Solved

ASA in Network?

Posted on 2014-07-31
Last Modified: 2014-09-08
Dear Experts,

My network diagram and configuration are attached herewith.
It is a simple network with an ASA.
My question is: I can ping any IP from the ASA but can't reach the other side of the ASA. At least I should be able to ping from inside SW1 to outside SW2 without any ACL, because the security level goes from 60 to 50, but I cannot. Please check the output given below for reference; the diagram is attached too.


ASA1(config)#
ASA1(config)# ping 192.168.201.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ASA1(config)#
ASA1(config)#
ASA1(config)# ping 10.33.207.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/20 ms
ASA1(config)#
-------------------------------------
SW1#
SW1#ping 10.33.207.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/52 ms
SW1#
SW1#
SW1#
SW1#ping 192.168.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1#
----------------------------------------------------
SW2#
SW2#ping 192.168.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/23/56 ms
SW2#
SW2#
SW2#ping 10.33.207.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW2#
-----------------------------------------
network-diag.jpg
devices-config.txt
Question by:nainasipra
5 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 40231633
>>I should able to ping from inside SW1 to outside SW2 without any ACL because security level 60 to 50 but i can not.

Only if you have ICMP inspection enabled, and all your NAT rules are correct?

Pete
0
 

Author Comment

by:nainasipra
ID: 40231708
Mr. Pete,
thanks for the reply. I have attached the configurations, please check them. What NAT should I do?
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233572
I have noticed that in recent ASA versions, you need to add a specific incoming rule to allow ICMP echo reply from any to any in order for this to work.
To make it easier, as I assume you are using NAT (so there is no direct access to internal systems), an icmp any rule allows tracert and any other ICMP packets as well.
Gareth
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233578
You also don't appear to have a route or default gateway in either switch, how do they know where to send the packets for other networks?
Gareth
0
 
LVL 5

Accepted Solution

by:
Feroz Ahmed earned 2000 total points
ID: 40255144
Hi,

As for the reason why you are not able to ping from inside to outside: check the policy map and whether you have defined one. The configuration should be as below:

ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp

Once the above configuration is done, you should be able to ping from inside to outside. Try this and let me know; if you still face an issue at all, send me the ASA output (Sh running configuration as well as Sh Startup Configuration).
0
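The two fixes proposed in the answers above, side by side, as an added example that is not part of the original thread: stateful ICMP inspection versus a static ACL for echo replies, followed by commands to verify the result. The interface names inside and outside, the ACL name OUTSIDE_IN, and the reading of 10.33.207.2 and 192.168.201.22 (the two addresses the ASA pings in the question) as SW1 and SW2 are assumptions, since the attached configuration is not shown on the page.

```cisco
! Added example. Interface names "inside"/"outside" and the ACL name
! OUTSIDE_IN are assumptions, not taken from the poster's config.
!
! Option A: stateful ICMP inspection (the accepted answer's approach).
! The ASA tracks each echo request leaving the higher-security interface
! and admits only the matching echo reply on the way back.
policy-map global_policy
 class inspection_default
  inspect icmp
! The default configuration already applies this policy globally;
! re-add the line below only if it is missing from the running config.
service-policy global_policy global
!
! Option B: no inspection, static ACL on the lower-security interface
! (the "incoming rule" approach from the earlier comment).
! Broader than A: every echo-reply is admitted, solicited or not.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! Verify from the ASA in exec mode. ICMP type 8 code 0 is an echo request.
! Test host to host: the ASA does not answer a ping aimed at one of its
! interfaces from a host behind a different interface, whatever the policy.
packet-tracer input inside icmp 10.33.207.2 8 0 192.168.201.22
show service-policy
show running-config policy-map
```

Option A is the narrower of the two, because it opens the return path only for replies that match an outstanding request. Neither option helps if the switches have no route back to the other subnet, as the comment about default gateways points out.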


Question has a verified solution.
