstar Financial Group, INC

1 REPLY
New Member

Re: ASA5510 Quirk?

I am not sure of the specifics of your configuration. Instead of making assumptions, I would like to suggest a couple of troubleshooting ideas. Have you tried packet-tracer, the capture command, and enabling debug-level logging (with all syslog messages enabled)?

Packet-tracer might look like

packet-tracer input outside icmp x.x.x.x 8 0 192.168.1.200 detailed

Repeat packet-tracer for a host that responds to ICMP.

Capture feature

access-list test permit icmp any host 192.168.1.200

access-list test permit icmp host 192.168.1.200 any

access-list test permit icmp any host 192.168.1.x (working host)

access-list test permit icmp host 192.168.1.x any

capture capturename access-list test interface <interface-name>

Test with ICMP

show capture capturename

As for syslog, are there any messages related to ICMP or the source and destination IP addresses?

Are the outputs the same?

Hope this helps.
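The comparison suggested in the reply above (run packet-tracer for the failing host and for a working host, then check whether the outputs are the same) can be scripted. The following is an added example, not part of the original reply: the two outputs are constructed and trimmed, and the names `parse` and `first_divergence` are this example's own.

```python
import re

# Constructed packet-tracer output, trimmed to the lines the parser reads.
# Not taken from the poster's firewall.
WORKING = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Phase: 3
Type: NAT
Result: ALLOW
Action: allow
"""
FAILING = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: DROP
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# A phase block is Phase / Type / optional Subtype / Result.
PHASE = re.compile(r"Phase: (\d+)\s+Type: (\S+)\s+(?:Subtype:.*\n\s*)?Result: (\w+)")

def parse(text):
    """Return (phases, action, drop_reason) from packet-tracer text."""
    phases = [(int(n), t, r) for n, t, r in PHASE.findall(text)]
    action = re.search(r"^Action: (\w+)", text, re.M)
    reason = re.search(r"^Drop-reason: (.+)$", text, re.M)
    return phases, action and action.group(1), reason and reason.group(1)

def first_divergence(good, bad):
    """First phase where the traces differ: (number, good_entry, bad_entry)."""
    gp, bp = parse(good)[0], parse(bad)[0]
    for i in range(max(len(gp), len(bp))):
        g = gp[i] if i < len(gp) else None
        b = bp[i] if i < len(bp) else None
        if g != b:
            return i + 1, g, b
    return None  # identical phase sequence

if __name__ == "__main__":
    print("diverges at:", first_divergence(WORKING, FAILING))
    print("final:", parse(FAILING)[1:])
```

The phase where the two traces first differ, together with the drop reason, points at the configuration section (route, access list, NAT) to inspect for the failing host.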
