ASA 5520 can't ping Config Problem

Unanswered Question
Sep 22nd, 2010

ASA 5520 Config same-security-level Problem

Hi All

I thought that putting an IP address on the outside interface, the inside secure interfaces, a default route to the outside interface, and a couple of NAT statements was all that was needed to get an ASA 5520 working. And that was basically all that was asked.
Like a lot of other stuff that I'm sure you've seen before, more and more requests were added to the original remit, to which I thought, OK, I know my way round this to a certain degree and I'm sure that I'll work out something or find a way round it using all the available stuff from Cisco and the web. (I've got a CCNP Switch exam under my belt, working on the rest, and CCNA Security and Wireless and Field Engineer qualifications, so to a degree consider myself quite knowledgeable. So I thought.)
Anyway, the more I tried to fix the problem the worse it became. I'm not convinced that it's too complicated, but the solution is still eluding me.
What I tried to configure was a system with two separate inside networks for Data and Voice protected by an ASA 5520 which acts as a router and sole access to the outside world for both of these inside networks, but also as a device that would point to other connected legacy networks attached to a Nortel switch located somewhere deep in the system, which are earmarked for migration to the ASA 5520 once the Nortel switch has been decommissioned, and some deny statements for email SMTP port 25.
After setting up and proving internet access for both inside networks G0/1 and G0/2 it was discovered that a ping could not get from either inside network to the other, and likewise to the outside G0/0 interface, although internet access was still available. I put an icmp inspect command into the global policy but this didn't work, so I did a kind of static NAT/ip route fudge that seemed to sort the ping problem out. However, when adding commands for VPN tunnels I lost the ping functionality.
This is where, after trying to work out a solution for over an hour, I started grasping at straws, which may explain some commands in my config that don't make any sense. I just couldn't see where I had gone wrong.
Anyway, the customer is content enough with firewall-protected internet access, but it's not sitting well with me professionally that I've not provided them with all that they asked for.
My config now as it stands has probably a few commands that shouldn't be there and undoubtedly some that should, but I fear I'm now a bit out of my depth.
Ignoring the routes to the other networks via the Nortel switch, what I ultimately need, and I know this is asking a lot, is for someone to take my configuration, correct it and let me see where I've gone wrong. Many thanks

******************************************************************************************************************

:
ASA Version 8.2(1)
!
hostname ISC-EDI-ASWFW
domain-name iscinternal.com
enable password DVYtjzRh.k2l3Eyj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address XX.XX.XX.154 255.255.255.248
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside1
 security-level 100
 ip address 172.24.19.252 255.255.252.0
!
interface GigabitEthernet0/2
 speed 100
 duplex full
 nameif inside2
 security-level 100
 ip address 172.24.23.254 255.255.252.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup inside1
dns domain-lookup inside2
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 172.24.16.2
 name-server 172.24.0.10
 name-server XX.XX.XX.6
 domain-name iscinternal.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.8.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.16.0 255.255.252.0 172.24.20.0 255.255.252.0
access-list VPN-NONAT extended permit ip 172.24.20.0 255.255.252.0 172.24.16.0 255.255.252.0
access-list EDI-BRUSS extended permit ip 172.24.16.0 255.255.252.0 172.24.8.0 255.255.252.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging monitor notifications
logging trap errors
logging asdm informational
logging host inside1 172.24.16.2
mtu management 1500
mtu inside1 1500
mtu inside2 1500
mtu outside 1500
ip local pool VPN-POOL 192.168.10.1-192.168.10.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.24.20.0 255.255.252.0 inside1
icmp permit 172.24.16.0 255.255.252.0 inside2
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside1) 0 access-list VPN-NONAT
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list VPN-NONAT
nat (inside2) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.153 1
route inside1 172.24.0.0 255.255.252.0 172.24.19.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACCESS-SRVR protocol radius
aaa-server ACCESS-SRVR (inside1) host 172.24.16.2
 key Fountain42!
aaa authentication serial console ACCESS-SRVR LOCAL
aaa authentication ssh console ACCESS-SRVR LOCAL
aaa authentication enable console ACCESS-SRVR LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.24.16.0 255.255.252.0 inside1
http 172.24.20.0 255.255.252.0 inside2
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-TRSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map EDI-BRUSS 10 match address EDI-BRUSS
crypto map EDI-BRUSS 10 set pfs
crypto map EDI-BRUSS 10 set peer XX.XX.XX.18
crypto map EDI-BRUSS 10 set transform-set VPN-TRSET
crypto map EDI-BRUSS 10 set security-association lifetime seconds 25200
crypto map EDI-BRUSS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 25200
telnet timeout 5
ssh 172.24.16.0 255.255.252.0 inside1
ssh 172.24.20.0 255.255.252.0 inside2
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 62.206.250.163 source outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy ANYCONNECT-POLICY internal
group-policy ANYCONNECT-POLICY attributes
 dns-server value 172.24.16.2 172.24.0.10
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc keep-installer installed
  svc ask enable default svc timeout 20
username admin password we1JsUwd6pW4pQ2W encrypted
username dancoop password NFAr6PJhZEifx4Wo encrypted
username dancoop attributes
 service-type remote-access
tunnel-group telecommuters type remote-access
tunnel-group TELECOMMUTERS type remote-access
tunnel-group TELECOMMUTERS general-attributes
 address-pool VPN-POOL
 default-group-policy ANYCONNECT-POLICY
tunnel-group TELECOMMUTERS webvpn-attributes
 group-alias sslgroup-users enable
tunnel-group XX.XX.XX.18 type ipsec-l2l
tunnel-group XX.XX.XX.18 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c410cd0af890f5fb81df2852aea8f4fb
: end

August Ritchie Wed, 09/22/2010 - 13:18

Would you mind posting the results of this packet tracer where you input IP addresses on your inside1 and inside2 respectively that you want to ping between?

packet-tracer input inside1 icmp 8 0

pgatt62polly66 Thu, 09/23/2010 - 08:17

August

Thanks for the reply. The ASA is on a customer site so I do not have access to it at the moment, but I will try your test suggestion out first chance and let you know the results if that's OK.

Regards etc

Magnus Mortensen Wed, 09/22/2010 - 13:29

Is the issue that hosts directly connected to the inside1 interface cannot reach hosts that are routed by the Nortel (also located off inside1)? From your description it sounds like the hosts that are directly connected to inside1 have the default gateway set to be the ASA, no? It sounds like traffic would need to hairpin on the inside1 interface. - magnus

pgatt62polly66 Thu, 09/23/2010 - 08:20

Magnus

Yes, that is the issue, I'm sure. Hairpinning is not something I'm strong on yet, and I suppose once the Nortel switch is decommissioned all traffic should point toward the ASA. Yes?

Anyway, I'm not able to access the ASA as it's on a customer site, but I will pass on your advice and let you know the outcome if that's OK.

Regards etc

pgatt62polly66 Fri, 09/24/2010 - 00:51

Hi Magnus

Isn't it true that two inside interfaces, each with the same security-level setting, should be capable of communicating with each other by default, therefore forgoing any further configuration?

Pat

praprama Fri, 09/24/2010 - 01:45

Hey Pat,

By default, communication between interfaces with same security level is not allowed. To allow that, you need the command "same-security-traffic permit inter-interface".

Please note that having this command alone doesn't suffice. You will still need to permit traffic if you have ACLs, etc.

Hope this helps!!

Thanks and Regards,

Prapanch

pgatt62polly66 Fri, 09/24/2010 - 01:52

Thanks Prapanch,

I've got the relevant commands in my config but they still didn't do the trick.

More food for thought eh?

Cheers all the same

Pat

praprama Fri, 09/24/2010 - 02:00

Hey Pat,

I apologize if I am making you re-iterate things here, but what are all the problems you are facing now? Please list those out and I will try my best to answer them.

Regards,

Prapanch

pgatt62polly66 Fri, 09/24/2010 - 04:00

Hi Prapanch

No problem at all

The inside secure networks off G0/1 and G0/2 can both access the internet, but the client wants to be able to ping between them for testing purposes, and why not. Thinking this should be possible after referring to the 1500-page manual but not getting it to work, I put an icmp inspect command into the global policy, which you should see near the end of the config. There are also same-security commands in there too.

An earlier suggestion from Magnus was that it could require a hairpin set-up but I'll have to read up on that first.

There was another gateway in the system at the time, the Nortel switch I believe, and I don't know if that's causing an issue. Maybe it is maybe it isn't.

There were other statements that were intended to be placed into the config, namely static routes that should not be routed by the ASA but be sent to the Nortel until further developments, namely the decommissioning of the Nortel, but I ran out of time. Any help would be great as I know the customer isn't fully satisfied.

If I can at least sort out the ping between both inside networks, it's a step in the right direction.

Regards Pat

praprama Fri, 09/24/2010 - 08:25

Hey Pat,

The issue most likely lies with the NAT rules. Try adding the below 2 commands and see if it works:

static (inside1,inside2) 172.24.16.0 172.24.16.0 netmask 255.255.252.0

static (inside2,inside1) 172.24.20.0 172.24.20.0 netmask 255.255.252.0

I am guessing that the 2 networks on inside1 and inside2 are 172.24.16.0/22 and 172.24.20.0/22. Hope that's right!

Regards,

Prapanch

praprama Fri, 09/24/2010 - 17:18

Hey Pat,

In general, we have 2 ways to read a static command in the below format:

static (i/f1,i/f2) a.b.c.d e.f.g.h

1) Source IP address Translation: In this case, we follow the normal NAT order of operation as given in the link below:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042696

2) Destination IP address translation: In this case, the firewall uses the destination IP address of the packet, and decides which interface should be the egress interface and how the destination IP address field in the packet has to be translated. Details can be found at the below link:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1090528

Let's assume a scenario. We have the above static command on an ASA and it receives a packet on the i/f2 interface of the ASA with a destination IP address of a.b.c.d. So, the ASA decides that this packet should be directed out the i/f1 interface of the ASA and translates the destination IP address field to e.f.g.h. Please note that the packet still goes through the remaining stages of packet processing (ACL, source NATing, service-policy, etc.), but this "static" will be used to decide the egress interface (route-lookup).

Hope this makes things clear!! Let me know if there is something that is unclear!!

Thanks and Regards,

Prapanch
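As an added example (not part of this thread and not Cisco code), the Python below models the reading Prapanch gives above of an ASA 8.2 `static (i/f1,i/f2) a.b.c.d e.f.g.h` entry, using the two identity statics he suggested for inside1 and inside2 earlier in the thread: a packet arriving on i/f2 whose destination falls in the mapped range is steered out i/f1 with its destination rewritten to the real address. It also encodes the default interface-to-interface policy from the same-security discussion. The `parse_static`, `destination_lookup` and `allowed_without_acl` functions, the most-specific-match rule, and the `dmz`/`outside` entry with 203.0.113.10/192.168.50.10 are my own constructions for illustration; a real ASA also applies ACLs, source NAT and the service-policy, which this model leaves out.

```python
"""Model of how an ASA 8.2 'static (real_if,mapped_if) mapped real' entry steers a
packet that arrives on mapped_if: choose the egress interface and rewrite the
destination address. Illustration only, not Cisco code; the most-specific-wins
ordering is an assumption of this model."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    real_if: str                    # i/f1: interface where the real hosts sit
    mapped_if: str                  # i/f2: interface on which the mapped address is seen
    mapped: ipaddress.IPv4Network   # a.b.c.d (plus netmask)
    real: ipaddress.IPv4Network     # e.f.g.h (plus netmask)


def parse_static(line: str) -> Static:
    """Parse 'static (real_if,mapped_if) mapped real [netmask m]' (8.2 syntax)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "static":
        raise ValueError(f"not a static command: {line!r}")
    real_if, mapped_if = tokens[1].strip("()").split(",")
    mask = "255.255.255.255"        # a host static unless a netmask is given
    if "netmask" in tokens:
        mask = tokens[tokens.index("netmask") + 1]
    mapped = ipaddress.IPv4Network(f"{tokens[2]}/{mask}", strict=False)
    real = ipaddress.IPv4Network(f"{tokens[3]}/{mask}", strict=False)
    return Static(real_if, mapped_if, mapped, real)


def destination_lookup(statics: List[Static], ingress_if: str,
                       dst: str) -> Optional[Tuple[str, str]]:
    """Return (egress_if, translated_dst) for a packet entering on ingress_if,
    or None when no static applies and normal routing decides the egress."""
    dst_ip = ipaddress.IPv4Address(dst)
    candidates = [s for s in statics
                  if s.mapped_if == ingress_if and dst_ip in s.mapped]
    if not candidates:
        return None
    best = max(candidates, key=lambda s: s.mapped.prefixlen)  # assumption: most specific wins
    # Keep the host offset inside the block so a /22 static maps host-for-host.
    offset = int(dst_ip) - int(best.mapped.network_address)
    real_ip = ipaddress.IPv4Address(int(best.real.network_address) + offset)
    return best.real_if, str(real_ip)


def allowed_without_acl(levels: Dict[str, int], same_security_permitted: bool,
                        ingress_if: str, egress_if: str) -> bool:
    """Default interface policy: higher-to-lower passes, equal levels need
    'same-security-traffic permit inter-interface', lower-to-higher needs an ACL."""
    src, dst = levels[ingress_if], levels[egress_if]
    if src > dst:
        return True
    if src == dst:
        return same_security_permitted
    return False


# The two identity statics suggested in the thread, plus one constructed
# non-identity entry (documentation addresses) to show a real rewrite.
THREAD_STATICS = [parse_static(l) for l in (
    "static (inside1,inside2) 172.24.16.0 172.24.16.0 netmask 255.255.252.0",
    "static (inside2,inside1) 172.24.20.0 172.24.20.0 netmask 255.255.252.0",
    "static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255",
)]

# Security levels from the posted config.
LEVELS = {"outside": 0, "inside1": 100, "inside2": 100, "management": 100}

if __name__ == "__main__":
    for ingress, dst in (("inside2", "172.24.17.5"), ("inside1", "172.24.21.9"),
                         ("inside1", "172.24.17.5"), ("outside", "203.0.113.10")):
        print(ingress, dst, "->", destination_lookup(THREAD_STATICS, ingress, dst))
    print("inside1->inside2 without same-security:",
          allowed_without_acl(LEVELS, False, "inside1", "inside2"))
```

Running the script shows the two thread statics selecting the opposite inside interface while leaving the address untouched (identity NAT), a destination outside either block falling through to routing, and that without the same-security command two level-100 interfaces do not talk even before any ACL is consulted.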
