Cisco Firewall :: Cannot Ping Through ASA 8.2(5) Error %-6-302021
Oct 13, 2011
I have a new ASA with 8.2(5). I tried to open ICMP between inside and outside for testing, but I'm always getting the error %-6-302021: An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.
Although I did not add inspect icmp in the default inspection class.
I have done the same configuration on another ASA with a different version, 8.0, and it works fine.
Configuration :
------------------------
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
I'm facing a problem regarding loss of ping packets when I do a ping test from a nexus3k to another nexus3k connected directly. However, there are no error counters on the interfaces on either device. The ping failure occurs only when I do a ping test with a large number of ping packets. I don't see the ping loss symptom with the default ping test (the default ping test is 5 packets).
H/W : N3K-C3548P-10G
S/W : 5.0(3)A1(1)
nexus3k# ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2): 56 data bytes
64 bytes from 1.1.1.2: icmp_seq=0 ttl=254 time=2.732 ms
64 bytes from 1.1.1.2: icmp_seq=0 ttl=254 time=2.732 ms
We have a network topology (attached file). Two switches run VRRP. If I ping 10.0.10.3 from switch SW-6504-01 with source 10.0.10.2, the ping loses one packet every 10 packets. We have other VLAN interfaces with the same problem.
This is some config:
!
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet3/47
I am able to ping from the switch to the firewall inside IP and the user desktop IP, but unable to ping from the user desktop to the FW inside IP. Config is below for both the switch and the FW, a Cisco ASA5510.
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on its inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet. I've included the ASA's running config in case anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no NAT going on. Lastly (and possibly relevant), the firewall is actually going at the end of a VLAN, which is different to the firewall's inside VLAN number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
Internet ISP -> Juniper SRX 210 Ge-0/0/0 Juniper fe0/0/2 -> Cisco ASA 5505 Cisco ASA 5505 -> Internal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured with the internal public LAN pool provided by the ISP. This port is directly connected to Cisco ASA 5505 E0/0. It's a /28 pool IP address. This interface is configured as outside and the security level is set to 0.
From the Juniper SRX, I am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1. Configured ICMP inspection on the ASA.
2. Used the packet tracer in the ASA; it shows the packet is flowing outside without a drop.
3. Allowed all services in the untrust zone inbound traffic in the Juniper SRX.
4. Viewed the logs when I was trying the ping to 8.8.8.8 in the ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
I have 2 FWSM modules in a 6500 switch (failover). I need 5 contexts. When I use routed mode (like in the picture), I cannot ping the servers behind the firewall (I can ping the FW context). In transparent mode, it is not happening. What is the problem with routed mode?
We are going to implement Spectrum (CA) in my network. I have an ASA-5580-20 firewall, and my Spectrum server needs to communicate with the firewall; only then will it discover the firewall logs. Now the problem is my Spectrum server is in the MZ zone (10.10.10.45), whose security level is 70, and my inside interface (10.20.20.101) has security level 100.
I am unable to ping from the Spectrum server to the firewall because of the high security level. How can I solve this problem? Can I change my inside security level to 69? Then I think it will ping.
I've recently swapped out an old pix firewall for a new ASA5505 and have been trying to match the configs as best I can. However I still can't ping the new firewall from the server and it still won't let them serve out. The firewall exists on a separate VLAN (vlan30), but the previous pix never seemed to care about that. I'm wondering if that might be part of the problem.
I am trying to introduce an ASA5520 to my network based on the following diagram: ISP Internet ------> ASA5520 ------- > Cisco Router ------> LAN. The problem is I cannot ping the ASA from the LAN. I can ping it from inside the router. I already allow ICMP within the ASA. If I remove the Cisco router and replace it with a switch, I can ping the ASA with NO problem.
I have Vlan 100 (inside) and Vlan 65 (outside). I'm trying to configure RDP and ping traffic from Vlan 100 to Vlan 65, one way. If I connect 2 PCs on E0/0 and E0/1 they can happily ping their own VLAN IP addresses, 192.168.100.3 and 172.16.65.1. I've copied my config,
I am unable to ping my computer (attached via crossover). I can ping from the PC, but not from the PIX515. I'm using ethernet 1, and I have its IP set at 192.168.1.2/24, but for whatever reason I am unable to contact the computer. I tried messing with the access list a little bit but nothing so far.
PIX515(config)# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto
nameif ethernet0 outside security0
I just received a new SR520-FE router and am having a hard time getting it configured right. As of now it is in my lab in a simulated "customer environment". I can ping what's behind it and what's in front of it, but I can't get outside access. I know it's probably something small so I am hoping another pair of eyes might be able to see what I don't. Here is the running-config. It's the factory setup minimally adjusted.
SR520 Base Config - MFG 1.0
User Access Verification
Username: cisco
Password:
SR520#show run
Building configuration...
Current configuration : 6177 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SR520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$m/V3$CM6/dHniD1KgHsPZV6jV70
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-
I have a simple lab setup in GNS3. I'm having a problem pinging from the ASA to the outside world. If I'm in the router, I can ping fine (ping 4.2.2.2) and I'm getting replies back. But no luck on the ASA itself. For now I just wanted to get the ASA to ping outside the cloud. Then later I'll play around with the host PC. ASA Version 8.4(2) [code]
I have inherited an ASA5505 problem. We're trying to manage the ASA remotely - we can connect to the device remotely via IPSec, we can ping other devices on the LAN network, but cannot ping the inside interface of the ASA - nor can we telnet/ssh/http to it. We can, however, connect to another router that's on the LAN and then SSH into the ASA's inside interface.
My IP via VPN: 10.133.20.8
The ASA interface we're trying to connect to via SSH or ASDM: 10.4.209.254
A router on the LAN we can connect to: 10.4.209.250
We can ping other LAN devices such as 10.4.209.75, .90, .150 - so it's not a NAT/Route/Split Tunnel issue. I've attached the ASA config.
I have Cisco ASA5520 with a 8.4 code in GNS3. I have a problem pinging to the internet. On the ASA console, I can ping to outside world, but on vpc I cannot ping the outside world. But I can ping the ASA Inside interface and other VLANs, no problem. [code]
I just setup my home network with Pix 515 acting as my router/firewall but I can't seem to ping my internal PC from my ASA. I can access the internet and ping my Pix 515 inside interface from my pc but I can't ping my pc from my Pix 515. I can also renew/release IP's from my PC. I also did a packet tracer and it says that it was dropped due to an access list but I have one in place. Also my switch has the default config. Below is my config
Internet <----> Comcast modem <-----> Pix 515 <-------> Cisco switch <-----> PC
MYFIREWALL# sh run
: Saved
We are using a Cisco ASA 5580 (8.2) firewall. When I try to ping from the inside LAN to the firewall DMZ interface IP it is not pingable, but from inside users I am able to ping the firewall inside interface IP address.
I think we can't ping to other interfaces of ASA by default. But can we allow the single IP address who can ping all the interfaces of firewall?
We are not doing any natting in firewall, for that we used the Load Balancer.
I currently have an ASA 5510 unit. I have a DMZ setup which houses some web servers and an inside interface. The web servers have multiple public IP addresses which I have NATted, and access is fine. What is the simplest way to enable ping for my DMZ from the outside? Meaning, if someone outside the network pings one of the servers by its public IP address, I would like it to respond to ping.
I cannot seem to determine exactly why I am not able to ping from the inside to outside using the standard 100/0 security levels respectively. I am dynamic NATting the inside to the outside interface, something I don't usually do, but cannot see why ICMPs are not passing through.
The Packet trace tool says there is something in the ACL but there really isn't.
