
ASA 5505 InterVLAN routing...

John Bachman
Level 1

Hello. Yes, I did read lots of posts here on ASA 5505 inter-VLAN routing, and I tried a few ideas from a few posts, but I still cannot make this work.

Packet tracer works, I can ping between VLANs, but with a real device I can't.

I have devices on VLAN 1 (port 0/1, 192.168.1.0) and I cannot ping (or talk to) devices on VLAN 12 (192.168.10.0, port 0/5).

I have built NAT and access lists; I guess I do not need routing as the two networks are directly connected...

Any ideas ?

Thanks !

                

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd b9rdqCG21C.trMZp encrypted
names
!
interface Vlan1
nameif House-LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ISP-OUTSIDE
security-level 0
ip address dhcp
!
interface Vlan12
nameif WIFI
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.1.0 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu House-LAN 1500
mtu ISP-OUTSIDE 1500
mtu WIFI 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ISP-OUTSIDE) 1 interface
nat (House-LAN) 0 access-list House-LAN
nat (House-LAN) 1 0.0.0.0 0.0.0.0
nat (ISP-OUTSIDE) 0 access-list ISP-OUTSIDE
nat (WIFI) 0 access-list WIFI
nat (WIFI) 1 0.0.0.0 0.0.0.0
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 74.57.152.1 1
route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 House-LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 House-LAN
ssh timeout 60
ssh version 2
console timeout 0
dhcp-client client-id interface ISP-OUTSIDE
dhcpd auto_config ISP-OUTSIDE
!
dhcpd address 192.168.1.5-192.168.1.36 House-LAN
dhcpd dns 8.8.8.8 interface House-LAN
dhcpd domain homelab.com interface House-LAN
dhcpd enable House-LAN
!
dhcpd address 192.168.10.5-192.168.10.150 WIFI
dhcpd dns 8.8.8.8 interface WIFI
dhcpd domain homelab.com interface WIFI
dhcpd enable WIFI
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xx.xx.xx.xx source ISP-OUTSIDE prefer
webvpn
username jbachman password tvTwKjq/0Pm2Xeh6 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d7043c017eea909d8dcabf0e3649fc14
: end

2 Accepted Solutions

Julio Carvajal
VIP Alumni

Hello John,

Check the following command you have here:

route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1

That's wrong, as 192.168.10.0 is directly connected to the ASA; you should not need to send the packets to the .0.2 device.

Do:

no route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1

Besides that, I do not see any configuration issues.

Let me know how it goes after changing that; if it does not work, we will move to captures.

Check my blog at http://laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


John,

I tested everything in my lab using version 8.0, configured the inside and DMZ interfaces with the same security level, configured the same-security-traffic command, and all are working fine.

Let me ask you, are you using a router or an unmanaged switch behind the ASA's inside interface? What is the default gateway of your internal hosts?

Can you talk more about your internal connectivity?

Regards,

AM


25 Replies


turbo_engine26
Level 4

Hi,

Could you please provide the result of these commands?

packet-tracer input House-LAN icmp 192.168.1.x 8 0 192.168.10.x

and vice-versa

packet-tracer input WIFI icmp 192.168.10.x 8 0 192.168.1.x

Also, can you remove both NAT exemptions and create only a single Identity NAT for the House-LAN subnet?

For example,

nat (House-LAN) 0 192.168.1.0 255.255.255.0

Regards,

AM

Thank you Julio and AM

Here is the output:

The packet gets dropped by an implicit rule, "deny all", but I am supposed to inspect ICMP according to the global_policy map in place:

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

ciscoasa(config)# packet-tracer input House-LAN icmp 192.168.1.1 8 0 192.168.10.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.1    255.255.255.255 identity
             
Phase: 4     
Type: ACCESS-LIST
Subtype:     
Result: DROP 
Config:      
Implicit Rule
Additional Information:
             
Result:      
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)# packet-tracer input WIFI icmp 192.168.10.1 8 0 192.168.1.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.1     255.255.255.255 identity
             
Phase: 4     
Type: ACCESS-LIST
Subtype:     
Result: DROP 
Config:      
Implicit Rule
Additional Information:
             
Result:      
input-interface: WIFI
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule

Is ICMP considered an IP packet, or do I need to allow ICMP as well?

Hi,

Don't use the ASA's interface IP addresses in the "packet-tracer". If you do, the "packet-tracer" will always fail. Use some other random address from both of the networks, and after that the output should reflect the true situation.

And yes, IP contains ICMP also.

- Jouni

You are right.

I tried it, and got a lot more results. I will check these out and post them here....

thanks !

Yes, when I said run packet tracer, I meant to use any device address on each VLAN, not the ASA interfaces.

Also, I noticed one implicit deny on the House-LAN and WIFI beside the permit rule. There should be only one implicit permit rule for each high-security-level interface. The same-security traffic is also enabled, and traffic should traverse between those interfaces with no problems.

Please run packet tracer again using actual device addresses.

Regards,

AM

Thanks, I found where it is denied, but looking at the config, it looks OK to me.

I stared at and compared the two networks; it all looks good.

When I ping 192.168.10.12 from 192.168.1.8 all is good.

packet-tracer input house-LAN icmp 192.168.1.8 8 0 192.168.10.12

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.0    255.255.255.0   WIFI

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4     
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
             
Phase: 5     
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:      
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
             
Phase: 6     
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:      
Additional Information:
             
Phase: 7     
Type: NAT-EXEMPT
Subtype:     
Result: ALLOW
Config:      
  match ip House-LAN 192.168.1.0 255.255.255.0 WIFI 192.168.10.0 255.255.255.0
    NAT exempt
    translate_hits = 268, untranslate_hits = 99
Additional Information:
             
Phase: 8     
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:      
Additional Information:
             
Phase: 9     
Type: NAT    
Subtype:     
Result: ALLOW
Config:      
nat (House-LAN) 1 0.0.0.0 0.0.0.0
  match ip House-LAN any WIFI any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 57, untranslate_hits = 0
Additional Information:
             
Phase: 10    
Type: NAT    
Subtype: host-limits
Result: ALLOW
Config:      
nat (House-LAN) 1 0.0.0.0 0.0.0.0
  match ip House-LAN any House-LAN any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 7, untranslate_hits = 0
Additional Information:
             
Phase: 11    
Type: NAT    
Subtype: rpf-check
Result: ALLOW
Config:      
nat (WIFI) 1 0.0.0.0 0.0.0.0
  match ip WIFI any House-LAN any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
             
Phase: 12    
Type: NAT    
Subtype: host-limits
Result: ALLOW
Config:      
nat (WIFI) 1 0.0.0.0 0.0.0.0
  match ip WIFI any House-LAN any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
             
Phase: 13    
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
             
Phase: 14    
Type: FLOW-CREATION
Subtype:     
Result: ALLOW
Config:      
Additional Information:
New flow created with id 158286, packet dispatched to next module
             
Result:      
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: WIFI
output-status: up
output-line-status: up
Action: allow

But when I ping 192.168.1.8 from 192.168.10.12 it fails:

packet-tracer input house-LAN icmp 192.168.10.12 8 0 192.168.1.8

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   House-LAN

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4     
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
             
Phase: 5     
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:      
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
             
Phase: 6     
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:      
Additional Information:
             
Phase: 7     
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:      
  match ip House-LAN 192.168.1.0 255.255.255.0 House-LAN 192.168.10.0 255.255.255.0 -HOUSE-LAN ASSOCIATED WITH 192.168.10.0 ????? This is the problem...

  NAT exempt
    translate_hits = 0, untranslate_hits = 8
Additional Information:
             
Phase: 8     
Type: NAT    
Subtype:     
Result: DROP 
Config:      
nat (House-LAN) 1 0.0.0.0 0.0.0.0
  match ip House-LAN any House-LAN any   ---- what is this ????

dynamic translation to pool 1 (No matching global)
    translate_hits = 8, untranslate_hits = 0
Additional Information:
             
Result:      
input-interface: House-LAN
input-status: up
input-line-status: up
output-interface: House-LAN
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd b9rdqCG21C.trMZp encrypted
names
!
interface Vlan1
nameif House-LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ISP-OUTSIDE
security-level 0
ip address dhcp
!
interface Vlan12
nameif WIFI
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!            
interface Ethernet0/1
!            
interface Ethernet0/2
!            
interface Ethernet0/3
!            
interface Ethernet0/4
!            
interface Ethernet0/5
switchport access vlan 12
!            
interface Ethernet0/6
!            
interface Ethernet0/7
!            
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WIFI extended permit ip 192.168.10.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list House-LAN extended permit ip 192.168.1.0 255.255.255.0 xx.xx.xx.xx 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.1.0 255.255.255.0
access-list ISP-OUTSIDE extended permit ip xx.xx.xx.xx 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu House-LAN 1500
mtu ISP-OUTSIDE 1500
mtu WIFI 1500
no failover  
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ISP-OUTSIDE) 1 interface
nat (House-LAN) 0 access-list House-LAN
nat (House-LAN) 1 0.0.0.0 0.0.0.0
nat (ISP-OUTSIDE) 0 access-list ISP-OUTSIDE
nat (WIFI) 0 access-list WIFI
nat (WIFI) 1 0.0.0.0 0.0.0.0
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 House-LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 House-LAN
ssh timeout 60
ssh version 2
console timeout 0
dhcp-client client-id interface ISP-OUTSIDE
dhcpd auto_config ISP-OUTSIDE
!            
dhcpd address 192.168.1.5-192.168.1.36 House-LAN
dhcpd dns 24.200.241.37 interface House-LAN
dhcpd domain homelab.com interface House-LAN
dhcpd enable House-LAN
!            
dhcpd address 192.168.10.5-192.168.10.150 WIFI
dhcpd dns 8.8.8.8 interface WIFI
dhcpd domain homelab.com interface WIFI
dhcpd enable WIFI
!            
             
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.46.33.9 source ISP-OUTSIDE prefer
webvpn       
username jbachman password tvTwKjq/0Pm2Xeh6 encrypted privilege 15
!            
class-map inspection_default
match default-inspection-traffic
!            
!            
policy-map type inspect dns preset_dns_map
parameters  
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!            
service-policy global_policy global
prompt hostname context
Cryptochecksum:540ec0c8a87fb490bf587e36c6fe792b
: end   

The output and the input are the same interface, that's why the NAT fails translation...

Result:      

input-interface: House-LAN

input-status: up

input-line-status: up

output-interface: House-LAN

output-status: up

output-line-status: up

Action: drop 

Drop-reason: (acl-drop) Flow is denied by configured rule
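Two traces like the ones above are easier to compare once reduced to their phase list and the phase that returned DROP. The following Python helper is an added example, not code from the thread or from Cisco: it parses packet-tracer output in the 8.2 layout shown above into phases and the trailing Result summary, and reports the dropping phase, the first config line that phase matched, and whether the flow entered and left on the same interface. The sample trace is constructed from the failing trace above, trimmed to three phases and renumbered.

```python
import re

# Constructed sample: the failing trace from the thread, trimmed to the
# route lookup, the NAT-exempt match and the NAT phase that dropped it.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   House-LAN

Phase: 2
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
  match ip House-LAN 192.168.1.0 255.255.255.0 House-LAN 192.168.10.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 8
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: DROP
Config:
nat (House-LAN) 1 0.0.0.0 0.0.0.0
  match ip House-LAN any House-LAN any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 8, untranslate_hits = 0
Additional Information:

Result:
input-interface: House-LAN
input-status: up
output-interface: House-LAN
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts and the summary dict."""
    phases, summary, cur, bucket = [], {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split()[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            bucket = None
        elif line == "Result:":               # a bare 'Result:' opens the summary block
            cur, bucket = None, "summary"
        elif bucket == "summary":
            if ": " in line:
                key, val = line.split(": ", 1)
                summary[key.strip()] = val.strip()
        elif cur is None:
            continue
        elif line.startswith("Config:"):
            bucket = "config"
        elif line.startswith("Additional Information:"):
            bucket = "info"
        elif bucket in ("config", "info"):
            if line.strip():
                cur[bucket].append(line.strip())
        elif ":" in line:                     # Type: / Subtype: / Result: of the phase
            key, val = line.split(":", 1)
            cur[key.strip().lower()] = val.strip()
    return phases, summary


def summarize(phases, summary):
    """The verdict, the phase that produced it, and whether ingress == egress."""
    dropped = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "action": summary.get("Action"),
        "drop_reason": summary.get("Drop-reason"),
        "drop_phase": dropped["phase"] if dropped else None,
        "drop_type": dropped["type"] if dropped else None,
        "drop_config": dropped["config"][0] if dropped and dropped["config"] else None,
        "in_if": summary.get("input-interface"),
        "out_if": summary.get("output-interface"),
        "same_interface": summary.get("input-interface") == summary.get("output-interface"),
    }


if __name__ == "__main__":
    for key, val in summarize(*parse_trace(SAMPLE_TRACE)).items():
        print(f"{key:15} {val}")
```

same_interface is only a symptom when inter-interface traffic was intended, as it was here (the source 192.168.10.12 was fed in on House-LAN instead of WIFI); a deliberate hairpin under same-security-traffic permit intra-interface produces it by design.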

Hello,

Exactly, we saw that since the first post.

But that is because you are doing the packet tracer wrong.

It's packet-tracer input WIFI icmp 192.168.10.12 8 0 192.168.1.8

Please read the following http://www.laguiadelnetworking.com/the-usage-of-the-packet-tracer-feature-on-the-asa/


Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
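Julio's accepted answer (a static route for a subnet that is directly connected) and the packet-tracer advice from Jouni, AM and Julio (host addresses rather than the ASA's interface addresses, and an input interface that actually fronts the source) can both be checked from the running-config before anything is typed on the box. The Python below is an added example, not code from the thread or from Cisco; it only understands the config forms the thread shows (interface, nameif, ip address, route), skips interfaces addressed by DHCP because their subnet is not in the config, and decides which interface a source address belongs to by longest-prefix match over connected subnets and static routes. The sample config is a constructed excerpt of the one John posted.

```python
import ipaddress
import re

# Constructed sample: the interface and route lines of the ASA 8.2 config
# posted above, including the static route Julio flagged.
SAMPLE_CONFIG = """
interface Vlan1
 nameif House-LAN
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ISP-OUTSIDE
 security-level 0
 ip address dhcp
!
interface Vlan12
 nameif WIFI
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
route ISP-OUTSIDE 0.0.0.0 0.0.0.0 74.57.152.1 1
route WIFI 192.168.10.0 255.255.255.0 192.168.0.2 1
"""
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_config(text):
    """Return ({nameif: {'ip', 'net'}}, [static routes]). A DHCP-addressed
    interface keeps ip/net = None: its subnet is not in the config."""
    interfaces, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"ip": None, "net": None}
        elif current is not None and line.startswith("nameif "):
            interfaces[line.split()[1]] = current
        elif current is not None and (m := re.match(r"ip address (\S+) (\S+)", line)):
            if m.group(1) != "dhcp":
                current["ip"] = ipaddress.ip_address(m.group(1))
                current["net"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif (m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line)):
            routes.append({"ifname": m.group(1), "gw": ipaddress.ip_address(m.group(4)),
                           "net": ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)})
    return interfaces, routes


def lint_routes(interfaces, routes):
    """Static routes the ASA does not need (destination directly connected)
    or cannot use (next hop not on the named interface's subnet)."""
    findings = []
    for r in routes:
        for name, itf in interfaces.items():
            if itf["net"] is not None and r["net"].subnet_of(itf["net"]):
                findings.append(f"route {r['ifname']} {r['net']}: directly connected on {name}, remove it")
        itf = interfaces.get(r["ifname"])
        if itf is None:
            findings.append(f"route {r['ifname']} {r['net']}: no such nameif")
        elif itf["net"] is not None and r["gw"] not in itf["net"]:
            findings.append(f"route {r['ifname']} {r['net']}: next hop {r['gw']} is not on {itf['net']}")
    return findings


def interface_for(interfaces, routes, addr):
    """Longest-prefix match over connected subnets and static routes: the
    interface the ASA expects addr to be reached through."""
    best = (None, -1)
    for name, itf in interfaces.items():
        if itf["net"] is not None and addr in itf["net"] and itf["net"].prefixlen > best[1]:
            best = (name, itf["net"].prefixlen)
    for r in routes:
        if addr in r["net"] and r["net"].prefixlen > best[1]:
            best = (r["ifname"], r["net"].prefixlen)
    return best[0]


def check_packet_tracer(interfaces, routes, command):
    """Sanity-check 'packet-tracer input <if> <proto> <src> ... <dst> ...' before
    running it: no ASA interface addresses as endpoints, and an input interface
    that really fronts the source address."""
    tok = command.split()
    if len(tok) < 6 or tok[:2] != ["packet-tracer", "input"]:
        return ["not a 'packet-tracer input ...' command"]
    ips = [ipaddress.ip_address(t) for t in tok[4:] if IPV4.fullmatch(t)]
    if len(ips) < 2:
        return ["could not find both a source and a destination address"]
    src, dst = ips[0], ips[-1]
    findings = []
    own = {itf["ip"]: name for name, itf in interfaces.items() if itf["ip"] is not None}
    if src in own:
        findings.append(f"source {src} is the ASA's own {own[src]} address; use a host on that subnet")
    if dst in own:
        findings.append(f"destination {dst} is the ASA's own {own[dst]} address; use a host on that subnet")
    # The thread shows 'house-LAN' accepted for nameif House-LAN, so compare case-insensitively.
    ifname = {n.lower(): n for n in interfaces}.get(tok[2].lower())
    if ifname is None:
        findings.append(f"'{tok[2]}' is not a nameif in this config")
    else:
        expected = interface_for(interfaces, routes, src)
        if expected is not None and expected != ifname:
            findings.append(f"source {src} sits behind {expected}, not {ifname}; "
                            f"run 'packet-tracer input {expected} ...' instead")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for line in lint_routes(*cfg):
        print(line)
    for line in check_packet_tracer(*cfg, "packet-tracer input house-LAN icmp 192.168.10.12 8 0 192.168.1.8"):
        print(line)
```

On the posted config this flags the WIFI route twice (the destination is WIFI's own subnet, and 192.168.0.2 is not even on that subnet), flags both interface addresses in the first packet-tracer John ran, and tells the second one to use input WIFI, which is the form Julio gave.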

Thanks for the link, Julio. Very first time with packet-tracer....

Well, now with this method, packet-tracer works, both sides.

Still, as I said in my first post, I still can't ping from 192.168.10.12 to 192.168.1.8... The other way works...

I got one-way ping.... I might just format the whole thing....

Hello,

Don't do that. I bet that if we do captures we will see where the problem is, but before I provide you the capture syntax:

Can you check if the Windows firewall is disabled on both units?

Check my blog at http://laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, you are correct. I disabled the Windows 7 firewall on the PC and ping works. Then I re-enabled it and configured a rule to allow ping into the PC. That's weird, because I never had problems before I installed the ASA 5505, and the ASA should be open for everything between inside interfaces...

Anyway, ping works, and I have disabled the Windows 7 firewall to keep on troubleshooting (to get it out of the way for now).

Now I have AirVideo running on the PC (using Bonjour!), and same thing: the AirVideo app running on the iPad (Wi-Fi) on VLAN 12 cannot connect to the PC on the wired LAN, VLAN 1. So I do have a problem with the ASA blocking ports even if I did configure the ASA rules to allow any any between the interfaces...

It is as if VLAN routing is actually working, but not enabled for all the L4 protocols and ports between inside interfaces, even if I have opened everything and all interfaces are at the same security level... Well, this CCNA Security cert is giving me good learning challenges...

I am working on this issue now.

Does the global policy apply only to the outside interface?

Or is it also applied between interfaces?

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
