Cannot ping internal network from ASA

Unanswered Question
Jun 30th, 2009

I cannot ping an internal computer from the ASA. The computer's IP address is 192.168.187.15; the gateway is 192.168.187.14, which is the ASA's internal interface. I've got an IP phone connected to the same ASA with IP address 192.168.185.15 and internal ASA interface 192.168.185.14, and everything works fine. We are doing testing, so do not be surprised by the configuration.

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif ouside3
 security-level 0
 ip address 10.254.17.25 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
 nameif Lan
 security-level 100
 ip address 192.168.185.14 255.255.255.0
!
interface GigabitEthernet0/3
 nameif comp
 security-level 50
 ip address 192.168.187.14 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list nonat extended permit ip any any
access-list nat2 extended permit ip any any
access-list nonat2 extended permit ip any any
pager lines 24
logging asdm informational
mtu ouside3 1500
mtu outside 1500
mtu Lan 1500
mtu comp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Lan) 0 access-list nonat
nat (Lan) 1 access-list nat
nat (comp) 0 access-list nonat
nat (comp) 1 access-list nat
access-group allow_ping in interface outside
!
router eigrp 2008
 neighbor 10.254.17.10 interface outside
 network 10.254.17.8 255.255.255.248
 network 192.168.185.0 255.255.255.0
 network 192.168.187.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 20 set transform-set myset
crypto map mymap2 interface comp
crypto map mymap3 30 match address 110
crypto map mymap3 30 set peer 10.254.17.26
crypto map mymap3 30 set transform-set myset
crypto map mymap3 interface ouside3
crypto isakmp identity address
crypto isakmp enable ouside3
crypto isakmp enable outside
crypto isakmp enable comp
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threat
....

abinjola Tue, 06/30/2009 - 03:39

What about the other way round: from the computer to the ASA interface, can you ping?

Check if any Security Software/Antivirus may be blocking it.

fgasimzade Tue, 06/30/2009 - 03:43

No pings from the computer to the ASA, and no firewalls installed on the computer. I even replaced the computer with an IP phone; it didn't work either. However, when I plug the same computer into the interface to which the IP phone was connected, the computer can ping the ASA.

abinjola Tue, 06/30/2009 - 04:15

Can you turn on "debug icmp trace" on the ASA, and also set the following captures:

access-l abc permit icmp host 192.168.187.14 host 192.168.187.15
access-l abc permit icmp host 192.168.187.15 host 192.168.187.14
capture cpi access-l abc interface inside

Ping from the computer and see what you get in the debugs and in 'show capture cpi'.

Are the packets arriving on the interface?

fgasimzade Tue, 06/30/2009 - 04:24

This is what I get; it looks like the ASA does not reply. Why?

ciscoasa# sh capture cpi
5 packets captured
1: 05:20:14.494908 192.168.187.15 > 192.168.187.14: icmp: echo request
2: 05:20:19.526935 192.168.187.15 > 192.168.187.14: icmp: echo request
3: 05:20:25.026320 192.168.187.15 > 192.168.187.14: icmp: echo request
4: 05:20:30.525699 192.168.187.15 > 192.168.187.14: icmp: echo request
5: 05:20:36.025084 192.168.187.15 > 192.168.187.14: icmp: echo request

Farrukh Haroon Tue, 06/30/2009 - 06:05

If you do a 'show arp' on the ASA, do you see the MAC address of the PC?

Also, on the PC, do you see the MAC address of the ASA? 'arp -a'

Regards

Farrukh

fgasimzade Tue, 06/30/2009 - 20:31

Yes, the ASA knows the PC's MAC address, and the PC shows the ASA's MAC in its ARP table.

Farrukh Haroon Tue, 06/30/2009 - 21:25

Then I'm sure you have a firewall on your machine; is it Windows?

Also, can you post the output of 'show run all icmp' from the ASA?

Regards

Farrukh

fgasimzade Tue, 06/30/2009 - 21:31

I replaced this ASA with a different one, copied the configs, and I can ping the same computer from that different ASA. So it is not a firewall issue.

fgasimzade Tue, 06/30/2009 - 21:45

The issue is solved; there was a crypto map applied to that interface.

Farrukh Haroon Tue, 06/30/2009 - 22:02

I'm glad that your issue is solved now. It's never a good idea to use 'permit ip any any' in crypto ACLs; it's also not recommended by Cisco (ACL 110).

Regards

Farrukh

fgasimzade Tue, 06/30/2009 - 22:27

Why? What if I have more than 20 subnets to encrypt; is it better to define all of them in the access list or just define any any?

Farrukh Haroon Tue, 06/30/2009 - 22:46

This is because 'routing/control' plane traffic falls under 'permit ip any any'. Your problem was the ideal example: your control plane/management traffic (ping) got tangled in the data traffic (VPN). The same could happen to routing protocol traffic etc. (especially on IOS routers). In the ASA the crypto functions don't affect routing protocol traffic in the same manner.

Regards

Farrukh
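As an added illustration of the point made in the last two posts (not part of the thread or of the original poster's config), the crypto ACL from the posted configuration is shown in its 'any any' form beside a scoped form built with object-groups, which keeps a large number of subnets manageable. The remote subnets and the group names are assumed placeholders; the local subnets and peer addresses are the ones from the posted config.

```cisco
! --- As posted: every packet leaving the interface, including the host's
! --- ICMP echo to the ASA's own 192.168.187.14, matches the crypto map.
access-list 110 extended permit ip any any
crypto map mymap2 20 match address 110
crypto map mymap2 interface comp

! --- Scoped form. Local subnets are from the posted config; the remote
! --- subnets (10.10.0.0/16, 10.20.0.0/16) are assumed placeholders.
object-group network LOCAL_NETS
 network-object 192.168.185.0 255.255.255.0
 network-object 192.168.187.0 255.255.255.0
object-group network REMOTE_NETS_PEER10
 network-object 10.10.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.0.0

! One crypto ACL per peer that matches only the site-to-site traffic.
! Adding a 21st subnet is one network-object line, not a new crypto map.
access-list VPN_PEER10 extended permit ip object-group LOCAL_NETS object-group REMOTE_NETS_PEER10
crypto map mymap 10 match address VPN_PEER10
crypto map mymap 10 set peer 10.254.17.10

! The host-facing interface carries no IPsec peer, so no crypto map belongs
! on it; this is the change that made the ping in the thread work again.
no crypto map mymap2 interface comp

! Keep the NAT exemption aligned with the crypto ACL instead of 'any any'.
access-list nonat extended permit ip object-group LOCAL_NETS object-group REMOTE_NETS_PEER10
```

With the scoped ACL, ICMP between 192.168.187.15 and the interface address 192.168.187.14 no longer matches any crypto map, so it is answered locally rather than being treated as traffic that must wait for an IPsec SA.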
