×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Unable to ping ASA (8.3) 5510 interfaces

Unanswered Question
Oct 4th, 2010
User Badges:

Hi all,


I am runinning into a problem configurating ICMP to my trunk interfaces on the ASA.  I can see the "Built inbound" in the logs, but I am receiving request timed out from the client.


I am trying to ICMP from 192.168.4.11 to 192.168.1.200 and the reverse.  Not sure what i am missing.


hostname ciscoasa
enable password xxxxxxx encrypted
passwd XXXXXXXx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.2
vlan 2      
nameif Barenet
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2.3
vlan 3
nameif Businessnet
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2.4
vlan 4
nameif DMZ
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/2.5
vlan 5
nameif OMS
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/3
shutdown    
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object-group icmp-type ICMP_ALL
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object traceroute
access-list inside_access_in extended permit icmp any any object-group ICMP_ALL
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any object-group ICMP_ALL
access-list DMZ_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu Barenet 1500
mtu DMZ 1500
mtu Businessnet 1500
mtu OMS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username XXXXXXX  XXXXXXX
!
class-map inspection_default
match default-inspection-traffic
!            
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
andre.ortega Mon, 10/04/2010 - 10:56
User Badges:
  • Bronze, 100 points or more
  • Participante em Destaque,

    Escolha da Audiência, Maio de 2015

You need configure NAT for inside-to-dmz and dmz-to-inside.

Panos Kampanakis Mon, 10/04/2010 - 12:17
User Badges:
  • Cisco Employee,

Also if you are trying to ping through the ASA you will also need


policy-map global_policy
  class inspection_default

     inspect icmp


I hope it helps.


PK

j.manley Mon, 10/04/2010 - 13:06
User Badges:

Thanks, I have added your suggestions, but now I am receiving:(when I ping from 192.168.4.11[host] to 192.168.1.1[core switch])


"5    Oct 04 2010    12:53:11    305013    192.168.1.1                Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src DMZ:192.168.4.11 dst inside:192.168.1.1 (type 8, code 0) denied due to NAT reverse path failure"

andre.ortega Mon, 10/04/2010 - 13:09
User Badges:
  • Bronze, 100 points or more
  • Participante em Destaque,

    Escolha da Audiência, Maio de 2015

Post configuration added.

Regards.

j.manley Mon, 10/04/2010 - 13:13
User Badges:

Updated config.  thanks



ASA Version 8.3(1)
!
hostname ciscoasa


names
!
interface Ethernet0/0
nameif outside
security-level 0
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.2
vlan 2      
nameif Barenet
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2.3
vlan 3
nameif Businessnet
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2.4
vlan 4
nameif DMZ
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/2.5
vlan 5
nameif OMS
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/3
shutdown    
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object-group icmp-type ICMP_ALL
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object traceroute
access-list inside_access_in extended permit icmp any any object-group ICMP_ALL
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any object-group ICMP_ALL
access-list DMZ_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu Barenet 1500
mtu DMZ 1500
mtu Businessnet 1500
mtu OMS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit 0.0.0.0 0.0.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static any any unidirectional
!
nat (DMZ,inside) after-auto source static any any unidirectional
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials


!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5b589c771f7f2d48d10b7b1a8813916b
: end

andre.ortega Mon, 10/04/2010 - 13:27
User Badges:
  • Bronze, 100 points or more
  • Participante em Destaque,

    Escolha da Audiência, Maio de 2015


Try this (work in early versions... in 8.3 I dont know)


Remove:


nat (inside,DMZ) source static any any unidirectional

!
nat (DMZ,inside) after-auto source static any any unidirectional
Add:
access-list nonatinside extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonatinside
access-list nonatdmz extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list nonatdmz


Actions

This Discussion