pinging ASA interfaces

I can't ping an interface from a host on a higher security interface. This traffic is not being NATted. With debug icmp trace I see the echo request but no reply in the log or capture. In asp drop I see "disallowed by configured rule" increment, but a) it's not clear that's for this traffic and b) the higher security int has a rule that allows this which is getting hit, and the lower security interface has a permit ip any any on it. But I'm just trying to ping the interface. The config is rather large, so I thought I'd try to get some general advice before trying to sanitize it for a post.

Thanks

linguafr

Where is the host, which interface are you trying to ping. If you are pinging from the inside through to the outside interface this is not going to work.

I believe that you can ping the inside from the inside, the outside from the outside but not the outside from the inside / vice versa. Additionally, you say nothing about access-lists etc.

You also have not indicated whether you are using PIX 6.X or 7.X.

Regards

Darren

Darren Green

Trying to ping an interface with security-level 10 from a host coming in through an interface with security-level 100, like trying to ping the dmz interface from an inside host. I've done that before.

linguafr

Added these icmp lines as well. nagios is on the inside int, sec = 100. Int p2p sec = 10.

Again, I have an ACL on the inside int allowing icmp from nagios to p2p. I see the ACL get hit and I see the request packet in debug, but no response. There is a nat 0 line for this traffic on the inside int, so it should not be NATted. I can ping from host nagios to hosts on the p2p int as well, just not the int itself.

icmp permit host nagios echo-reply p2p
icmp permit host nagios p2p

It seems to me this is equivalent to wanting to ping a dmz interface from an inside host, which I'm pretty certain I've done before.

linguafr

You cannot ping any interface on either the PIX or the ASA unless it is the interface that is facing you. There is one exception to that, and it is when there is a VPN and you use the "management-access XXXX (interface)" command. It allows you to ping it as well as telnet/ssh/http based on your security policy for device access.

Brian V
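Added example, not part of this thread or of Cisco's code: a small Python model of the two checks the thread touches, the "only the interface facing you answers" rule Brian V describes (with the management-access-over-VPN exception) and the per-interface `icmp permit`/`icmp deny` control list the poster added. The config fragment, the `name` line and all addresses are constructed for the demo; only the two `icmp permit` lines come from the thread. It also shows a side effect worth checking in a real config: once any `icmp` entry exists for an interface, every other source hits the implicit deny on that interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed config fragment. The "name" line and the 10.x addresses are
# assumptions for the demo; the two icmp lines are the ones posted above.
CONFIG = """
name 10.1.1.50 nagios
icmp permit host nagios echo-reply p2p
icmp permit host nagios p2p
"""


@dataclass
class IcmpRule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network     # source addresses the entry matches
    icmp_type: Optional[str]       # e.g. "echo", "echo-reply"; None = any type
    interface: str                 # interface whose own address is the target


def parse_names(config: str) -> dict:
    """Collect 'name <ip> <label>' lines so icmp entries can use a label."""
    names = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "name":
            names[parts[2]] = parts[1]
    return names


def parse_icmp_rules(config: str) -> list:
    """Parse 'icmp permit|deny {host A | A MASK | any} [type] IFACE' lines."""
    names = parse_names(config)
    rules = []
    for line in config.splitlines():
        p = line.split()
        if len(p) < 4 or p[0] != "icmp" or p[1] not in ("permit", "deny"):
            continue
        i = 2
        if p[i] == "host":
            src = ipaddress.ip_network(names.get(p[i + 1], p[i + 1]) + "/32")
            i += 2
        elif p[i] == "any":
            src = ipaddress.ip_network("0.0.0.0/0")
            i += 1
        else:                      # address followed by a dotted netmask
            src = ipaddress.ip_network(f"{p[i]}/{p[i + 1]}", strict=False)
            i += 2
        rest = p[i:]
        if len(rest) == 2:
            icmp_type, iface = rest
        elif len(rest) == 1:
            icmp_type, iface = None, rest[0]
        else:
            raise ValueError(f"cannot parse icmp entry: {line!r}")
        rules.append(IcmpRule(p[1], src, icmp_type, iface))
    return rules


RULES = parse_icmp_rules(CONFIG)


def icmp_to_interface_allowed(rules, src_ip: str, icmp_type: str, iface: str) -> bool:
    """ICMP control-list check for packets addressed to an interface's own IP:
    no entries for that interface means everything is allowed; otherwise the
    list is walked top-down, first match wins, and an unmatched packet falls
    to the implicit deny."""
    addr = ipaddress.ip_address(src_ip)
    iface_rules = [r for r in rules if r.interface == iface]
    if not iface_rules:
        return True
    for r in iface_rules:
        if addr in r.src and r.icmp_type in (None, icmp_type):
            return r.action == "permit"
    return False


def can_ping_interface(src_ip, ingress_iface, target_iface, rules,
                       management_access=None, via_vpn=False):
    """Return (answered, reason) for an echo from src_ip that enters on
    ingress_iface and is addressed to the IP of target_iface. Simplification
    (assumption): the icmp list is evaluated on the target interface in the
    management-access case too."""
    if target_iface != ingress_iface and not (via_vpn and management_access == target_iface):
        return False, f"{target_iface} does not face the source; only management-access over a VPN lifts this"
    if not icmp_to_interface_allowed(rules, src_ip, "echo", target_iface):
        return False, f"icmp control list on {target_iface} denies echo from {src_ip}"
    return True, "echo-reply sent"


if __name__ == "__main__":
    cases = [
        ("10.1.1.50", "inside", "p2p", {}),                               # the poster's case
        ("10.1.1.50", "inside", "inside", {}),                            # facing interface
        ("10.2.2.7", "p2p", "p2p", {}),                                   # other host on p2p
        ("10.1.1.50", "inside", "p2p", dict(management_access="p2p", via_vpn=True)),
    ]
    for src, ingress, target, extra in cases:
        print(src, ingress, "->", target, can_ping_interface(src, ingress, target, RULES, **extra))
```

The third case is the one to watch on a real box: the two `icmp permit host nagios ... p2p` lines leave every other host on the p2p segment unable to ping the p2p interface, because adding the first entry replaces "allow all" with "first match, then implicit deny".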

Thanks for clearing this up, Brian.

linguafr
