06-30-2009 02:15 AM - edited 03-10-2019 04:40 AM
I cannot ping an internal computer from the ASA. The computer's IP address is 192.168.187.15; its gateway is 192.168.187.14, which is the ASA's internal interface. I've got an IP phone connected to the same ASA with IP address 192.168.185.15 and internal ASA interface 192.168.185.14, and everything works fine there. We are doing testing, so do not be surprised by the configuration.
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif ouside3
security-level 0
ip address 10.254.17.25 255.255.255.248
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
nameif Lan
security-level 100
ip address 192.168.185.14 255.255.255.0
!
interface GigabitEthernet0/3
nameif comp
security-level 50
ip address 192.168.187.14 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list nonat extended permit ip any any
access-list nat2 extended permit ip any any
access-list nonat2 extended permit ip any any
pager lines 24
logging asdm informational
mtu ouside3 1500
mtu outside 1500
mtu Lan 1500
mtu comp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Lan) 0 access-list nonat
nat (Lan) 1 access-list nat
nat (comp) 0 access-list nonat
nat (comp) 1 access-list nat
access-group allow_ping in interface outside
!
router eigrp 2008
neighbor 10.254.17.10 interface outside
network 10.254.17.8 255.255.255.248
network 192.168.185.0 255.255.255.0
network 192.168.187.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 20 set transform-set myset
crypto map mymap2 interface comp
crypto map mymap3 30 match address 110
crypto map mymap3 30 set peer 10.254.17.26
crypto map mymap3 30 set transform-set myset
crypto map mymap3 interface ouside3
crypto isakmp identity address
crypto isakmp enable ouside3
crypto isakmp enable outside
crypto isakmp enable comp
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threat
....
06-30-2009 03:39 AM
What about the other way round: from comp to the ASA interface, can you ping?
Check if any security software/antivirus may be blocking it.
06-30-2009 03:43 AM
No pings from the computer to the ASA, and no firewalls are installed on the computer. I even replaced the computer with an IP phone; it didn't work either. However, when I plug the same computer into the interface to which the IP phone was connected, the computer can ping the ASA.
06-30-2009 04:15 AM
Can you turn on "debug icmp trace" on the ASA, and also set the following capture (the capture is applied on the interface the PC sits on, which is named comp in this config):
access-l abc permit icmp host 192.168.187.14 host 192.168.187.15
access-l abc permit icmp host 192.168.187.15 host 192.168.187.14
capture cpi access-l abc interface comp
Ping from the computer and see what you get in the debugs and in show capture cpi.
Are the packets arriving on the interface?
06-30-2009 04:24 AM
This is what I get; it looks like the ASA does not reply. Why?
ciscoasa# sh capture cpi
5 packets captured
1: 05:20:14.494908 192.168.187.15 > 192.168.187.14: icmp: echo request
2: 05:20:19.526935 192.168.187.15 > 192.168.187.14: icmp: echo request
3: 05:20:25.026320 192.168.187.15 > 192.168.187.14: icmp: echo request
4: 05:20:30.525699 192.168.187.15 > 192.168.187.14: icmp: echo request
5: 05:20:36.025084 192.168.187.15 > 192.168.187.14: icmp: echo request
06-30-2009 06:05 AM
If you do a 'show arp' on the ASA do you see the mac-address of the pc?
Also on the pc do you see the mac-address of the ASA? 'arp -a'
Regards
Farrukh
06-30-2009 08:31 PM
Yes, the ASA knows the PC's MAC address, and the PC shows the ASA's MAC in its ARP table.
06-30-2009 09:25 PM
Then I'm sure you have a firewall on your machine; is it Windows?
Also, can you post the output of 'show run all icmp' from the ASA?
Regards
Farrukh
06-30-2009 09:31 PM
I replaced this ASA with a different one, copied the configs, and I can ping the same computer from that different ASA. So it is not a firewall issue.
06-30-2009 09:45 PM
Issue is solved: there was a crypto map applied to that interface.
06-30-2009 10:02 PM
I'm glad that your issue is solved now. It's never a good idea to use 'permit ip any any' in crypto ACLs; it's also not recommended by Cisco (ACL 110).
Regards
Farrukh
06-30-2009 10:27 PM
Why? What if I have more than 20 subnets to encrypt: is it better to define all of them in the access list, or just define any any?
06-30-2009 10:46 PM
This is because 'routing/control' plane traffic falls under 'permit ip any any'. Your problem was the ideal example: your control plane/management traffic (ping) got tangled in the data traffic (VPN). The same could happen to routing protocol traffic etc. (especially on IOS routers). On the ASA the crypto functions don't affect the routing protocol traffic in the same manner.
Regards
Farrukh
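As an added example (not from the thread or from Cisco), a small Python audit that reads an ASA running-config and flags every crypto map that is applied to an interface and whose match-address ACL permits ip any any, the condition that swallowed the echo requests in this thread. The config excerpt is constructed from the thread's config, with a constructed scoped ACL named vpn_to_branch as the contrast case that should not be flagged.

```python
import re

# Constructed excerpt modelled on the thread's config: mymap and mymap2 match
# ACL 110 (permit ip any any); mymap3 uses a constructed scoped ACL "vpn_to_branch".
SAMPLE_CONFIG = """\
access-list 110 extended permit ip any any
access-list vpn_to_branch extended permit ip 192.168.187.0 255.255.255.0 10.20.0.0 255.255.0.0
crypto map mymap 10 match address 110
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 interface comp
crypto map mymap3 30 match address vpn_to_branch
crypto map mymap3 interface ouside3
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+(.+)$")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")
BIND_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)$")

def _addr(tokens):
    """Consume one ACE address spec (any | host A | A MASK); return (spec, rest)."""
    if tokens[0] in ("any", "any4"):
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def parse_config(text):
    """Return ({acl: [(proto, src, dst)]}, {(map, seq): acl}, {map: interface})."""
    aces, match, bind = {}, {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := ACE_RE.match(line):
            src, rest = _addr(m.group(3).split())
            dst, _ = _addr(rest)
            aces.setdefault(m.group(1), []).append((m.group(2), src, dst))
        elif m := MATCH_RE.match(line):
            match[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := BIND_RE.match(line):
            bind[m.group(1)] = m.group(2)
    return aces, match, bind

def find_overbroad_crypto_acls(text):
    """Return [(interface, map, seq, acl)] for applied crypto maps whose match ACL
    permits ip any any: that selector also claims traffic to the interface's own
    address (e.g. ping), which is what swallowed the echo requests in the thread."""
    aces, match, bind = parse_config(text)
    findings = []
    for (cmap, seq), acl in sorted(match.items()):
        iface = bind.get(cmap)
        if iface is None:
            continue  # map not applied to an interface, so it matches nothing
        if any(p == "ip" and s == "any" and d == "any" for p, s, d in aces.get(acl, [])):
            findings.append((iface, cmap, seq, acl))
    return findings
```

Run it against a `show running-config` dump to list each interface where a crypto map with an any/any selector is active; the fix is a crypto ACL scoped to the real subnet pairs, as the reply above suggests.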
06-30-2009 11:16 PM
Thank you