Not able to ping other network on Cisco ASA-5500

Dec 27th, 2013
Hi everyone,

Can anyone please let me know what exactly I have to do to ping the other network's IP address? We have PIN (136.141.21.254) and PAN (10.0.16.254) as two networks. We have only one security level, and we have applied ACLs in such a way as to allow pinging and troubleshooting in case it is required. Please let us know if we have to change anything or add something to this configuration. Here I'm attaching the config of the ASA. Please help me.

hostname IPCS16-FWDA254
enable password MuI.b20iebVYFYjj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.16.64 MGMT
name 10.0.16.61 MGMT_61
name 10.0.16.51 PDGC_51
name 10.0.16.52 PDGC_52
name 136.141.21.238 PDGS_01
name 136.141.21.239 PDGS_02
name 136.141.21.240 PDGS_COMMON
!
interface Ethernet0/0
description LAN/STATE Failover Interface
!
interface Ethernet0/1
description IPCS15 FWDA PIN Interface
nameif PIN
security-level 1
ip address 136.141.21.254 255.255.255.224
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif CVOTS
security-level 1
ip address 172.16.8.254 255.255.255.0
!
interface Redundant1
description PAN Interface - Redundant
member-interface Ethernet0/2
member-interface Ethernet0/3
nameif PAN
security-level 1
ip address 10.0.16.254 255.255.255.0
!
ftp mode passive
clock timezone AST 3
same-security-traffic permit inter-interface
object-group service ABB_800xA_History
service-object tcp eq 1583
service-object tcp eq 7605
service-object tcp eq 7606
service-object tcp eq 7613
service-object tcp eq 7614
service-object tcp eq 7618
service-object udp eq 7609
service-object udp eq 7617
service-object udp eq 7618
object-group service McAfee
service-object tcp eq 135
service-object tcp eq 242
service-object tcp eq 2568
service-object tcp eq 445
service-object tcp eq 8081
service-object tcp eq 8443
service-object tcp eq 8444
service-object tcp eq 8801
service-object tcp eq https
service-object tcp eq ldap
service-object tcp eq ldaps
service-object udp eq 1434
service-object udp eq 8082
service-object tcp-udp eq echo
service-object udp eq netbios-ns
service-object udp eq ntp
object-group network DM_INLINE_NETWORK_1
network-object host PDGC_51
network-object host PDGC_52
object-group network DM_INLINE_NETWORK_2
network-object host PDGS_01
network-object host PDGS_02
network-object host PDGS_COMMON
object-group service RDP tcp
description Remote Desktop Protocol
port-object eq 3389
object-group network DM_INLINE_NETWORK_3
network-object host PDGS_01
network-object host PDGS_02
object-group network DM_INLINE_NETWORK_4
network-object host PDGS_01
network-object host PDGS_02
object-group network DM_INLINE_NETWORK_5
network-object host PDGS_01
network-object host PDGS_02
network-object host PDGS_COMMON
object-group network DM_INLINE_NETWORK_6
network-object host PDGC_51
network-object host PDGC_52
object-group network DM_INLINE_NETWORK_7
network-object host PDGS_01
network-object host PDGS_02
access-list PAN_access_in remark History Service Exclusions
access-list PAN_access_in extended permit object-group ABB_800xA_History object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list PAN_access_in remark McAfee Exceptions
access-list PAN_access_in extended permit object-group McAfee host MGMT object-group DM_INLINE_NETWORK_3
access-list PAN_access_in remark RDP From MGMT TO Associated IPCS Nodes on PIN
access-list PAN_access_in extended permit tcp host MGMT object-group DM_INLINE_NETWORK_4 object-group RDP
access-list PAN_access_in extended permit icmp any any
access-list PIN_access_in remark History Service Exclusions
access-list PIN_access_in extended permit object-group ABB_800xA_History object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list PIN_access_in remark McAfee Exceptions
access-list PIN_access_in extended permit object-group McAfee object-group DM_INLINE_NETWORK_7 host MGMT
access-list PIN_access_in remark Ping between PIN & PAN for troubleshooting
access-list PIN_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu PIN 1500
mtu CVOTS 1500
mtu PAN 1500
failover
failover lan unit secondary
failover lan interface FW_Link Ethernet0/0
failover link FW_Link Ethernet0/0
failover interface ip FW_Link 192.168.1.254 255.255.255.0 standby 192.168.1.253
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group PIN_access_in in interface PIN
access-group PAN_access_in in interface PAN
route PIN 0.0.0.0 0.0.0.0 PDGS_COMMON 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.0.0 PAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 136.141.23.3 source PIN
ntp server 136.141.23.2 source PIN prefer
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:68e8fe43a9211f9b5dbfcdb74885b73c
: end

Karsten Iwen Fri, 12/27/2013 - 04:54
You already have allowed all ICMP in your ACL. With that, PING should work through the ASA.


If you only want to test it with ping, you could make your config more secure by only allowing ICMP echo requests and enabling stateful inspection for ICMP:


no access-list PAN_access_in extended permit icmp any any
access-list PAN_access_in extended permit icmp any any echo
no access-list PIN_access_in extended permit icmp any any
access-list PIN_access_in extended permit icmp any any echo

policy-map global_policy
class inspection_default
  inspect icmp


Perhaps you should also restrict that on the networks in use.



But if you want to ping the remote-interface of the ASA (136.141.21.254 from a system on PAN or 10.0.16.254 from a system on the PIN), then it will always fail because that is not supported on the ASA.



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
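As an added audit helper (written for this page, not part of the thread or of any Cisco tooling), the Python below checks a pasted ASA running-config for the two points raised in the answer: ICMP permit lines that carry no icmp-type, and a globally applied policy-map that lacks `inspect icmp`. The config excerpt inside is constructed from the ICMP-relevant lines of the question's config; the hardened variant applies the answer's two changes and should produce no findings.

```python
import re

# Constructed excerpt of the config posted above; only the ICMP-relevant lines are kept.
SAMPLE_CONFIG = """\
access-list PAN_access_in extended permit icmp any any
access-list PIN_access_in extended permit icmp any any
access-group PIN_access_in in interface PIN
access-group PAN_access_in in interface PAN
policy-map type inspect dns preset_dns_map
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
"""
# The same excerpt after the two changes from the answer (echo-only ACLs, inspect icmp).
HARDENED_CONFIG = SAMPLE_CONFIG.replace("icmp any any\n", "icmp any any echo\n").replace(
    "  inspect dns preset_dns_map\n", "  inspect dns preset_dns_map\n  inspect icmp\n")

def _skip_address(tokens):
    """Drop one ACL address operand: 'any', 'host X', 'object-group G' or 'NET MASK'."""
    return tokens[1:] if tokens and tokens[0] in ("any", "any4", "any6") else tokens[2:]

def unrestricted_icmp_permits(config):
    """(acl_name, line) for each ICMP permit with no icmp-type after source/destination."""
    hits = []
    for raw in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit icmp (.+)$", raw.strip())
        if m and not _skip_address(_skip_address(m.group(2).split())):
            hits.append((m.group(1), raw.strip()))
    return hits

def icmp_inspection_enabled(config):
    """True if the policy-map applied with 'service-policy ... global' has 'inspect icmp'."""
    current, with_icmp, global_pm = None, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            current = line.split()[-1]
        elif line == "inspect icmp" and current:
            with_icmp.add(current)
        elif line.startswith("service-policy ") and line.endswith(" global"):
            global_pm = line.split()[1]
    return global_pm in with_icmp

def audit(config):
    """Findings a reviewer would raise; an empty list means both points are addressed."""
    findings = [f"{acl}: '{line}' permits every ICMP type, not just echo"
                for acl, line in unrestricted_icmp_permits(config)]
    if not icmp_inspection_enabled(config):
        findings.append("globally applied policy-map has no 'inspect icmp'")
    return findings
```

Run `audit()` over the output of `show running-config` pasted into a file; the address parser only handles the operand forms listed in `_skip_address`.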
