Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
290
Views
0
Helpful
4
Replies

Ping works from ASA to remote network but not from PCs behind ASA

jimgrumbles
Level 1
Level 1

‎12-02-2007 01:53 PM - edited ‎02-21-2020 01:49 AM

We have a joint venture with a company who has started to take IT into their own hands. Unfortunately they still need access to many of our systems. They recently installed an ASA 5505 with their own internet connection. They are also connected to us via Sprint MPLS and a Cisco 2801 we have on site (10.0.1.1) I have a static route in the ASA directing any traffic for 192.168.1.0 to 10.0.1.1. Pinging works fine from the ASA but none of the PCs behind the ASA can ping anything in the 192.168.1.0 network. To get it to work I had to add a manual route add command on the Windows XP machine. The client PCs use the ASA as their default gateway so I would assume it would just know to forward any request for 192.168.1.0 to 10.0.1.1. I've attached the config for the ASA on site there. I'm thinking this might be something to do with NAT since when I try to ping from a PC that ASA spits out something about "no translation group...."

I appreciate any help.

Preview file
4 KB
0 Helpful
4 Replies 4

jeremyault
Level 1
Level 1

‎12-02-2007 05:23 PM

I could be wrong but I think you need a NAT exception for traffic from the 10 network to the 192 network.

Try this:

access-list NONAT permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

0 Helpful

henryrohlfs
Level 1
Level 1
In response to jeremyault

‎12-30-2007 06:46 PM

I'm curious if this worked since I have a similar problem routing to a second network on my inside interface.

0 Helpful

srue
Level 7
Level 7
In response to henryrohlfs

‎12-30-2007 09:07 PM

either turn on icmp inspection, or explicity allow echo-reply traffic back in to the ping source.

0 Helpful

jimgrumbles
Level 1
Level 1

‎01-03-2008 03:35 PM

Sorry about the lack of response. It looks like the way the remote technician setup the PC for me to access was on a separate network. I had assumed he had it on the same network as all the other PCs but apparently not, they were working normally. Thank you for the responses.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card