Solved

ASA in Network?

Posted on 2014-07-31
Last Modified: 2014-09-08
Dear Experts,

My network diagram and configuration are attached herewith.
It is a simple network with an ASA.
My question is: I can ping any IP from the ASA but can't reach the other side of the ASA. At least I should be able to ping from inside SW1 to outside SW2 without any ACL, because the security level goes from 60 to 50, but I cannot. Please check the output given below for reference; the diagram is attached too.


ASA1(config)#
ASA1(config)# ping 192.168.201.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ASA1(config)#
ASA1(config)#
ASA1(config)# ping 10.33.207.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/20 ms
ASA1(config)#
-------------------------------------
SW1#
SW1#ping 10.33.207.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/52 ms
SW1#
SW1#
SW1#
SW1#ping 192.168.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1#
----------------------------------------------------
SW2#
SW2#ping 192.168.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/23/56 ms
SW2#
SW2#
SW2#ping 10.33.207.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.207.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW2#
-----------------------------------------
network-diag.jpg
devices-config.txt
0
Question by:nainasipra
5 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 40231633
>>I should able to ping from inside SW1 to outside SW2 without any ACL because security level 60 to 50 but i can not.

Only if you have icmp inspection enabled, and all your NAT rules are correct?

Pete
0
 

Author Comment

by:nainasipra
ID: 40231708
Mr. Pete,
Thanks for the reply. I have attached the configurations, please check them. What NAT should I do?
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233572
I have noticed that in recent ASA versions, you need to add a specific incoming rule to allow ICMP echo reply from any to any in order for this to work.
To make it easier, as I assume you are using NAT (so there is no direct access to internal systems), an icmp any rule allows tracert and any other ICMP packets as well.
Gareth
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 40233578
You also don't appear to have a route or default gateway in either switch. How do they know where to send the packets for other networks?
Gareth
0
 
LVL 5

Accepted Solution

by:
Feroz Ahmed earned 500 total points
ID: 40255144
Hi,

As for the reason why you are not able to ping from inside to outside: check whether you have defined a policy map. The configuration should be as below:

ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp

Once the above configuration is done, you should be able to ping from inside to outside. Try this and let me know; if you still face an issue at all, send me the ASA configuration (sh running configuration as well as sh startup configuration).
0
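
The two ways of letting ping replies back through the ASA that this thread discusses (stateful ICMP inspection from the accepted answer, and an inbound ICMP rule from the earlier comment), side by side as an added example that is not from the original posts. The interface names inside and outside, the ACL name OUTSIDE_IN, and the use of 10.33.207.2 and 192.168.201.22 as one host on each side of the ASA are assumptions, since the attached diagram and configuration are not shown on the page.

```cisco
! Added example. Assumed: nameif "inside" (security-level 60) and
! "outside" (security-level 50); the ACL name OUTSIDE_IN is hypothetical.

! Option A: stateful ICMP inspection (the accepted answer).
! The echo request is allowed from the higher to the lower security level;
! with inspection the ASA tracks it and lets only the matching reply back in.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! The policy map only takes effect once it is applied by a service policy.
service-policy global_policy global

! Option B: inbound ACL (the approach from the earlier comment), narrowed.
! This is stateless: the listed ICMP types are accepted from outside at any
! time, so permit only the reply types ping and traceroute need rather than
! "permit icmp any any".
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside

! Verification: confirm the inspection is configured and applied.
show running-config policy-map
show service-policy

! Simulate an echo request (ICMP type 8, code 0) arriving on the inside
! interface and read which phase, if any, drops it.
! Addresses are assumed to be one host on each side of the ASA.
packet-tracer input inside icmp 10.33.207.2 8 0 192.168.201.22 detailed
```

Use one option rather than both; Option A opens nothing on the outside interface. If packet-tracer reports the flow as allowed but the ping still fails, the ASA is not the component dropping it, and the missing routes on the switches raised in the earlier comment are the next thing to check.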
