[c-nsp] ASA 5505 doesn't like itself

Christopher J. Wargaski wargo1 at gmail.com
Thu Feb 17 22:01:11 EST 2011


Hey Mike--

   It looks to me like you are trying to ping an IP address that is on the
untrusted interface by way of the inside interface. The ASA will not do
that. Given that the destination IP address is on a connected subnet, the
ASA knows the route. Try your ping again without the word "inside" and see
what happens.

interface Vlan2
 nameif outside
 security-level 0
 ip address 64.183.175.22 255.255.255.252
!

ping inside 64.183.175.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.183.175.21, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

   If I try to ping my ASA's default route specifying the inside interface
as the path to take out, the ping fails just like yours did.

cjw

Message: 8
> Date: Thu, 17 Feb 2011 14:53:04 -0700
> From: Michael Loether <mike at azloether.com>
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA 5505 doesn't like itself
> Message-ID: <21225BA4-4A84-4163-81C8-EEACDED793B0 at azloether.com>
> Content-Type: text/plain; charset=us-ascii
>
> I have an ASA 5505 I am setting up at a small branch office.  Working
> towards a site to site VPN but first I need to get it to talk to itself.
>  Traffic is not passing from inside to outside.
>
> interface Vlan1
>  nameif inside
>  security-level 100
>  ip address 172.19.1.1 255.255.255.0
> !
> interface Vlan2
>  nameif outside
>  security-level 0
>  ip address 64.183.175.22 255.255.255.252
> !
> interface Ethernet0/0
>  switchport access vlan 2
> !
> interface Ethernet0/1
> !
> nat (inside,outside) after-auto source dynamic any interface
>
> DHCPd is running on VL 1 and it is handing out IPs as expected.
>
> ping inside 64.183.175.21
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 64.183.175.21, timeout is 2 seconds:
> ?????
> Success rate is 0 percent (0/5)
>
> ACLs are any any ip on both inside and outside.
>
> Any suggestion would be appreciated.
>
> Mike
>

