nainasipra

ASA in Network?

Dear Experts,

My network diagram and configuration are attached herewith.
It is a simple network with an ASA.
My question is: I can ping any IP from the ASA but can't reach the other side of the ASA. At least I should be able to ping from inside SW1 to outside SW2 without any ACL, because the security level goes from 60 to 50, but I cannot. Please check the output given below for reference; the diagram is attached too.


ASA1(config)#
ASA1(config)# ping 192.168.201.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ASA1(config)#
ASA1(config)#
ASA1(config)# ping 10.33.207.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/20 ms
ASA1(config)#
-------------------------------------
SW1#
SW1#ping 10.33.207.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/52 ms
SW1#
SW1#
SW1#
SW1#ping 192.168.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1#
----------------------------------------------------
SW2#
SW2#ping 192.168.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/23/56 ms
SW2#
SW2#
SW2#ping 10.33.207.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW2#
-----------------------------------------
network-diag.jpg
devices-config.txt
Pete Long

>>I should able to ping from inside SW1 to outside SW2 without any ACL because security level 60 to 50 but i can not.

Only if you have ICMP inspection enabled, and all your NAT rules are correct?

Pete
nainasipra

ASKER

Mr. Pete,
Thanks for the reply. I have attached the configurations, please check them. What NAT should I do?

I have noticed that in recent ASA versions, you need to add a specific incoming rule to allow ICMP echo reply from any to any in order for this to work.
To make it easier, as I assume you are using NAT (so there is no direct access to internal systems), an icmp any rule allows tracert and any other ICMP packets as well.
Gareth

You also don't appear to have a route or default gateway in either switch. How do they know where to send the packets for other networks?
Gareth
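
The three suggestions made in the replies above (ICMP inspection, an explicit echo-reply rule, and a gateway on each switch), written out as a configuration sketch. This is an added example, not taken from the attached devices-config.txt or from any poster. The interface names inside/outside, the ACL name OUTSIDE_IN, the default global_policy/inspection_default policy names and the angle-bracket placeholders are assumptions.

```cisco
! Added example. Interface names, the ACL name and all <placeholders>
! are assumptions, not values from the attached configuration.
!
! Option 1 (ASA): stateful ICMP inspection. An echo reply that matches an
! outstanding echo request is allowed back through the lower-security
! interface, so no inbound ACL entry is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Option 2 (ASA): without inspection, permit only the return ICMP types
! on the lower-security interface. This is narrower than "permit icmp any any".
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! Switches: each one needs a path to the remote subnet through the ASA
! interface on its own segment.
! Layer 2 switch (ip routing disabled):
ip default-gateway <ASA-interface-IP-on-this-segment>
! Layer 3 switch (ip routing enabled):
ip route 0.0.0.0 0.0.0.0 <ASA-interface-IP-on-this-segment>
!
! Verification on the ASA: confirm the inspection is active, then trace an
! echo request (ICMP type 8, code 0) from the inside host to the outside host.
show service-policy
packet-tracer input inside icmp <SW1-IP> 8 0 <SW2-IP>
```

Option 1 and Option 2 are alternatives; the packet-tracer output names the phase (ACL, NAT, route lookup) that drops the packet if the ping still fails.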
ASKER CERTIFIED SOLUTION
Feroz Ahmed