Not able to ping inside the interface from outside

Hello

I'm trying to simulate a new network like the topology diagram below:

Topology

However, I have a problem:

ASA:

I can ping to:

192.168.200.1 (Site_RTR IP, int fa0/1)

192.168.200.2 (ASA vlan interface IP, outside interface)

10.133.95.12 (DC_RTR, int fa0/1)

10.133.200.1 (ASA vlan interface IP, inside interface)

10.133.200.23 (machine)

From the Site_RTR, I can ping:

10.133.95.12

192.168.200.1

192.168.200.2

10.133.200.23 (machine)

but not

10.133.200.1 (ASA vlan interface IP, inside interface)

Question 1:

Is it possible to access/ping this inside interface IP address from outside?

Question 2:

All 10.0.0.0/8 subnets will go through the outside interface; however, Internet traffic goes out through interface outside2.

I haven't set up any NAT. Is it correct to NAT everything going out through outside2?

nat (inside,outside2) source dynamic any interface

Configuration

Thanks for the help.

JJ

Hi JJ,

If you plan to ping the inside interface IP address while the traffic is coming from any interface other than inside, you won't be able to ping the inside interface IP address.

This is by design, and you cannot change it by any ACL or other settings.

Thank you
Ishan
Please do not forget to select a correct answer and rate useful posts

Tags: Cisco Security

Similar Questions

  • ASA 5540 - cannot ping inside the interface

    Hi all. We have recently upgraded PIX to ASA5540 and we saw a strange thing going on. In a word, we can ping the inside interface of the ASA from any range on our 6500 network (which is connected directly behind the ASA on the inside) but the one where our monitoring tools are placed. On the inside there is an ACL that allows all of our core networks, but it does not help, which is really strange.

    In the ASDM, I see messages like this:

    ID ICMP echo request: 2004 x.x.x.x y.y.y.y on the inside interface to. I don't think that's the problem, but I could be wrong.

    This is also the configuration of the interface VLAN VIRTUAL local area network from which we cannot ping inside the interface we can ping to and since this VLAN and machines without problem. The only problem is ping the inside interface of the ASA.

    interface Vlanx
     ip address x.x.x.x 255.255.255.0
     ip directed-broadcast 199
     ip accounting output-packets
     ip pim sparse-dense-mode
     ip route-cache flow
     load-interval 30

    Has anyone experienced a problem like this before? Thanks in advance for any help.

    Can you post the output of the following on the ASA:-

    show route

    And the output of your base layer diverter: -.

    show ip route<>

    HTH >

  • Cannot ping inside the ASA from the inside interface

    Don't know what I did wrong... appreciate any help

    Here is the layout

    laptop--> cisco 3750 switch--> ASA5505 firewall--> future VPN tunnel

    The laptop, the switch VLAN interface and the ASA inside interface are all in the same subnet

    Switch and ASA have all interfaces in VLAN 52 (the subnet in question), except for the external interface

    -----------------

    This is the problem

    laptop getting ip addressing and def GW via DHCP from the firewall

    switch and FW can ping each other without problem

    FW can't ping, still gets the DHCP scope.

    Thank you

    Dave

    Hello

    How did you setup?

    The laptop is connected to a port of the 3750 (VLAN 52).

    Is the connection between the 3750 and the ASA a trunk or an L3 link?

    If the 3750 has an SVI belonging to VLAN 52, can you ping it from the PC? As well as from the ASA?

    Federico.

  • ASA - upgrade to 8.4, impossible to ping inside the interface via IPSec VPN

    We have configured a 5-site, site-to-site VPN scenario.   Last week, we upgraded 2 ASA 5505 devices to 8.4.2.   Before the upgrade, our monitoring software would ping the inside interface from remote devices to confirm VPN tunnels were established, as well as the addresses of remote devices and the outside of the ASA.   While we were on 8.2, remote equipment successfully pinged the inside interface.   After we went to 8.4.2 we can do a ping to this interface.   We looked at the logs and we see the ICMP traffic listed in the log, but the remote equipment does not receive ICMP traffic back.   We can successfully ping the inside interface from local hardware and the outside interface from remote devices.  In addition, we can ping hosts behind the two devices in both directions successfully.

    We are unable to remotely manage the device through the VPN tunnel

    Net is:

    ASA #1 inside 10.168.107.1 (running ASA 8.2)

    ASA #2 inside 10.168.101.1 (running ASA 8.4)

    Server 1 (behind the ASA #1) 10.168.107.34

    Server 2 (behind the ASA #2) 10.168.101.14

    Can ping server 1 to server 2

    Can ping server 1 to ASA 1

    Can ping server 2 to ASA 2

    Can ping server 2 to server 1

    Can ping server 2 to ASA 1

    Can ping ASA 2 to ASA 1

    Cannot ping ASA 1 to ASA 2

    Cannot ping server 1 to ASA 2

    Cannot access ASA 2 via https on the management interface, nor with the ASDM software

    Here is the config on ASA 2 (attached).

    Any thoughts would be appreciated.

    Hey Joseph,

    Most likely, you hit this bug:

    CSCtr16184            Bug details
    To-the-box traffic breaks from VPN hosts after upgrade to 8.4.2.
    Symptom:
    After upgrading the ASA to 8.4.2, all management traffic to-the-box (including
    ICMP/telnet/ssh/ASDM) from hosts over the VPN (L2L or remote access VPN) can
    fail to the management-access interface IP address.
    Conditions:
    1. The problem occurs if the ASA is on 8.4.2. Not seen on 8.4.1.
    2. Users directly connected to the internal interfaces face no problem with
    ICMP/telnet/ssh/ASDM to their respective interfaces.
    Workaround:
    The problem goes back to a manual NAT statement that overlaps with the
    management-access interface IP address. The NAT statement must have both the
    source and destination fields. Adding the keyword "route-lookup" at the end of
    the NAT statement solves the problem.
    Ex:
    The ASA's management-access interface IP address is 192.168.1.1.
    ! Overlapping NAT statement:
    nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static vpn-obj vpn-obj
    ! New statement:
    nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static vpn-obj vpn-obj route-lookup

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

    HTH,

    Raga
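A configuration check for the condition described in the CSCtr16184 workaround above, as an added example that is not part of the original posts or of Cisco's bug text: it lists manual NAT statements (source plus destination) whose real source object contains the `management-access` interface address and that lack `route-lookup`. The sample configuration is constructed, the function names are this example's own, and only `subnet` and `host` network objects are resolved.

```python
import ipaddress
import re

# Constructed ASA 8.4-style configuration (sample input, not from the thread).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
management-access inside
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-dmz
 subnet 172.16.5.0 255.255.255.0
object network vpn-obj
 subnet 10.10.0.0 255.255.0.0
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static vpn-obj vpn-obj
nat (inside,outside) source static obj-dmz obj-dmz destination static vpn-obj vpn-obj
"""

# Manual (twice) NAT carrying both a source and a destination clause.
NAT_RE = re.compile(
    r"^nat \((?P<real>[^,]+),[^)]+\)(?: after-auto)?(?: \d+)? source (?:static|dynamic)"
    r" (?P<src>\S+) \S+ destination static \S+ \S+(?P<rest>.*)$")


def parse_config(text):
    """Return (management-access nameif, {nameif: ip}, {object: network}, [nat lines])."""
    mgmt_if, if_ips, objects, nats = None, {}, {}, []
    nameif = obj = None
    for raw in text.splitlines():
        tok = raw.split() or [""]
        if not raw.startswith(" "):      # a top-level command leaves any sub-mode
            nameif = obj = None
        if tok[0] == "nameif" and len(tok) == 2:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4 and tok[2][0].isdigit():
            if_ips[nameif] = ipaddress.ip_address(tok[2])
        elif tok[:2] == ["object", "network"] and len(tok) == 3:
            obj = tok[2]
        elif tok[0] == "subnet" and obj and len(tok) == 3:
            objects[obj] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
        elif tok[0] == "host" and obj and len(tok) == 2:
            objects[obj] = ipaddress.ip_network(tok[1])
        elif tok[0] == "management-access" and len(tok) == 2:
            mgmt_if = tok[1]
        elif tok[0] == "nat" and not raw.startswith(" "):
            nats.append(" ".join(tok))
    return mgmt_if, if_ips, objects, nats


def nat_missing_route_lookup(text):
    """List manual NAT lines that cover the management-access IP without route-lookup."""
    mgmt_if, if_ips, objects, nats = parse_config(text)
    mgmt_ip = if_ips.get(mgmt_if)
    findings = []
    for line in nats:
        m = NAT_RE.match(line)
        if mgmt_ip is None or not m or m["real"] not in (mgmt_if, "any"):
            continue
        net = objects.get(m["src"])
        if net is not None and mgmt_ip in net and "route-lookup" not in m["rest"].split():
            findings.append(line)
    return findings
```

Calling `nat_missing_route_lookup()` on a saved running configuration returns the statements to review; the second NAT line in the sample is not reported because its source object does not contain the inside interface address.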

  • Ping inside the interface on a Pix 501 from outside the network

    All,

    I have a Pix 501 firewall at a remote site with an IPSEC tunnel established to HQ. We have a monitoring tool which pings remote sites to proactively let us know when a site goes down. I want to set up this tool to ping the inside interface of the Pix, as I can with 871 routers; however, I can't configure the Pix to allow ICMP to the inside interface. I know that by default the Pix does not allow ICMP to the opposite interface, and I was wondering if someone could help me with a configuration that will allow this? I enclose my configuration of the Pix!

    Thank you

    Brian

    Hello

    Looking at the command lookup tool, it seems that the 'management-access' command was introduced in version 6.3

    I recommend moving to 6.3 if you can.

    Federico.

  • Can not handle the ASA inside the interface of Site to Site VPN

    Hi all

    I was deploying a new site-to-site VPN between ASA 8.0 (HQ) and ASA 8.4 (branch). Everything works fine, but I have a problem reaching the remote ASA: I can't manage the branch ASA via its inside interface IP address.

    My setup on remote ASA

    management-access inside

    icmp permit any inside

    ssh 0.0.0.0 0.0.0.0 inside

    snmp-server host inside 10.0.1.101 community test-snmp version 2c

    My Test

    -ping of the AC for inside the interface of remote ASA

    • Client time-out see demand
    • When debug icmp on ASA remote then ASA show only ICMP request to HQ no response back from remote ASA

    I'm not sure whether it's a bug on ASA 8.4 or not, because I can manage another remote ASA running software version 8.0 from HQ

    Thanks in advance

    Do not know what 8.4 version you use, but it is broken in 8.4(2); I stumbled upon the same problem after the upgrade. SSH and ASDM will not connect to the inside interface through an L2L VPN. This worked well in 8.4(1).

    CSCtr16184

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

  • Not able to ping from EXSI and NEXUS of EXSI HOST default gateway

    Hello

    In my topology I use 2960 switch thanks to which are connected the my fabric for interconnection and the NEXUS, I am able to ping ESXI switch but when I ping the blade and the Nexus of ESXI HOST, is not ping and also not able to ping default gateway through EXSI.

    I use X Vlan for all devices.

    Please suggest...

    The first thing is to make sure the VLAN ESX is defined from the NETWORK adapter to the router. the 5K the routing in this case? Also the fabric of interconnections and the pool mgmt of blade must be on the same VLAN / subnet. It seems that the FIM is on

    .7/25 and blade MMIC in sur.100/25. They must be on the same subnet. for ESX, please ensure that your vNIC has the VLAN correct represented and that his license.

    Hope this helps,

    David Jarzynka

  • Cannot ping ASA inside the interface via VPN

    Hello

    I have a scenario with a VPN tunnel between a router and an ASA, and can ping between the subnet behind the ASA and the subnet behind the router, but I cannot ping the ASA inside interface over the VPN tunnel. I need to access ASDM from the remote location. How can it be done?

    Thanks for your suggestions.

    Remi

    Hello

    You must have the 'management-access inside' command configured on the ASA.

    If you run 8.3 software or newer on the ASA, you should also look at the 'nat' configuration IF the above command does not solve your problem

    -Jouni

  • Inside the interface of access IPSec on PIX

    Hi all

    I need advice with the following problem.

    I have a PIX 515E with 3 interfaces: inside, DMZ and outside, on 6.3(3). Is it possible to access the DMZ as well as the inside interface with IPSec from the Cisco VPN client? IPSec creates a tunnel, the client has a new address from the address pool, but in the log I have a message: translation not found etc... when I try to reach any device in the DMZ. The reason seems to be with nat (dmz) 0, which should be inside the DMZ (social security social security 50 0). Even if I use nat (dmz) 0-list of remote access apart from it does not work. Any tips?

    Thank you

    Zdenek

    Hello

    Can you check if you are able to access the DMZ from the inside? If so, then u shud be able to access DMZ to connect remotely. This is because once the VPN client obtains the IP address of the inside pool, it's as good as he is in your home LAN. You can try putting inside DMZ natting... I mean put this command nat 0 because inside the DMZ, which will allow access to DMZ devices inside.

  • Not able to connect to the server with modem 56 k

    I try to connect my Tecra via modem 56 k Internet.
    Also, I tried with another computer laptop with the same details and that worked.
    But when I try it on my Tecra I get an error that is not able to connect to the server.

    So I think that it is a parameter that is not defined correctly for the modem.
    (If you compare it to another laptop all parameters are the same as windows).

    Thanks in advance,

    Theo

    Hello Theo

    Please remove all the Dial-up connections you created and after that, remove the modem from Device Manager. Restart the device and initially ensure that the modem is properly configured (query modem Agic under Diagnostics). I don't know which Tecra you have, but many of them have the TOSHIBA PC Diagnostic Tool preinstalled. With this tool, you can see all the equipment including the modem.

    After having it set up new Dial-up connection and check the functionality. Be sure to wait for the tone option is disabled.

  • media player does not open

    I tried the benchmark tool, it did not help. I tried the scanning from the prompt, it says that some files were corrupted and could not repair them. There is no error message at all

    Maybe the info will offer something that you haven't tried:

    First, launch... Task Manager...

    How to launch the Task Manager instantly in Windows XP or Vista?
    http://www.XP-Vista.com/tipstricks/how-to-launch-the-Task-Manager-instantly-in-Windows-XP-or-Vista

    The Task Manager / processes tab select (highlight) any which instance of:
    "wmplayer.exe" and left click on the button "complete the process".

    If you see a dialog box 'Warning'... left click Yes.

    Close the Task Manager.

    Try Windows Media Player again.

    And... the following links may be worth a visit:

    (925704) when I try to use Windows Media Player 11, the program
    does not start, or some user interface elements are empty
    http://support.Microsoft.com/kb/925704

    Please see the following article for info on opening a high command
    Prompt in Vista

    Windows Vista - command prompt: frequently asked questions
    http://Windows.Microsoft.com/en-us/Windows-Vista/command-prompt-frequently-asked-questions
    (scroll down to: how to run a command with elevated privileges?)

    Good luck...

  • Not able to connect to the TCP server via the APN

    Hi all

    After Googling carefully I finally decided to post my problem, which is really giving me nightmares.

    In my application, I try to connect to a TCP server by using the operator's internet network and the following connection string

    url = "socket://" + ip + ":" + port + ";deviceside=true;connectionTimeout=30000;apn=;tunnelauthusername=;tunnelauthpassword=;";

    I am able to connect to the internet using the phone's browser, but not able to connect to the TCP server via the app.

    In my device APN authentication is disabled by default and the APN, user name and password fields are blank; that's why I passed these settings as blank in the connection string.

    When I try to connect via the wifi network using the following string

    url = "socket://" + ip + ":" + port + ";deviceside=true;interface=wifi;connectionTimeout=30000;";

    I am able to connect to the server, but not in the case of the APN.

    Please help me...

    I'm here just stuck and not finding a way out.

    Thank you

    Finally I found the solution to the problem...

    I used ConnectionFactory (network API) to connect to the TCP server and the used connection string is just

    'socket://127.0.0.1:8089 '.

    No need to specify the APN, user name, and password.

    Here's the code used

                     ConnectionFactory connFact = new ConnectionFactory();
                      ConnectionDescriptor connDesc;
                      connDesc = connFact.getConnection("socket://127.0.0.1:8087");
    
  • Not able to connect to the user account, error: user profile Service has no logon

    I'm on a HP Pavilion dv7 with Windows 7.  I created a user account for my wife but she cannot open a session because of the message "the user profile Service has no logon.  User profile cannot be loaded."

    Where and how can I fix it?

    Thank you.

    Larry

    Original title: need help with setting up an account

    Hi Larry,
    Thanks for posting your query in Microsoft Community.

    From your description, it seems that you are not able to connect to the user account when you try to connect you get following error. The user profile Service has no logon

    This behavior can occur if the user profile was deleted manually using the command prompt or by using Windows Explorer. A profile that is manually deleted does not remove the security identifier (SID) of the list of profiles in the registry.

    If the SID is present, Windows will try to load the profile using the profile Image path that points to a nonexistent path. Therefore, the profile cannot be loaded.

    To resolve the problem with the user account, you can follow these steps:
    Method 1:
    (a) click Start, type regedit in the start search box, and then press ENTER.
    (b) search for, and then expand the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    (c) right click the SID that you want to remove, and then click on remove.
    (d) log on to the computer and create a new profile.
    You can also check this link:
    Error message when you log a computer Windows Vista-based or Windows 7 by using a temporary profile: "the user profile Service has no logon. Unable to load the user profile.
    http://support.Microsoft.com/kb/947215

    Important: The above section, method, or task contains steps that tell you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click on the number below to view the article in the Microsoft Knowledge Base:

    Method 2: Also, see the steps in the following Microsoft article:

    (a) error message when you log a computer Windows Vista-based or Windows 7 by using a temporary profile: "the user profile Service has no logon. Unable to load the user profile.
    http://support.Microsoft.com/kb/947215

    Note: We strongly advise against making it the standard way to remove the user profiles on computers. Documented and supported approach is using the system advanced settings in the system, "Profiles" settings properties For programs, it is available using the API 'delete profile '.

    (b) how to back up and restore the registry in Windows
    Back up the registry
    http://Windows.Microsoft.com/en-us/Windows7/back-up-the-registry

    (c) IF you still have the problem then you can follow the link provided below to fix the damaged user profile.
    http://Windows.Microsoft.com/en-us/Windows7/fix-a-corrupted-user-profile

    For any Windows help in the future, feel free to contact us and we will be happy to help you.

  • Not able to connect to the homegroup, it requires username and password

    Original title: h/group connection on my year old d/top & my l/top 6 months, does not. Says I need a/c p/word-WHERE is it? I need to change the system time that is differs from earlier local. - thank you - Stantheman

    Both computers are windows 7. Recently uploaded photo gallery on both, but because they won't talk to each other, I have to copy / paste from one to the other...

    I'm 79 and reasonable computer. Daughter 51 tried very hard, but without success.

    Hi Stanley,

    Welcome to the Microsoft community. As you are not able to connect to the Homegroup, answering a question that helps us provide the best solution:

    What antivirus software do you use?

    Here are a few steps to try:

    Visit the link to check if the homegroup settings is set correctly:

    Homegroup from start to finish
    http://Windows.Microsoft.com/is-is/Windows7/help/HomeGroup-from-start-to-finish

    Method 1:
    Visit the link and try the troubleshooter.
    Open the homegroup troubleshooting utility
    http://Windows.Microsoft.com/en-us/Windows7/open-the-HomeGroup-Troubleshooter

    Method 2:

    Visit the link to learn more ways to connect to the Homegroup.

    Why I can't join a homegroup?
    http://Windows.Microsoft.com/en-us/Windows7/why-can-t-I-join-a-HomeGroup

    Hope this information helps. If you have any other questions feel free to respond and we would be happy to help.

  • I am not able to connect to the HFR (11.1.2.4) studio

    Happy holidays / Merry Christmas!

    My colleagues are able to connect to the HFR (11.1.2.4) studio using the http://servername:8200 / from their laptops

    I am not able to connect to the studio HFR (11.1.2.4) from my laptop.  I get this error message:

    Error 404 - not found

    Of RFC 2068 Hypertext Transfer Protocol - HTTP/1.1:

    10.4.5 404 not found

    Server not found anything matching the request URI. No indication is given whether the condition is temporary or permanent.

    If the server does not wish to make this information available to the client, the status code 403 (refused) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through a configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.


    No idea why?

    Please look at the KM and see if it helps...

    After installing Financial Reporting (FR) Studio under Windows 7, an error at the launch: "run-time error '429': ActiveX component can't create object ' (Doc ID 2011899.1)
