Re: ASA 5505 network behind an access point from Tony Singh on 2012-07-17 (Ccielab archives 07/2012)

From: Tony Singh <mothafungla_at_gmail.com>
Date: Tue, 17 Jul 2012 10:49:47 +0100

hi carlos - thanks but see below...

ciscoasa(config)# same-security-traffic permit inter-interface
ciscoasa(config)# same-security-traffic permit intra-interface
ciscoasa(config)# ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ciscoasa(config)# debug icmp trace 15
debug icmp trace enabled at level 15
ciscoasa(config)# ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
?
Success rate is 0 percent (0/5)

On 17 July 2012 10:36, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:

> http://www.cisco.com/en/US/**products/ps6120/products_tech_**
> note09186a0080734db7.shtml<http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml>?
>
> same security traffic permit intra-interface
>
> -Carlos
>
> Tony Singh @ 17/07/2012 05:21 -0300 dixit:
>
>> hi experts
>>
>> problem
>> network behind wireless is 10.0.0.0/24 unable to access from asa defined
>> dhcp network 192.168.1.0/24
>>
>> topology
>> wireless access point wan port --> ASA inside switchport vlan 1
>>
>> on asa set a static route to say 10.x is behind 192.168.1.7 (which is the
>> address of the wan port of the wireless access point, pings fine from asa
>> and traffic from the 10.x range is able to get out to the internet fine)
>>
>> route inside 10.0.0.0 255.255.255.0 192.168.1.7
>>
>> S 10.0.0.0 255.255.255.0 [1/0] via 192.168.1.7, inside
>>
>> but ping fails
>>
>> ciscoasa(config)# ping 10.0.0.1
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
>> ?????
>> Success rate is 0 percent (0/5)
>>
>> using the ASDM packet tracer facility it show that it is trying to ping
>> from inside to outside interface, it fails due to acl-rule
>>
>> but on asa not seeing it here..
>>
>> ciscoasa(config)# show access-list
>> access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
>> alert-interval 300
>>
>> problem is this probably a private vlan scenario as I have a network
>> within
>> a network on my inside interface so the packet trace going from inside to
>> outside is wrong
>>
>> any advice would be great
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> ______________________________**______________________________**
>> ___________
>> Subscription information may be found at:
>> http://www.groupstudy.com/**list/CCIELab.html<http://www.groupstudy.com/list/CCIELab.html>
>>
>>
>>
>>
>>
>>
>>
>>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Blogs and organic groups at http://www.ccie.net
Received on Tue Jul 17 2012 - 10:49:47 ART

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART