C-o-M
asked on
ASA 5525 version 8.6
Hi,
I am using an ASA 5525 running version 8.6, and I am trying to ping through different interfaces; however, I am not able to do that. My test results are:
- can PING between the outside interface and the next hop (same subnet)
- cannot PING between the inside interface and the next hop (same subnet)
- cannot PING between the DMZ interface and the next hop (same subnet)
Please see below configuration for firewall for reference.
--------------------------
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 16.x.x.x 255.255.255.248
interface GigabitEthernet0/1
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/1.16
vlan 16
nameif inside
security-level 100
ip address 17.x.x.x 255.255.255.0
interface GigabitEthernet0/3
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/3.69
vlan 69
nameif dmz
security-level 50
ip address 18.x.x.x 255.255.255.0
2. access-list o_inside extended permit icmp any any
access-list o_inside extended permit icmp any any echo
access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
access-list o_dmz extended permit icmp any any
access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo-reply
icmp permit any outside
icmp permit any dmz
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
3. route inside 17.x.0.0 (Whole inside interface subnet) 255.255.0.0 17.x.x.x (Internal Network) 1
route dmz 17.x.x.0 (Internal) 255.255.255.0 18.x.x.x (DMZ Network) 1
route outside 18.x.x.0 (DMZ) 255.255.255.0 16.x.x.x (Outside Network) 1
If possible, could anyone please tell me what is wrong with the configuration and what I need to add to achieve the desired result above?
Thank You,
Kind Regards
ASKER CERTIFIED SOLUTION
I see access lists defined but not activated via access-group commands? Are these ACLs active?
harbor235 :}
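The access-group binding that harbor235's answer asks about, shown as an added example; this is not configuration from the question or from the answer. The interface names (inside, dmz, outside) and ACL names (o_inside, o_dmz, outside) are the ones in the post; the IP addresses are placeholders standing in for the masked 16.x/17.x/18.x values, and the verification commands at the end are run from privileged EXEC rather than configuration mode.

```cisco
! Added example (not from the question or the answer): the posted ACLs
! bound to their interfaces with access-group, which is the step the
! answer points at. Addresses are placeholders for the masked values.
!
! ACLs as posted. Note that the first 'any any' line already matches every
! ICMP packet, so the narrower lines after it never get a hit.
access-list o_inside extended permit icmp any any
access-list o_dmz extended permit icmp any any
access-list outside extended permit icmp any any
!
! An ACL only takes effect once it is applied to an interface.
! 'in' filters packets arriving on that interface from its attached network.
access-group o_inside in interface inside
access-group o_dmz in interface dmz
access-group outside in interface outside
!
! Verification (privileged EXEC): confirm the bindings exist, then watch the
! hit counters; a counter that stays at zero means the ACL is not consulted.
show running-config access-group
show access-list o_inside
!
! Simulate an echo request (ICMP type 8, code 0) from a host on inside to a
! host on dmz and read the phase list for a DROP that names the ACL or route.
packet-tracer input inside icmp 17.0.0.10 8 0 18.0.0.10
```

One distinction worth keeping in mind while testing: interface ACLs apply to traffic passing through the ASA, not to pings the ASA itself sources with `ping inside 17.x.x.x`. Testing from a host behind each interface exercises the access-group path; testing from the ASA console exercises routing and the `icmp permit`/`icmp deny` rules instead, so a test that mixes the two gives a misleading picture of which piece is broken.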
ASKER
Helped in Troubleshooting
ASKER
Thanks