ASA 5505: not routing

Unanswered Question
Feb 14th, 2008

Hello,

My 5505 has an inside IP 10.202.0.X and an outside IP 25.10.10.X. Outside and inside are pingable independently, but 10.202.0.4 cannot ping 25.10.10.X (the ACL rules are OK), and I see nothing in the log.

Help?

Thank you

guibarati Thu, 02/14/2008 - 07:49

Do you have the right NAT configured?

Still, I think you are not able to ping the ASA's own interface.

You need an ACL applied to the outside interface allowing ICMP echo-reply, or enable ICMP in the inspection.

watocisco Thu, 02/14/2008 - 08:01

All these points are good; anyway, I should see some info in the log about the blocked ICMP packet.



watocisco Fri, 02/15/2008 - 02:38

My config is:


WATO-CISCOASA5505-VPN# show running-config
: Saved
:
ASA Version 7.2(3)
!
hostname WATO-CISCOASA5505-VPN
domain-name XXX.fr
enable password XXXXXXXXXXXXX encrypted
multicast-routing
names
!
interface Vlan1
 description Cote Firewall
 nameif FW_PART_VPN
 security-level 100
 ip address 10.202.0.X 255.255.255.0
!
interface Vlan2
 description Cote routeur 9 TEL
 nameif ROOT_9TEL_WWW
 security-level 0
 ip address 62.106.X.X 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXXXXXXXX encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name XXX.fr
access-list ROOT_9TEL_WWW_access_in remark PING TEST
access-list ROOT_9TEL_WWW_access_in extended permit icmp any any echo
access-list ROOT_9TEL_WWW_access_in remark PING REPLY
access-list ROOT_9TEL_WWW_access_in extended permit icmp any any echo-reply
access-list ROOT_9TEL_WWW_access_out remark FLUX MONTANT
access-list ROOT_9TEL_WWW_access_out extended permit ip any any
access-list ROOT_9TEL_WWW_access_out extended permit icmp any any echo
access-list FW_PART_VPN_access_out remark PING TEST
access-list FW_PART_VPN_access_out extended permit icmp any any echo-reply
access-list FW_PART_VPN_access_in extended permit icmp any any echo
access-list FW_PART_VPN_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu FW_PART_VPN 1500
mtu ROOT_9TEL_WWW 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (ROOT_9TEL_WWW) 1 interface
nat (FW_PART_VPN) 1 0.0.0.0 0.0.0.0
access-group FW_PART_VPN_access_in in interface FW_PART_VPN
access-group FW_PART_VPN_access_out out interface FW_PART_VPN
access-group ROOT_9TEL_WWW_access_in in interface ROOT_9TEL_WWW
access-group ROOT_9TEL_WWW_access_out out interface ROOT_9TEL_WWW
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 FW_PART_VPN
http 10.202.0.0 255.255.255.0 FW_PART_VPN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config ROOT_9TEL_WWW
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username devtest nopassword privilege 15
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXX
: end
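Two things in the posted running-config are worth checking mechanically rather than by eye: it contains no `route` statement at all (and `router rip` has no `network` line), so the ASA can only reach the two directly connected subnets; and its only logging destination is `logging asdm informational`, so `show logging` on the CLI has no buffer to display. The script below is an added example, not code from the original post: it parses an ASA config in the shape shown above, answers "which interface would this destination leave on?" with a longest-prefix match over connected subnets and static routes, and flags the settings that explain the symptoms in this thread. The sample config is a constructed excerpt with made-up values in place of the masked octets; the finding names (`NO_STATIC_ROUTE`, `LOG_ASDM_ONLY`, ...) are this example's own.

```python
"""Audit a Cisco ASA running-config for the conditions seen in this thread.

Added example, not code from the original post.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the posted config; masked octets replaced with made-up values.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif FW_PART_VPN
 security-level 100
 ip address 10.202.0.1 255.255.255.0
!
interface Vlan2
 nameif ROOT_9TEL_WWW
 security-level 0
 ip address 62.106.1.1 255.255.255.0
!
access-list ROOT_9TEL_WWW_access_out extended permit ip any any
access-list FW_PART_VPN_access_in extended permit ip any any
logging enable
logging asdm informational
logging debug-trace
global (ROOT_9TEL_WWW) 1 interface
nat (FW_PART_VPN) 1 0.0.0.0 0.0.0.0
access-group FW_PART_VPN_access_in in interface FW_PART_VPN
access-group ROOT_9TEL_WWW_access_out out interface ROOT_9TEL_WWW
router rip
username devtest nopassword privilege 15
"""

# Keywords that name a destination in 'logging <destination> <level>'.
LOG_DESTINATIONS = {"buffered", "console", "monitor", "host", "trap", "asdm", "mail", "history"}


@dataclass
class Interface:
    name: str
    nameif: str = ""
    network: Optional[ipaddress.IPv4Network] = None


def parse_interfaces(config: str) -> list[Interface]:
    """Return every interface that carries an IP address (the connected subnets)."""
    ifaces: list[Interface] = []
    cur: Optional[Interface] = None
    for raw in config.splitlines():
        tok = raw.split()            # tolerates indented and flattened sub-commands
        if not tok:
            continue
        if tok[0] == "interface":
            cur = Interface(name=" ".join(tok[1:]))
            ifaces.append(cur)
        elif tok[0] == "!":
            cur = None               # '!' closes the interface block
        elif cur is not None:
            if tok[0] == "nameif":
                cur.nameif = tok[1]
            elif tok[:2] == ["ip", "address"]:
                cur.network = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
    return [i for i in ifaces if i.network is not None]


def parse_routes(config: str) -> list[tuple[str, ipaddress.IPv4Network, str]]:
    """Static routes: 'route <ifc> <dest> <mask> <gateway> [metric]'."""
    routes = []
    for tok in map(str.split, config.splitlines()):
        if len(tok) >= 5 and tok[0] == "route":
            routes.append((tok[1], ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False), tok[4]))
    return routes


def lookup_egress(config: str, dst: str) -> Optional[tuple[str, str]]:
    """Longest-prefix match over connected subnets, then static routes.

    None means no route at all, the condition behind syslog 110003
    'Routing failed to locate next hop'.
    """
    ip = ipaddress.IPv4Address(dst)
    best: Optional[tuple[str, str, int]] = None
    for i in parse_interfaces(config):
        if ip in i.network and (best is None or i.network.prefixlen > best[2]):
            best = (i.nameif, "connected", i.network.prefixlen)
    for ifc, net, gw in parse_routes(config):
        if ip in net and (best is None or net.prefixlen > best[2]):
            best = (ifc, gw, net.prefixlen)
    return None if best is None else (best[0], best[1])


def audit(config: str) -> list[str]:
    """Return 'CODE: explanation' findings for the symptoms discussed in the thread."""
    lines = [l.strip() for l in config.splitlines()]
    toks = [l.split() for l in lines]
    findings: list[str] = []
    if not parse_routes(config):
        findings.append("NO_STATIC_ROUTE: no 'route' statement, only directly connected subnets are reachable")
    if "router rip" in lines and not any(l.startswith("network ") for l in lines):
        findings.append("RIP_NO_NETWORK: 'router rip' has no network statement, so RIP learns nothing")
    dests = {t[1] for t in toks if len(t) > 1 and t[0] == "logging" and t[1] in LOG_DESTINATIONS}
    if "logging enable" in lines and dests == {"asdm"}:
        findings.append("LOG_ASDM_ONLY: messages go only to ASDM; 'show logging' stays empty without 'logging buffered'")
    bound = {t[1] for t in toks if len(t) > 1 and t[0] == "access-group"}
    for l, t in zip(lines, toks):
        if len(t) > 1 and t[0] == "access-list" and t[1] in bound and "permit ip any any" in l:
            findings.append(f"PERMIT_ANY: {t[1]} is applied and permits ip any any")
    for t in toks:
        if t[:1] == ["username"] and "nopassword" in t and "privilege" in t[:-1]:
            if t[t.index("privilege") + 1] == "15":
                findings.append(f"NOPASSWORD_PRIV15: local user '{t[1]}' has privilege 15 and no password")
    return findings


if __name__ == "__main__":
    for dst in ("10.202.0.4", "62.106.142.5"):
        print(dst, "->", lookup_egress(SAMPLE_CONFIG, dst))
    print("\n".join(audit(SAMPLE_CONFIG)))
```

On the box itself the equivalent check is `packet-tracer input FW_PART_VPN icmp <src> 8 0 <dst>`, whose route-lookup phase fails when no connected subnet or `route ROOT_9TEL_WWW 0.0.0.0 0.0.0.0 <next-hop>` covers the destination; the next-hop address is not given anywhere in this thread, so the script only reports that the statement is absent. The `NOPASSWORD_PRIV15` finding is independent of the routing problem but is the one a reviewer would raise first: `username devtest nopassword privilege 15` is a full-privilege local account with no credential.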

watocisco Fri, 02/15/2008 - 02:40

When I do a packet-tracer, it tells me the packet is dropped because of the implicit ACL rule, but there is no trace in the log! Why?

In fact I think the ASA is not routing my packet.

Please

guibarati Fri, 02/15/2008 - 03:48

Try to remove the access-list from outgoing traffic; leave it only in the IN flow.

watocisco Fri, 02/15/2008 - 04:08

I removed the ACL on outgoing traffic -> the same problem.

Anyway, I did a test with the ping tool:

to ping 62.106.142.X from inside (10.202.0.X)

and got:

6 Feb 15 2008 12:11:25 110003 Routing failed to locate next hop for icmp from NP Identity Ifc:10.202.0.X/0 to FW_PART_VPN:62.106.142.X/0
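The line above is in the ASDM log-viewer format (severity, timestamp, message id, text): the leading 6 is the informational level, 110003 is "Routing failed to locate next hop", and the source "NP Identity Ifc" means the packet was generated by the ASA itself (here, the ping tool). The parser below is an added example, not code from the original post: it recognises that format and the plain syslog form (`%ASA-6-110003: ...`), pulls the interface and address fields out of 110003 and of 106023 (a packet denied by an access-group, the message a packet-tracer "implicit rule" drop corresponds to), and tallies drops by cause. The first sample line is the one quoted in the thread with its masked octets kept; the other lines are constructed to show the syslog form and a non-drop message.

```python
"""Parse Cisco ASA log lines for the two drop messages discussed in this thread.

Added example, not code from the original post.
"""
import re
from collections import Counter

# Severity / timestamp / message-id / text, as the ASDM log viewer shows it.
ASDM_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<id>\d{6})\s+(?P<text>.*)$")
# Syslog form; searched rather than anchored because a relay prepends its own header.
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")

# 110003: Routing failed to locate next hop for <proto> from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>
ROUTE_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\S+) from (?P<src_ifc>.+?):(?P<src>\S+)/(?P<sport>\d+)"
    r" to (?P<dst_ifc>.+?):(?P<dst>\S+)/(?P<dport>\d+)")
# 106023: Deny <proto> src <ifc>:<ip>[/<port>] dst <ifc>:<ip>[/<port>] [(type T, code C)] by access-group "<acl>" [...]
ACL_DENY_RE = re.compile(
    r'Deny (?P<proto>\S+) src (?P<src_ifc>[^:]+):(?P<src>[^\s/]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dst_ifc>[^:]+):(?P<dst>[^\s/]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? by access-group "?(?P<acl>[^"\s\[]+)"?')

# Message id -> (cause label used by this example, detail regex)
CAUSES = {"110003": ("no-route", ROUTE_FAIL_RE), "106023": ("acl-deny", ACL_DENY_RE)}


def parse_asa_log(line):
    """Return a dict of fields for one line, or None if it is not an ASA message."""
    m = ASDM_RE.match(line.strip()) or SYSLOG_RE.search(line)
    if not m:
        return None
    ev = {"severity": int(m.group("sev")), "msg_id": m.group("id"), "text": m.group("text")}
    cause, detail_re = CAUSES.get(ev["msg_id"], (None, None))
    if detail_re is not None:
        d = detail_re.search(ev["text"])
        if d:
            ev.update({k: v for k, v in d.groupdict().items() if v is not None}, cause=cause)
    return ev


def drops_by_cause(lines):
    """Count parsed drop events by cause; non-drop and unparseable lines are ignored."""
    counts = Counter()
    for line in lines:
        ev = parse_asa_log(line)
        if ev and "cause" in ev:
            counts[ev["cause"]] += 1
    return dict(counts)


# Sample input: line 1 is quoted from the thread (masked octets kept as posted);
# the rest are constructed to exercise the syslog form and a non-drop message.
SAMPLE_LINES = [
    "6 Feb 15 2008 12:11:25 110003 Routing failed to locate next hop for icmp "
    "from NP Identity Ifc:10.202.0.X/0 to FW_PART_VPN:62.106.142.X/0",
    'Feb 15 2008 12:12:01 fw1 %ASA-4-106023: Deny icmp src FW_PART_VPN:10.202.0.4 '
    'dst ROOT_9TEL_WWW:62.106.142.5 (type 8, code 0) by access-group "FW_PART_VPN_access_in" [0x0, 0x0]',
    'Feb 15 2008 12:12:02 fw1 %ASA-4-106023: Deny tcp src FW_PART_VPN:10.202.0.4/40000 '
    'dst ROOT_9TEL_WWW:62.106.142.5/80 by access-group "FW_PART_VPN_access_in" [0x0, 0x0]',
    "Feb 15 2008 12:12:03 fw1 %ASA-6-302020: Built outbound ICMP connection "
    "for faddr 62.106.142.5/0 gaddr 62.106.1.1/1 laddr 10.202.0.4/1",
    "not an asa line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_asa_log(line))
    print(drops_by_cause(SAMPLE_LINES))
```

Because 106023 is logged at level 4 (warning) and 110003 at level 6 (informational), a destination configured at `informational` receives both; what decides whether anything is visible on the CLI is whether a buffered, console or monitor destination exists at all, which the posted config does not have.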
