Turn off firewall on host.
Regards,
Joe Sanchez
On Jul 17, 2012, at 5:36 AM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> Please add a route *to the host* (i.e. the linux) so you can take the ASA out of the question...
>
>
> Tony Singh @ 17/07/2012 07:32 -0300 dixit:
>>
>>
>> hi carlos
>>
>> yes sorry should have mentioned from asa - first time playing with these...
>>
>> from linux host (192.168.1.6)
>>
>> root_at_dm8000:~# ping 10.0.0.2
>> PING 10.0.0.2 (10.0.0.2): 56 data bytes
>>
>> not getting anything back
>>
>> but ASA looks like it's passing the icmp on
>>
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=38400 len=56
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=38656 len=56
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=38912 len=56
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=39168 len=56
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=39424 len=56
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=39680 len=56
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=39936 len=56
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=40192 len=56
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=40448 len=56
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=40704 len=56
>> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
>> seq=40960 len=56
>>
>>
>>
>>
>>
>>
>> On 17 July 2012 10:56, Carlos G Mendioroz <tron_at_huapi.ba.ar
>> <mailto:tron_at_huapi.ba.ar>> wrote:
>>
>> Sorry, I thought you where trying to get from another host to the
>> wireless. Now I see that the ASA is not able to ping.
>> Can you ping a wireless host from another 192.168.1.1 host if you
>> add a route via .7 ? Sounds like a WLC ACL.
>>
>>
>> Tony Singh @ 17/07/2012 06:49 -0300 dixit:
>>
>>
>>
>> hi carlos - thanks but see below...
>>
>> ciscoasa(config)# same-security-traffic permit inter-interface
>> ciscoasa(config)# same-security-traffic permit intra-interface
>> ciscoasa(config)# ping 10.0.0.1
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
>> ?????
>> Success rate is 0 percent (0/5)
>>
>> ciscoasa(config)# debug icmp trace 15
>> debug icmp trace enabled at level 15
>> ciscoasa(config)# ping 10.0.0.1
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
>> ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139
>> seq=39650 len=72
>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139
>> seq=39650 len=72
>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139
>> seq=39650 len=72
>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139
>> seq=39650 len=72
>> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139
>> seq=39650 len=72
>> ?
>> Success rate is 0 percent (0/5)
>>
>>
>>
>> On 17 July 2012 10:36, Carlos G Mendioroz <tron_at_huapi.ba.ar
>> <mailto:tron_at_huapi.ba.ar>
>> <mailto:tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>>> wrote:
>>
>> http://www.cisco.com/en/US/____products/ps6120/products_tech_____note09186a0080734db7.shtml
>> <http://www.cisco.com/en/US/__products/ps6120/products_tech___note09186a0080734db7.shtml>
>>
>>
>> <http://www.cisco.com/en/US/__products/ps6120/products_tech___note09186a0080734db7.shtml
>> <http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml>>
>> ?
>>
>> same security traffic permit intra-interface
>>
>> -Carlos
>>
>> Tony Singh @ 17/07/2012 05:21 -0300 dixit:
>>
>> hi experts
>>
>> problem
>> network behind wireless is 10.0.0.0/24
>> <http://10.0.0.0/24> <http://10.0.0.0/24>
>>
>> unable to access from asa defined
>> dhcp network 192.168.1.0/24 <http://192.168.1.0/24>
>> <http://192.168.1.0/24>
>>
>>
>> topology
>> wireless access point wan port --> ASA inside
>> switchport vlan 1
>>
>> on asa set a static route to say 10.x is behind 192.168.1.7
>> (which is the
>> address of the wan port of the wireless access point,
>> pings fine
>> from asa
>> and traffic from the 10.x range is able to get out to the
>> internet fine)
>>
>> route inside 10.0.0.0 255.255.255.0 192.168.1.7
>>
>> S 10.0.0.0 255.255.255.0 [1/0] via 192.168.1.7, inside
>>
>> but ping fails
>>
>> ciscoasa(config)# ping 10.0.0.1
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is
>> 2 seconds:
>> ?????
>> Success rate is 0 percent (0/5)
>>
>> using the ASDM packet tracer facility it show that it
>> is trying
>> to ping
>> from inside to outside interface, it fails due to acl-rule
>>
>> but on asa not seeing it here..
>>
>> ciscoasa(config)# show access-list
>> access-list cached ACL log flows: total 0, denied 0
>> (deny-flow-max 4096)
>> alert-interval 300
>>
>> problem is this probably a private vlan scenario as I
>> have a
>> network within
>> a network on my inside interface so the packet trace
>> going from
>> inside to
>> outside is wrong
>>
>> any advice would be great
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
>> _______________________________________________________________________________
>>
>> Subscription information may be found at:
>> http://www.groupstudy.com/____list/CCIELab.html
>> <http://www.groupstudy.com/__list/CCIELab.html>
>> <http://www.groupstudy.com/__list/CCIELab.html
>> <http://www.groupstudy.com/list/CCIELab.html>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>> Carlos G Mendioroz <tron_at_huapi.ba.ar
>> <mailto:tron_at_huapi.ba.ar> <mailto:tron_at_huapi.ba.ar
>> <mailto:tron_at_huapi.ba.ar>>>
>> LW7 EQI Argentina
>>
>>
>>
>>
>> --
>> Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>>
>> LW7 EQI Argentina
>>
>>
>>
>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
Received on Tue Jul 17 2012 - 06:22:02 ART
This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART