[c-nsp] ASA 5505 doesn't like itself

Pete Lumbis alumbis at gmail.com
Thu Feb 17 19:44:58 EST 2011


You can't ping like that. You can ping from the inside interface to
the outside, and vice versa. You can test traffic from the inside by
pinging the outside interface for example. There is no way to change
this behavior.

Also, ICMP is IP; "permit ip any" will allow ICMP.

The only other thing is that ICMP inspection is not enabled by default
(at least in some older code). If you plan to lock down your ACLs,
you'll probably want to turn this on.

-Pete

On Thu, Feb 17, 2011 at 4:53 PM, Michael Loether <mike at azloether.com> wrote:
> I have an ASA 5505 I am setting up at a small branch office.  Working towards a site-to-site VPN but first I need to get it to talk to itself.  Traffic is not passing from inside to outside.
>
> interface Vlan1
>  nameif inside
>  security-level 100
>  ip address 172.19.1.1 255.255.255.0
> !
> interface Vlan2
>  nameif outside
>  security-level 0
>  ip address 64.183.175.22 255.255.255.252
> !
> interface Ethernet0/0
>  switchport access vlan 2
> !
> interface Ethernet0/1
> !
> nat (inside,outside) after-auto source dynamic any interface
>
> DHCPd is running on VL 1 and it is handing out IPs as expected.
>
> ping inside 64.183.175.21
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 64.183.175.21, timeout is 2 seconds:
> ?????
> Success rate is 0 percent (0/5)
>
> ACLs are any any ip on both inside and outside.
>
> Any suggestion would be appreciated.
>
> Mike
>
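To illustrate Pete's two points above (test from the interface that faces the target, and enable ICMP inspection before tightening the ACLs), here is an added ASA configuration example; it is not from either poster. Interface names and addresses follow Mike's config, the ACL name "outside_in" is assumed, and the ping target is the outside next hop from Mike's own test.

```text
! Added example (not from the original thread): enable ICMP inspection
! so echo-replies to inside-originated pings are matched statefully.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! Weak setting from the thread ("any any ip" on outside) ...
access-list outside_in extended permit ip any any
! ... replaced by an explicit deny-all with logging, which is safe once
! ICMP inspection returns the replies for inside-sourced pings.
no access-list outside_in extended permit ip any any
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Test from the interface facing the target, as Pete describes,
! instead of sourcing the ping from "inside":
ping outside 64.183.175.21
```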