Can you ping .1.7? How many interfaces are you talking about on the ASA?
On Jul 17, 2012, at 6:34 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:
> hi carlos
>
> yes sorry should have mentioned from asa - first time playing with these...
>
> from linux host (192.168.1.6)
>
> root@dm8000:~# ping 10.0.0.2
> PING 10.0.0.2 (10.0.0.2): 56 data bytes
>
> not getting anything back
>
> but ASA looks like it's passing the icmp on
>
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38400 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38656 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=38912 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39168 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39424 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39680 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=39936 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40192 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40448 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40704 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673 seq=40960 len=56
>
> On 17 July 2012 10:56, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
>
>> Sorry, I thought you were trying to get from another host to the
>> wireless. Now I see that the ASA is not able to ping.
>> Can you ping a wireless host from another 192.168.1.1 host if you add a
>> route via .7? Sounds like a WLC ACL.
>>
>>
>> Tony Singh @ 17/07/2012 06:49 -0300 dixit:
>>
>>>
>>>
>>> hi carlos - thanks but see below...
>>>
>>> ciscoasa(config)# same-security-traffic permit inter-interface
>>> ciscoasa(config)# same-security-traffic permit intra-interface
>>> ciscoasa(config)# ping 10.0.0.1
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
>>> ?????
>>> Success rate is 0 percent (0/5)
>>>
>>> ciscoasa(config)# debug icmp trace 15
>>> debug icmp trace enabled at level 15
>>> ciscoasa(config)# ping 10.0.0.1
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
>>> ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
>>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139 seq=39650 len=72
>>> ?
>>> Success rate is 0 percent (0/5)
>>>
>>>
>>>
>>> On 17 July 2012 10:36, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
>>>
>>> http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
>>> ?
>>>
>>> same security traffic permit intra-interface
>>>
>>> -Carlos
>>>
>>> Tony Singh @ 17/07/2012 05:21 -0300 dixit:
>>>
>>> hi experts
>>>
>>> problem
>>> network behind wireless is 10.0.0.0/24
>>>
>>> unable to access from asa defined
>>> dhcp network 192.168.1.0/24
>>>
>>>
>>> topology
>>> wireless access point wan port --> ASA inside switchport vlan 1
>>>
>>> on asa set a static route to say 10.x is behind 192.168.1.7 (which is the
>>> address of the wan port of the wireless access point, pings fine from asa
>>> and traffic from the 10.x range is able to get out to the internet fine)
>>>
>>> route inside 10.0.0.0 255.255.255.0 192.168.1.7
>>>
>>> S 10.0.0.0 255.255.255.0 [1/0] via 192.168.1.7, inside
>>>
>>> but ping fails
>>>
>>> ciscoasa(config)# ping 10.0.0.1
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
>>> ?????
>>> Success rate is 0 percent (0/5)
>>>
>>> using the ASDM packet tracer facility it shows that it is trying to ping
>>> from inside to outside interface, it fails due to acl-rule
>>> but on asa not seeing it here..
>>>
>>> ciscoasa(config)# show access-list
>>> access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
>>>             alert-interval 300
>>>
>>> problem is this probably a private vlan scenario as I have a network within
>>> a network on my inside interface so the packet trace going from inside to
>>> outside is wrong
>>>
>>> any advice would be great
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>> --
>>> Carlos G Mendioroz <tron_at_huapi.ba.ar>
>>> LW7 EQI Argentina
>>>
>> --
>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
Received on Tue Jul 17 2012 - 11:57:48 ART