Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Can not ping internal network from ASA

Posted on 2009-06-30
17
Medium Priority
?
610 Views
Last Modified: 2012-05-07
I can not ping internal computer from ASA. Comp IP address 192.168.187.15, gateway is 192.168.187.14 which is ASA internal interface. I've got an IP Phone connected to the same ASA with Ip address 192.168.185.15 and internal ASA interface 192.168.185.14 and everything works fine. We are doing testing, do not be surprised of configuration.
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif ouside3
 security-level 0
 ip address 10.254.17.25 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
 nameif Lan
 security-level 100
 ip address 192.168.185.14 255.255.255.0
!
interface GigabitEthernet0/3
 nameif comp
 security-level 50
 ip address 192.168.187.14 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list nonat extended permit ip any any
access-list nat2 extended permit ip any any
access-list nonat2 extended permit ip any any
pager lines 24
logging asdm informational
mtu ouside3 1500
mtu outside 1500
mtu Lan 1500
mtu comp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Lan) 0 access-list nonat
nat (Lan) 1 access-list nat
nat (comp) 0 access-list nonat
nat (comp) 1 access-list nat
access-group allow_ping in interface outside
!
router eigrp 2008
 neighbor 10.254.17.10 interface outside
 network 10.254.17.8 255.255.255.248
 network 192.168.185.0 255.255.255.0
network 192.168.187.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 20 set transform-set myset
crypto map mymap2 interface comp
crypto map mymap3 30 match address 110
crypto map mymap3 30 set peer 10.254.17.26
crypto map mymap3 30 set transform-set myset
crypto map mymap3 interface ouside3
crypto isakmp identity address
crypto isakmp enable ouside3
crypto isakmp enable outside
crypto isakmp enable comp
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
....

Open in new window

0
Comment
Question by:fgasimzade
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 7
17 Comments
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24743922
Simply configure static route on ASA.
For example:
                      ip route 0.0.0.0 0.0.0.0 x.x.x.x 1
Where x is the address of the ASA to which Your LAN is connected.
I am sure this will solve your problem
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24743943
Simply configure static route on ASA.
For example:
                      ip route 0.0.0.0 0.0.0.0 x.x.x.x 1
Where x is the address of the ASA to which it connected to outside.
I am sure this will solve your problem.
if it do not solve your problem than tell me about ASA is it connected to the router
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24743944
This network i directly connected, I cant see why it is not working.
0
Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

 
LVL 18

Author Comment

by:fgasimzade
ID: 24743949
munir_hayat

Computer i connected to ASA. Computer IP address 192.168.187.15, ASA Ip address 192.168.187.14 - they can not ping each other.
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24743952
let me know about the interface address to which it is connected directly
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24743963
interface GigabitEthernet0/3
 nameif comp
 security-level 50
 ip address 192.168.187.14 255.255.255.0

you can find configs in my first post
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24743970
Dear i means the outside interface address  to which it is connected
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24743976
Why do you need outside interface address? It is simple - computer IP address 192.168.187.15, ASA ip address 192.168.187.14. They are DIRECTLY connected, but can not ping each other.
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24743989
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
change it to
route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
or
route outside 0.0.0.0 0.0.0.0 10.254.17.25 1

0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24744002
It looks like you dont understand me.. Computer and ASA are DIRECTLY connected
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24744019
ok. change your network cable try straight and cross cable
2.Match your computer subnet mask and you ASA Subnet mask.
this will solve your problem
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24744027
I have already done all those things, it didnt help
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24744060
have you created VLAN
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24744087
There is no need in Vlans, because on the same ASA I have IP phone connected with IP address 192.168.185.15, connected to 192.168.185.14 ASA interface and everything works just fine
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24751611
Still need help. ARP knows PC's mac address, as well as PC shows ASA's mac in arp table, but they do not ping each other..
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24751615
ASA know PC's mac address
0
 
LVL 18

Accepted Solution

by:
fgasimzade earned 0 total points
ID: 24751778
The issue is solved, there was a cryptomap applied to that interface
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
How does someone stay on the right and legal side of the hacking world?
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question