Basic conf ASA 5505

p.maillot
Level 1

Hello,

I'm a newbie on ASA and I need some assistance.

I have this schema.

Host 192.168.1.0/ ---> ASA INSIDE ----->ASA OUTSIDE ------> to my interface router

From host 192.168.1.0/24 I can ping the INSIDE interface of my ASA, but I cannot ping the OUTSIDE interface, nor the interface of my router at this address 172.16.0.5/252.

Below is my config.

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 1I5BT/dHhpGbnQvr encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 100

ip address 172.16.0.6 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit ip any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.0.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

username admin password p1ClWSkbSujddlxc encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:885202205e413b4a47e7f59d572ef3d7

: end


34 Replies

Collin Clark
VIP Alumni

From the inside host you are not allowed to ping the outside interface (that's part of the security of the firewall). From the router you should be able to ping the outside IP though. Try adding this line:

icmp permit any outside

Try pinging and if it fails, take a look at the log (show logging buff | inc ICMP) and see where it's failing.

Hope that helps.

Thanks Collin, but no change with

icmp permit any outside and icmp permit any inside

This command doesn't exist: show logging buff | inc ICMP.

I can do only

ciscoasa# sh logging ?

asdm Show ASDM syslog buffer content

message Show enabled and disabled messages at non-default level

queue Show syslog queue

setting Show syslog setting

| Output modifiers

Try: access-list outside_access_in extended permit icmp any any

Francisco

Should work.

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

Sorry, show logging is correct.

Still the same problem with

access-list outside_access_in extended permit icmp any any

And after sh logging?

ciscoasa# sh logging

Syslog logging: disabled

Facility: 20

Timestamp logging: disabled

Standby logging: disabled

Deny Conn when Queue Full: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: disabled

Trap logging: disabled

History logging: disabled

Device ID: disabled

Mail logging: disabled

ASDM logging: level informational, 0 messages logged

Same problem with:

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

Hello Pascal,

Please do the following:

(Assuming that NAT for internet connection etc does not take place in router for 192.168.1.0/24 network)

nat (inside) 1 0 0

global (outside) 1 interface

interface Vlan2

security 0

no same-security-traffic permit inter-interface

no same-security-traffic permit intra-interface

no access-list inside_access_in extended permit ip any any

no access-list outside_access_in extended permit ip any any

no access-group inside_access_in in interface inside

no access-group outside_access_in in interface outside

policy-map global_policy

class inspection_default

inspect icmp

Regards

Jon Marshall
Hall of Fame

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

Jon

Now why didn't I think of that :)

Good job Jon.

Same problem. See my latest config:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 1I5BT/dHhpGbnQvr encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 172.16.0.6 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any source-quench

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit icmp any any time-exceeded

pager lines 24

logging asdm informational

mtu inside 1500

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 172.16.0.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

username admin password p1ClWSkbSujddlxc encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:885202205e413b4a47e7f59d572ef3d7

: end

ciscoasa(config)#

Use "sh logg | inc icmp" in the CLI and post the output.

When I use "sh logg | inc icmp" under CLI, nothing appears.

Config looks OK; now please explain the problem in detail. Please keep in mind that by default you can NOT ping the inside interface of the ASA from your router connected to the outside interface. And with this configuration, you can NOT ping hosts in 192.168.1.0/24 on their actual IPs, since they are NATed. If you describe exactly what you want to achieve, we will advise accordingly.
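As an added example (not posted by anyone in this thread), a small Python lint that checks a pasted ASA 7.x running-config for the three things the replies above changed: both interfaces at the same security level, nat-control with no nat/global pair, and no return path for ICMP echo replies (neither inspect icmp nor an outside ACL permitting them). The two embedded configs are constructed extracts of the first and the final config in this thread; the line patterns assume the standard 7.2 syntax shown here.

```python
import re

# Constructed extract of the thread's first (non-working) config.
BROKEN_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 100
access-list outside_access_in extended permit ip any any
nat-control
access-group outside_access_in in interface outside
"""

# Constructed extract of the config after the accepted answers were applied.
FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
policy-map global_policy
 class inspection_default
  inspect icmp
"""

def lint_asa_config(config):
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # 1. Both interfaces at the same security level (the thread had 100 and 100).
    levels = {n: int(s) for n, s in re.findall(r"nameif (\S+)\s+security-level (\d+)", config)}
    if "inside" in levels and levels["inside"] == levels.get("outside"):
        findings.append("security-level: inside and outside are both %d" % levels["inside"])
    # 2. nat-control with no nat/global pair: inside hosts get no xlate and are dropped.
    has_nat = any(re.match(r"nat \(inside\) \d+ ", ln) for ln in lines)
    has_global = any(re.match(r"global \(outside\) \d+ ", ln) for ln in lines)
    if "nat-control" in lines and not (has_nat and has_global):
        findings.append("nat-control: no nat (inside)/global (outside) pair")
    # 3. No return path for echo replies: neither 'inspect icmp' nor an outside ACL permitting them.
    m = re.search(r"access-group (\S+) in interface outside", config)
    pat = r"access-list %s (?:extended )?permit (?:ip any any|icmp any any(?: echo-reply)?)$"
    acl_ok = bool(m) and any(re.match(pat % re.escape(m.group(1)), ln) for ln in lines)
    if "inspect icmp" not in lines and not acl_ok:
        findings.append("icmp: no 'inspect icmp' and the outside ACL does not permit echo-reply")
    return findings
```

Paste the output of show running-config into lint_asa_config to run it against a real box; the first config above reports two findings and the final one reports none.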
