07-04-2015 12:30 PM - edited 03-11-2019 11:13 PM
Hi guys,
I have this scenario (GW------ASA-------Core). I can ping between the ASA and GW and between the ASA and Core, but I can't ping between Core and GW!
What is the problem?
Thanks.
07-04-2015 12:35 PM
Hi Mohammad,
Is your ASA routed-mode? Do you have proper routing on the ASA? Routing is not required for connected interfaces.
g1
07-04-2015 12:48 PM
Hi Ji Won,
I have a default route to the GW and a static route to the core, like this:
interface GigabitEthernet0/0
description " Connection to GW"
nameif outside
security-level 0
ip address 10.60.20.1 255.255.255.0
!
interface GigabitEthernet0/1
description " Connection to Core-1"
nameif inside
security-level 100
ip address 10.60.10.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 100
ip address 10.60.30.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
dns server-group DefaultDNS
name-server 84.235.6.55
name-server 84.235.57.230
domain-name Saudi.net.sa
same-security-traffic permit intra-interface
object network NAT
subnet 0.0.0.0 0.0.0.0
access-list PERMIT_ALL extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group PERMIT_ALL global
route outside 0.0.0.0 0.0.0.0 10.60.20.2 1
route inside 10.0.0.0 255.0.0.0 10.60.10.1 1
Any issue?
Thanks,
Mohammad
07-04-2015 01:00 PM
Does your GW have a route to the network behind the ASA?
07-04-2015 01:05 PM
Yes, GW has a static route to the ASA and a default route to outside.
07-04-2015 01:11 PM
Try this:
packet-tracer input inside icmp "core-ip" 8 0 "GW-ip"
Show me the output.
g1
07-04-2015 01:22 PM
This command is run inside the ASA?
In the core I have a default route to the ASA!
07-04-2015 01:25 PM
Yes, packet-tracer is a feature in the ASA: you can simulate packets and it will tell you where it drops the packet.
Try the command and show me the output.
g1
07-04-2015 01:28 PM
ciscoasa(config)# packet-tracer input inside icmp 10.60.10.1 8 0 10.60.20.2
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.60.20.0 255.255.255.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PERMIT_ALL global
access-list PERMIT_ALL extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.60.10.1/0 to 10.60.20.1/31551
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 373270, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ciscoasa(c
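As an added example, not part of any post in this thread: a small parser for the packet-tracer transcript format shown above. It splits the output into phases, reports the first phase whose Result is not ALLOW together with the Config lines that phase printed, and reads the final Action/Drop-reason, so a drop can be attributed to a specific phase. The sample transcript is constructed for the demo (two phases, the ACL phase set to DROP), not the poster's real output.

```python
# Constructed sample (not the poster's real output), same layout as above, cut to two phases with phase 2 set to DROP.
SAMPLE = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.60.20.0 255.255.255.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group out_in in interface outside
access-list out_in extended permit icmp any any
Additional Information:
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """One dict per 'Phase:' block (number, Type/Subtype/Result, Config, Additional Information lines)."""
    phases, cur, section = [], None, None
    for line in text.splitlines():
        if line.startswith("Phase: "):
            cur = {"phase": int(line[7:]), "Config": [], "Additional Information": []}
            phases.append(cur)
            section = None
        elif line == "Result:" or cur is None:  # trailing summary block reached (or no phase yet)
            cur = None
        elif line in ("Config:", "Additional Information:"):
            section = line[:-1]
        elif section:
            cur[section].append(line)
        else:  # Type / Subtype / Result header lines
            key, _, val = line.partition(":")
            cur[key] = val.strip()
    return phases

def parse_summary(text):
    """Key/value pairs from the final 'Result:' block (Action, Drop-reason, interfaces)."""
    pairs = (l.partition(":") for l in text.partition("\nResult:\n")[2].splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs if k}

def first_drop(text):
    """First phase whose Result is not ALLOW, or None when every phase allowed."""
    return next((p for p in parse_phases(text) if p.get("Result") != "ALLOW"), None)
```

Paste a real transcript into SAMPLE (or read it from a file) and call first_drop() on it; an all-ALLOW run returns None, which matches the "Action: allow" result shown above.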
07-04-2015 01:46 PM
Add this line and let me know:
access-list out_in extended permit icmp any any
access-group out_in in interface outside
Also, show me your default class policy-map:
show run policy-map
g1
07-04-2015 01:51 PM
I added that access list, and no success!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect icmp
!
ciscoasa#
07-04-2015 01:52 PM
Can you try to take out the icmp inspection and try again? What's the software version of your ASA?
07-04-2015 08:36 PM
Wow! Thanks, it works after I removed it!!! Strange.
My ASA version is 8.3(1).
Many thanks
07-04-2015 01:15 PM
You should also confirm that the Core has a route to the GW inside interface through the ASA.
g1