I see. I do know that you can ping from an inside interface through a VPN tunnel to a remote host, and vice-versa although you need the "management-access inside" command. You can generate "interesting traffic" this way as well:

ASA(config)# show cry ips sa | i ident
      local ident (addr/mask/prot/port): (10.4.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)

####Ping remote host through tunnel from inside
ASA(config)# ping inside 10.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 110/124/130 ms

####Disable management-access
ASA(config)# no management-access inside
ASA(config)# ping inside 10.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

####Enable management-access
ASA(config)# management-access inside
ASA(config)# ping inside 10.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/128/140 ms
ASA(config)#

On Fri, 2011-02-25 at 16:11 -0500, Matthew Huff wrote:
> Cisco PIX/ASA are not routers. For example, you cannot ping from the inside
> network to the outside interface, or any other similar type of test.
>
> > -----Original Message-----
> > From: cisco-nsp-boun...@puck.nether.net
> > [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tom Sutherland
> > Sent: Friday, February 25, 2011 4:01 PM
> > To: Michael Loether
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] ASA 5505 doesn't like itself
> >
> > as a test, you might try:
> >
> > icmp permit any inside
> > icmp permit any outside
> >
> > from cisco command reference:
> >
> > "To configure access rules for ICMP traffic that terminates at a
> > adaptive security appliance interface, use the icmp command."
> >
> > On Thu, 2011-02-17 at 16:53 -0500, Michael Loether wrote:
> >
> > > I have an ASA 5505 I am setting up at a small branch office. Working
> > > towards a site to site VPN but first I need to get it to talk to itself.
> > > Traffic is not passing from inside to outside.
> > >
> > > interface Vlan1
> > >  nameif inside
> > >  security-level 100
> > >  ip address 172.19.1.1 255.255.255.0
> > > !
> > > interface Vlan2
> > >  nameif outside
> > >  security-level 0
> > >  ip address 64.183.175.22 255.255.255.252
> > > !
> > > interface Ethernet0/0
> > >  switchport access vlan 2
> > > !
> > > interface Ethernet0/1
> > > !
> > > nat (inside,outside) after-auto source dynamic any interface
> > >
> > > DHCPd is running on VL 1 and it is handing out IPs as expected.
> > >
> > > ping inside 64.183.175.21
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 64.183.175.21, timeout is 2 seconds:
> > > ?????
> > > Success rate is 0 percent (0/5)
> > >
> > > ACLs are any any ip on both inside and outside.
> > >
> > > Any suggestion would be appreciated.
> > >
> > > Mike
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp@puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/