[c-nsp] ASA 5505 doesn't like itself

Michael K. Smith - Adhost mksmith at adhost.com
Thu Feb 17 20:27:50 EST 2011


Do you have:

global (outside) 1 interface

or similar?

Mike

--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Pete Lumbis
> Sent: Thursday, February 17, 2011 4:45 PM
> To: Michael Loether
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA 5505 doesn't like itself
> 
> You can't ping like that. You can ping from the inside interface to
> the outside, and vice versa. You can test traffic from the inside by
> pinging the outside interface for example. There is no way to change
> this behavior.
> 
> Also ICMP is IP, "permit ip any" will allow ICMP.
> 
> The only other thing is that ICMP inspection is not enabled by default
> (at least in some older code). If you plan to lock down your ACLs,
> you'll probably want to turn this on.
> 
> -Pete
> 
> On Thu, Feb 17, 2011 at 4:53 PM, Michael Loether <mike at azloether.com>
> wrote:
> > I have an ASA 5505 I am setting up at a small branch office.  Working towards
> > a site-to-site VPN but first I need to get it to talk to itself.  Traffic is not passing
> > from inside to outside.
> >
> > interface Vlan1
> >  nameif inside
> >  security-level 100
> >  ip address 172.19.1.1 255.255.255.0
> > !
> > interface Vlan2
> >  nameif outside
> >  security-level 0
> >  ip address 64.183.175.22 255.255.255.252
> > !
> > interface Ethernet0/0
> >  switchport access vlan 2
> > !
> > interface Ethernet0/1
> > !
> > nat (inside,outside) after-auto source dynamic any interface
> >
> > DHCPd is running on VL 1 and it is handing out IPs as expected.
> >
> > ping inside 64.183.175.21
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 64.183.175.21, timeout is 2 seconds:
> > ?????
> > Success rate is 0 percent (0/5)
> >
> > ACLs are any any ip on both inside and outside.
> >
> > Any suggestion would be appreciated.
> >
> > Mike
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 

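The checks Pete describes, written out as an ASA 8.3+ CLI fragment (an added example, not configuration from the thread): the interface-sourced ping test, the ICMP inspection stanza, and a packet-tracer run for the inside-to-outside path. The interface names and the peer address 64.183.175.21 come from the thread; global_policy and inspection_default are the ASA default policy names; the inside host 172.19.1.50 is a constructed placeholder.

```text
! Ping from the box itself must be sourced on the interface facing the
! target: inside -> outside peer is not a supported path, outside -> peer is.
ping outside 64.183.175.21

! Enable stateful ICMP inspection so echo replies to inside hosts are
! matched to their requests rather than admitted by a broad inbound ACL
! (off by default on older code, as Pete notes).
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verify the host-side path and the NAT hit without a host on the LAN:
! simulate an ICMP echo (type 8, code 0) from a constructed inside host.
packet-tracer input inside icmp 172.19.1.50 8 0 64.183.175.21

! Confirm the dynamic interface PAT rule is installed and being used.
show nat
```

The packet-tracer output shows each phase (ACL, NAT, inspection) with an ALLOW or DROP result, which narrows the fault to one stage rather than a failed ping.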