[c-nsp] ASA 5505 doesn't like itself

Tom Sutherland tsutherland at i3businesssolutions.com
Tue Mar 1 20:54:36 EST 2011


I see.

I do know that you can ping from an inside interface through a VPN
tunnel to a remote host, and vice-versa although you need the
"management-access inside" command.  You can generate "interesting
traffic" this way as well:

ASA(config)# show cry ips sa | i ident
      local ident (addr/mask/prot/port): (10.4.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)

####Ping remote host through tunnel from inside

ASA(config)# ping inside 10.2.0.1     
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 110/124/130 ms

####Disable management-access

ASA(config)# no management-access inside 
ASA(config)# ping inside 10.2.0.1        
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

####Enable management-access

ASA(config)# management-access inside
ASA(config)# ping inside 10.2.0.1    
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/128/140 ms
ASA(config)# 



On Fri, 2011-02-25 at 16:11 -0500, Matthew Huff wrote:

> Cisco PIX/ASA are not routers. For example, you cannot ping from the inside network to the outside interface, or any other similar type of test.
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Sutherland
> > Sent: Friday, February 25, 2011 4:01 PM
> > To: Michael Loether
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] ASA 5505 doesn't like itself
> > 
> > as a test, you might try:
> > 
> > icmp permit any inside
> > icmp permit any outside
> > 
> > from cisco command reference:
> > 
> > "To configure access rules for ICMP traffic that terminates at a
> > adaptive security appliance interface, use the icmp command."
> > 
> > 
> > On Thu, 2011-02-17 at 16:53 -0500, Michael Loether wrote:
> > 
> > > I have an ASA 5505 I am setting up at a small branch office.  Working towards a site to site VPN but first I need to get it to talk to itself.  Traffic is not passing from inside to outside.
> > >
> > > interface Vlan1
> > >  nameif inside
> > >  security-level 100
> > >  ip address 172.19.1.1 255.255.255.0
> > > !
> > > interface Vlan2
> > >  nameif outside
> > >  security-level 0
> > >  ip address 64.183.175.22 255.255.255.252
> > > !
> > > interface Ethernet0/0
> > >  switchport access vlan 2
> > > !
> > > interface Ethernet0/1
> > > !
> > > nat (inside,outside) after-auto source dynamic any interface
> > >
> > > DHCPd is running on VL 1 and it is handing out IPs as expected.
> > >
> > > ping inside 64.183.175.21
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 64.183.175.21, timeout is 2 seconds:
> > > ?????
> > > Success rate is 0 percent (0/5)
> > >
> > > ACLs are any any ip on both inside and outside.
> > >
> > > Any suggestion would be appreciated.
> > >
> > > Mike
> > >
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
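The transcript above shows that a ping sourced from the inside interface only gets encrypted when it matches the tunnel's proxy identities (the "local ident" / "remote ident" lines) and management-access inside is configured. The following is an added example, not code from the post or from Cisco: it parses the two ident lines exactly as the ASA prints them and checks whether a given source/destination pair would count as "interesting traffic" for that SA. The sample output is constructed from the values quoted above; the 172.19.1.1 address used in the usage check is the inside address from the original question, assumed here to lie outside the local ident.

```python
import ipaddress
import re

# Constructed sample: the two "ident" lines as printed by
# "show crypto ipsec sa | include ident" (values taken from the post above).
SAMPLE_IDENT_OUTPUT = """\
      local ident (addr/mask/prot/port): (10.4.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
"""

# One ident line: side, address, dotted mask, protocol number, port.
IDENT_RE = re.compile(
    r"^\s*(local|remote) ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)\s*$"
)


def parse_idents(text):
    """Return {'local': (network, proto, port), 'remote': (...)} from ident lines.

    Lines that do not match the ident format are ignored, so the raw
    "show crypto ipsec sa" output can be fed in unfiltered.
    """
    idents = {}
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if not m:
            continue
        side, addr, mask, proto, port = m.groups()
        # The ASA prints a dotted mask, which IPv4Network accepts as a tuple.
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        idents[side] = (net, int(proto), int(port))
    if "local" not in idents or "remote" not in idents:
        raise ValueError("output did not contain both local and remote ident lines")
    return idents


def is_interesting(idents, src, dst, proto=1):
    """True if a src->dst packet of IP protocol `proto` matches the SA's proxy IDs.

    A protocol of 0 in the ident means "any"; ICMP (1) is the default because
    the post is about sourcing pings from the inside interface.
    """
    local_net, local_proto, _ = idents["local"]
    remote_net, remote_proto, _ = idents["remote"]
    src_ok = ipaddress.IPv4Address(src) in local_net
    dst_ok = ipaddress.IPv4Address(dst) in remote_net
    proto_ok = local_proto in (0, proto) and remote_proto in (0, proto)
    return src_ok and dst_ok and proto_ok


def explain(idents, src, dst):
    """Human-readable verdict for a ping sourced at `src` towards `dst`."""
    if is_interesting(idents, src, dst):
        return f"{src} -> {dst}: matches proxy IDs, will be sent through the tunnel"
    return (f"{src} -> {dst}: does not match local {idents['local'][0]} / "
            f"remote {idents['remote'][0]}, will not be encrypted")


if __name__ == "__main__":
    sa = parse_idents(SAMPLE_IDENT_OUTPUT)
    # Inside interface address inside the local ident (assumed value).
    print(explain(sa, "10.4.0.1", "10.2.0.1"))
    # Inside address from the original question, outside the local ident.
    print(explain(sa, "172.19.1.1", "10.2.0.1"))
```

If the verdict is "does not match" while the ping shows "?????", the proxy identity (or the interface the ping is sourced from) is the thing to look at before touching management-access; if it matches and the ping still fails, the management-access setting is the next suspect, as the transcript above demonstrates.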