Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4091
Views
4
Helpful
6
Replies

Unable to ping ASA (8.3) 5510 interfaces

j.manley
Level 1
Level 1

‎10-04-2010 10:35 AM - edited ‎03-11-2019 11:49 AM

Hi all,

I am runinning into a problem configurating ICMP to my trunk interfaces on the ASA.  I can see the "Built inbound" in the logs, but I am receiving request timed out from the client.

I am trying to ICMP from 192.168.4.11 to 192.168.1.200 and the reverse.  Not sure what i am missing.

hostname ciscoasa
enable password xxxxxxx encrypted
passwd XXXXXXXx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.2
vlan 2      
nameif Barenet
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2.3
vlan 3
nameif Businessnet
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2.4
vlan 4
nameif DMZ
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/2.5
vlan 5
nameif OMS
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/3
shutdown    
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object-group icmp-type ICMP_ALL
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object traceroute
access-list inside_access_in extended permit icmp any any object-group ICMP_ALL
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any object-group ICMP_ALL
access-list DMZ_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu Barenet 1500
mtu DMZ 1500
mtu Businessnet 1500
mtu OMS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username XXXXXXX  XXXXXXX
!
class-map inspection_default
match default-inspection-traffic
!            
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

Labels:
0 Helpful
6 Replies 6

andre.ortega
Spotlight
Spotlight

‎10-04-2010 10:56 AM

You need configure NAT for inside-to-dmz and dmz-to-inside.

0 Helpful

Panos Kampanakis
Cisco Employee
Cisco Employee
In response to andre.ortega

‎10-04-2010 12:17 PM

Also if you are trying to ping through the ASA you will also need

policy-map global_policy
  class inspection_default

     inspect icmp

I hope it helps.

PK

j.manley
Level 1
Level 1
In response to Panos Kampanakis

‎10-04-2010 01:06 PM

Thanks, I have added your suggestions, but now I am receiving:(when I ping from 192.168.4.11[host] to 192.168.1.1[core switch])

"5    Oct 04 2010    12:53:11    305013    192.168.1.1                Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src DMZ:192.168.4.11 dst inside:192.168.1.1 (type 8, code 0) denied due to NAT reverse path failure"

0 Helpful

andre.ortega
Spotlight
Spotlight
In response to j.manley

‎10-04-2010 01:09 PM

Post configuration added.

Regards.

0 Helpful

j.manley
Level 1
Level 1
In response to andre.ortega

‎10-04-2010 01:13 PM

Updated config.  thanks


ASA Version 8.3(1)
!
hostname ciscoasa

names
!
interface Ethernet0/0
nameif outside
security-level 0
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.2
vlan 2      
nameif Barenet
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2.3
vlan 3
nameif Businessnet
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2.4
vlan 4
nameif DMZ
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/2.5
vlan 5
nameif OMS
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/3
shutdown    
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object-group icmp-type ICMP_ALL
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object traceroute
access-list inside_access_in extended permit icmp any any object-group ICMP_ALL
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any object-group ICMP_ALL
access-list DMZ_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
mtu Barenet 1500
mtu DMZ 1500
mtu Businessnet 1500
mtu OMS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit 0.0.0.0 0.0.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static any any unidirectional
!
nat (DMZ,inside) after-auto source static any any unidirectional
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5b589c771f7f2d48d10b7b1a8813916b
: end

0 Helpful

andre.ortega
Spotlight
Spotlight
In response to j.manley

‎10-04-2010 01:27 PM

Try this (work in early versions... in 8.3 I dont know)

Remove:

nat (inside,DMZ) source static any any unidirectional

!
nat (DMZ,inside) after-auto source static any any unidirectional
Add:
access-list nonatinside extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonatinside
access-list nonatdmz extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list nonatdmz

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card