Pinging from the ASA CLI

Just a quick question for all the Cisco gurus out there. I've got an L2L setup between a 10.92.39.0 network and a 10.91.150.0 network.

Right now I'm logged onto the 10.91.150.0 ASA and I am unable to ping the other network from the command line. If I log into a server on this network I am able to ping the remote network. What gives? I need to be able to log into both of the ASAs and ping the other networks to do some testing.

Thanks,

vne  
VNE Asked:

Ken Boone, Network Consultant, Commented:
When you set up your L2L tunnels you define the networks that can talk to each other. So you defined 10.92.39.0 and 10.91.150.0. So that is what flows through the tunnels. When you ping from a Cisco device, the source IP address of the ping packet will be the IP address of the interface that the ping packet goes out. So in your case, when you are pinging the other side, the ping packet from the ASA is being sourced with the outside IP address, which is not defined to flow through your tunnel, so the packet goes into lala land. So really the test is from internal address to internal address, because even if you set up your tunnel to allow ASA to ASA, which you can do, it doesn't mean that the security associations for the internal-to-internal networks are working. With a router or switch you can do what is called an extended ping and specify the source IP address, but I don't think you can do that on the ASA.
0
Frabble Commented:
As kenboonejr says; however, on the ASA you can specify an interface and it will use the interface address for the source.
For example, ping inside x.x.x.x
0
lrmoore Commented:
You can also set the management access <interface> command
  management-access inside

This should allow you to ping the inside address of the ASA from a host on the other side of the VPN tunnel and maybe from ASA to ASA by designating the source IP.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mahrens007 Commented:
type in "man inside"

This will allow you to ping the ASA inside IP.  

Then do: ping inside <the ip address of the other side>
0
VNE (Author) Commented:
Please award full points to lrmoore as he provided the answer that fixed the problem.

0
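The fix from the answers above, written out as an added example that is not part of the original thread or any poster's own configuration. The /24 masks, the ACL name `L2L-VPN` and the remote address 10.92.39.1 are assumptions; substitute the values from your own tunnel.

```cisco
! Added example for the 10.91.150.0 ASA. Masks, the ACL name L2L-VPN and the
! target 10.92.39.1 are assumed values, not taken from the thread.
!
! --- What the tunnel carries --------------------------------------------
! The crypto ACL defines the only traffic that is sent into the L2L tunnel:
! inside network to remote inside network.
access-list L2L-VPN extended permit ip 10.91.150.0 255.255.255.0 10.92.39.0 255.255.255.0
!
! --- Why a plain ping from the ASA fails ---------------------------------
! "ping 10.92.39.1" leaves through the outside interface and is sourced from
! the outside interface address. That source is not in L2L-VPN, so the packet
! is never encrypted and never reaches the remote network.
!
! --- Fix (global configuration mode) ------------------------------------
! Allow the inside interface to be reached and used as a source across the
! VPN. Only one interface can be the management-access interface.
management-access inside
!
! --- Test (privileged EXEC mode) -----------------------------------------
! Name the interface so the echo request is sourced from the inside
! interface address, which falls inside 10.91.150.0 and matches L2L-VPN.
ping inside 10.92.39.1
!
! --- Verify the internal-to-internal security association ----------------
! Phase 1 should show an SA with the remote peer.
show crypto isakmp sa
! Phase 2: find the SA whose local/remote idents are the two inside
! networks and check that the "#pkts encaps" and "#pkts decaps" counters
! both increase after the ping. Encaps rising with decaps flat means the
! far side is not returning traffic through the tunnel.
show crypto ipsec sa
```

`management-access inside` also makes the inside address a valid target for SSH and ASDM sessions arriving through the tunnel, so those stay governed by the existing `ssh` and `http` permit statements for the inside interface.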