Solved

ASA in Network?

Posted on 2014-07-31
Last Modified: 2014-09-08
Dear Experts,

My network diagram and configuration are attached herewith.
It is a simple network with an ASA.
My question is: I can ping any IP from the ASA but can't reach the other side of the ASA. At least I should be able to ping from inside SW1 to outside SW2 without any ACL, because the security level goes from 60 to 50, but I cannot. Please check some output given below for reference; the diagram is attached too.


ASA1(config)#
ASA1(config)# ping 192.168.201.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ASA1(config)#
ASA1(config)#
ASA1(config)# ping 10.33.207.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/20 ms
ASA1(config)#
-------------------------------------
SW1#
SW1#ping 10.33.207.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/52 ms
SW1#
SW1#
SW1#
SW1#ping 192.168.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1#
----------------------------------------------------
SW2#
SW2#ping 192.168.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/23/56 ms
SW2#
SW2#
SW2#ping 10.33.207.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW2#
-----------------------------------------
network-diag.jpg
devices-config.txt
0
Question by:nainasipra
5 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 40231633
>>I should able to ping from inside SW1 to outside SW2 without any ACL because security level 60 to 50 but i can not.

Only if you have icmp inspection enabled, and all your NAT rules are correct?

Pete
0
 

Author Comment

by:nainasipra
ID: 40231708
Mr. Pete,
Thanks for the reply. I have attached the configurations, please check them. What NAT should I do?
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233572
I have noticed that in recent ASA versions, you need to add a specific incoming rule to allow ICMP echo reply from any to any in order for this to work.
To make it easier, as I assume you are using NAT (so there is no direct access to internal systems), an icmp any rule allows tracert and any other ICMP packets as well.
Gareth
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233578
You also don't appear to have a route or default gateway in either switch, how do they know where to send the packets for other networks?
Gareth
0
 
LVL 5

Accepted Solution

by:
Feroz Ahmed earned 500 total points
ID: 40255144
Hi,

As for the reason why you are not able to ping from inside to outside: check whether you have defined the policy map. The configuration should be as below:

ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp

Once the above configuration is done you should be able to ping from inside to outside. Try this and let me know; if you still face an issue, send me the ASA configuration (show running configuration as well as show startup configuration).
0
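
The points raised in the answers above (ICMP inspection, a return-traffic rule, and routes on the switches), put together as an added example; it is not taken from any answer or from the asker's attached configuration. Assumptions: the interfaces are named inside and outside, the ACL name OUTSIDE_IN is hypothetical, both subnets are /24, and 10.33.207.4 and 192.168.201.2 are the ASA's own interface addresses (inferred from the ping output in the question).

```cisco
! ===== ASA: option 1, stateful ICMP inspection =====
configure terminal
policy-map global_policy
 class inspection_default
  inspect icmp
  ! also track ICMP error messages that belong to existing flows
  inspect icmp error
! the policy map only has an effect while it is applied (default configuration)
service-policy global_policy global
!
! ===== ASA: option 2, no inspection, permit only return ICMP types =====
! Narrower than a blanket "permit icmp any any" on the lower-security
! interface. OUTSIDE_IN is a hypothetical name; "outside" is assumed.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
end
!
! ===== ASA: verification =====
! Confirm ICMP inspection is active and counting packets
show service-policy inspect icmp
! Simulate an echo request (type 8, code 0) from SW1 to SW2 and show
! which phase (route lookup, ACL, NAT, inspection) drops it
packet-tracer input inside icmp 10.33.207.2 8 0 192.168.201.22 detailed
!
! ===== SW1 (IOS): route towards the outside subnet via the ASA =====
! /24 mask is an assumption
ip route 192.168.201.0 255.255.255.0 10.33.207.4
!
! ===== SW2 (IOS): return route towards the inside subnet via the ASA =====
! /24 mask is an assumption
ip route 10.33.207.0 255.255.255.0 192.168.201.2
!
! ===== Test from SW1 =====
! Ping the host behind the ASA, not the ASA's far-side interface:
! the ASA does not answer pings to an interface other than the one
! the packet arrived on, whatever the inspection or ACL settings.
ping 192.168.201.22
```

Use either option 1 or option 2 on the ASA; with inspection enabled the return-traffic ACL entries are not needed for echo replies.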


Question has a verified solution.
