Solved

ASA in Network?

Posted on 2014-07-31
5
252 Views
Last Modified: 2014-09-08
Dear Experts,

my network diagram and configuration is attached herewith.
it is simple network with ASA.
my question is i can ping any ip from ASA but can't reach to other side of ASA. atleast I should able to ping from inside SW1 to outside SW2 without any ACL because security level 60 to 50 but i can not. please check some output given below for references and diagram is attached too.


ASA1(config)#
ASA1(config)# ping 192.168.201.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ASA1(config)#
ASA1(config)#
ASA1(config)# ping 10.33.207.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/20 ms
ASA1(config)#
-------------------------------------
SW1#
SW1#ping 10.33.207.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/52 ms
SW1#
SW1#
SW1#
SW1#ping 192.168.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1#
----------------------------------------------------
SW2#
SW2#ping 192.168.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/23/56 ms
SW2#
SW2#
SW2#ping 10.33.207.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW2#
-----------------------------------------
network-diag.jpg
devices-config.txt
0
Comment
Question by:nainasipra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 40231633
>>I should able to ping from inside SW1 to outside SW2 without any ACL because security level 60 to 50 but i can not.

Only if you have icmp inspection enabled, and all your NAT rules are correct?

Pete
0
 

Author Comment

by:nainasipra
ID: 40231708
mr. Pete,
thanks for reply, i have attached configurations please check that, what nat i sould do?
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233572
I have noticed that in recent ASA versions, you need to add a specific incoming rule to allow ICMP echo reply from any to any in order for this to work
To make it easier as I assume you are using NAT, (so there is no direct access to internal systems) an icmp any rule allows tracert and any other ICMP packets as well
Gareth
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233578
You also don't appear to have a route or default gateway in either switch, how do they know where to send the packets for other networks?
Gareth
0
 
LVL 5

Accepted Solution

by:
Feroz Ahmed earned 500 total points
ID: 40255144
Hi,

The reason why you are not able to ping from Inside to outside check for policy Map whether you have defined Policy Map the configuration should be as below :

ASA#(Config-t)
ASA(Config-t)#policy-map Global_policy
ASA(Config-t)#classinspection_default
ASA(Config-t)#Inspect ICMP

Once the above configuration is done you should be able to ping from inside to outside.Try this let me know if atall you still face an issue send me ASA (Sh running configuration as well as Sh Startup Configuration).
0

Featured Post

Increase Agility with Enabled Toolchains

Connect your existing build, deployment, management, monitoring, and collaboration platforms. From Puppet to Chef, HipChat to Slack, ServiceNow to JIRA, Splunk to New Relic and beyond, hand off data between systems to engage the right people.

Connect with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question