[c-nsp] ASA 5505 doesn't like itself
Tom Sutherland
tsutherland at i3businesssolutions.com
Tue Mar 1 20:54:36 EST 2011
I see.
I do know that you can ping from an inside interface through a VPN
tunnel to a remote host, and vice versa, although you need the
"management-access inside" command. You can generate "interesting
traffic" this way as well:
ASA(config)# show cry ips sa | i ident
local ident (addr/mask/prot/port): (10.4.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
####Ping remote host through tunnel from inside
ASA(config)# ping inside 10.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 110/124/130 ms
####Disable management-access
ASA(config)# no management-access inside
ASA(config)# ping inside 10.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
####Enable management-access
ASA(config)# management-access inside
ASA(config)# ping inside 10.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/128/140 ms
ASA(config)#
On Fri, 2011-02-25 at 16:11 -0500, Matthew Huff wrote:
> Cisco PIX/ASA are not routers. For example, you cannot ping from the inside network to the outside interface, or any other similar type of test.
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom
> > Sutherland
> > Sent: Friday, February 25, 2011 4:01 PM
> > To: Michael Loether
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] ASA 5505 doesn't like itself
> >
> > as a test, you might try:
> >
> > icmp permit any inside
> > icmp permit any outside
> >
> > from cisco command reference:
> >
> > "To configure access rules for ICMP traffic that terminates at an
> > adaptive security appliance interface, use the icmp command."
> >
> >
> > On Thu, 2011-02-17 at 16:53 -0500, Michael Loether wrote:
> >
> > > I have an ASA 5505 I am setting up at a small branch office. Working towards a site-to-site VPN but
> > > first I need to get it to talk to itself. Traffic is not passing from inside to outside.
> > >
> > > interface Vlan1
> > > nameif inside
> > > security-level 100
> > > ip address 172.19.1.1 255.255.255.0
> > > !
> > > interface Vlan2
> > > nameif outside
> > > security-level 0
> > > ip address 64.183.175.22 255.255.255.252
> > > !
> > > interface Ethernet0/0
> > > switchport access vlan 2
> > > !
> > > interface Ethernet0/1
> > > !
> > > nat (inside,outside) after-auto source dynamic any interface
> > >
> > > DHCPd is running on VL 1 and it is handing out IPs as expected.
> > >
> > > ping inside 64.183.175.21
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 64.183.175.21, timeout is 2 seconds:
> > > ?????
> > > Success rate is 0 percent (0/5)
> > >
> > > ACLs are any any ip on both inside and outside.
> > >
> > > Any suggestion would be appreciated.
> > >
> > > Mike
> > >
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
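As an added example (not configuration posted by anyone in this thread), here is a scoped version of the three settings the thread touches on: the `icmp` rules for traffic terminating on the ASA's own interfaces, `inspect icmp` for traffic passing through it, and `management-access inside` for the ping-through-tunnel test. The interface names and the 172.19.1.0/24 inside subnet are taken from Mike's config; every other value is an assumption.

```cisco
! Added example, not from the thread. Interface names and the 172.19.1.0/24
! inside subnet come from Mike's config; everything else is an assumption.
!
! 1. ICMP that terminates ON the ASA's own interfaces (the "icmp" command).
!    "icmp permit any outside" from the earlier test lets any Internet host
!    probe the firewall's outside address; scope it to the inside subnet for
!    troubleshooting and deny it on outside once the test is done.
icmp permit 172.19.1.0 255.255.255.0 inside
icmp deny any inside
icmp deny any outside
!
! 2. ICMP THROUGH the ASA (a host on inside pinging something on the Internet).
!    Without "inspect icmp" the echo-reply is not matched to the outbound echo
!    and is dropped on the lower-security outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 3. Needed only for the ASA itself to source pings from "inside" across the
!    site-to-site tunnel (the "ping inside 10.2.0.1" test above). It also makes
!    the inside address reachable for management from the far end of the tunnel,
!    so keep the ssh/http lines limited to the addresses that actually need it.
management-access inside
ssh 172.19.1.0 255.255.255.0 inside
http 172.19.1.0 255.255.255.0 inside
!
! Verification:
!   show running-config icmp
!   show service-policy inspect icmp
!   show management-access
```

The `icmp` rules only govern pings aimed at the firewall's interface addresses; they do nothing for traffic that crosses the box, which is why the inspection lines are listed separately.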