Is there simply an issue of Natting to the WAN interface on a 5510?
host PC (192.168.9.3) -----> gateway (192.168.9.2) ----- Pix E1 (192.168.9.1)/Pix E0 (81.x.x.250) ------ Internet
The 192.168.9.2 gateway is a 3560 switch connected to the PIX. I can ping out to the Internet via IP from the PIX, but not via the host PC (192.168.9.3) on the LAN. PIX and gateway configs below. Am I missing something that's preventing me pinging out to the Internet from the internal LAN?
PIX config
test-cal-pix01# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname test-cal-pix01
enable password btf1YD.Vq7mE6vEA encrypted
We want to use an ASA as a pure routing device. Our network has several internal subnets (10.1.x.0/24), and we want to be able to reach them from outside and to allow access between them.
We have defined a VLAN for each subnet range with the same security-level, added it to an Ethernet port and made the Ethernet that acts as outside a trunk, and defined it as the global routing.
We cannot ping any of the subnet IPs defined in the ASA from outside, nor can we ping it from the internal IP addresses.
I am trying to configure Nat on a clean ASA 5505, but can't get it to work. I ran the commands below. On the ASA I can ping the internet and inside vlan ip. On my laptop I can ping the ASA inside vlan ip, but I can't ping the outside vlan ip. From another network I can ping the ASA outside public ip. Is there an access-list that denies inside from accessing outside?
I am running version 8.4(3) and I erased the existing configuration.
I'm a Cisco ISR, setting up my first ASA, which seems to be going well. I've set up an IPSEC VPN to a non-Cisco device, and have connectivity between devices in each subnet.
-Subnet A - non Cisco - 10.10.13.0/24
-Subnet B - ASA 5505 - 192.168.2.0/24 (ASA is .254)
From Subnet A I can ping every device except the ASA on .254.
Edited config attached, IPs changed for privacy, passwords removed. Let me know if I've removed too much of the config.
I have 2 ASAs and would like to build a Side-to-Side VPN between these ASAs, so I can learn something about configuring an ASA for different things. But now I cannot ping from a client to the Internet router. My configuration is:
I cannot seem to ping from the outside of my 5520 firewall to an inside network. I have a single physical outside interface connected to a Layer 2 switch, with a laptop connected to it. This is on network 10.11.131.0/28. From there, I cannot ping to the inside interface (which is a sub interface on G0/0) with network 10.11.130.0/24. For some reason, it doesn't work.
Now. I had access-lists in place, but have removed them for testing and it still doesn't work. I have set the security level of inside and outside to 100, and entered the same-security-traffic permit inter-interface command - still no joy. Below is the relevant configuration.
I've got a little problem with my ASA 5515-X after upgrade from version 8.6 to 9.1.
I've got two 5515-X in A/S mode and upgraded both as described on Cisco's website (first standby unit, failover, etc.). Everything worked just fine except pinging the ASA interfaces themselves. Before the upgrade it was possible to ping from any subnet to the internal interface, but now it's not. If I'm on the router next to the ASA I'm able to ping, but every ping from behind that router fails. The ICMP packets get into the ASA (the counter on the ACL goes up), but no reply gets back to the source.
The configuration for ICMP was not changed and says "permit 0.0.0.0 0.0.0.0" for any ICMP on the internal interface. The router between my subnet and the ASA has no ACL installed and - as said above - the ICMP obviously gets to the ASA but doesn't come back!?
I have been tasked with replacing our company eSoft router with a Cisco ASA 5505 with the upgraded security license. I have been working on the configuration for a couple of weeks now, after reading hundreds of forum posts, watching youtube videos, and endless google searching, and despite my best efforts I am still having an issue I can’t figure out.
I have a couple of subnets, that when the ASA is connected, I cannot ping, nor can they get to the internet or our Exchange server. At this point I’m not sure if it’s an access rule issue, NAT issue, or DNS issue.
Here is the network layout:
ASA: 192.168.0.2 (Primary Gateway)
192.168.0.0 (Primary facility, ASA is the gateway)
192.168.2.0 (Second facility, connected via Verizon point-to-point)
192.168.3.0 (Third facility, connected via Verizon point-to-point)