ASA GNS3 project working

Antonio Simoes
Level 1

Hi,

Does anyone have an ASA GNS3 working project?

I configured one, but I'm not having much success in making things work. I'm following Cisco materials, but very strangely, simple things don't work.

So I need to know what the problem is: my installation of ASA, my installation of GNS3 or my skills.

Kind Regards,

António

2 Accepted Solutions

Ok,

Let's try the "packet-tracer" command to simulate an ICMP Echo arriving from R1 to ISP-R1.

Insert the following command on the ASA CLI and copy/paste the output here:

packet-tracer input inside icmp 192.168.200.1 8 0 62.28.190.65

- Jouni

Hi,

You have targeted the actual IP address of the server in the DMZ in the "packet-tracer" command. You will have to use the NAT IP address as the target, as we will naturally be simulating traffic that would be coming towards the public IP address rather than a private IP address.

So try for example:

packet-tracer input outside icmp 10.0.0.1 8 0 62.28.190.66

packet-tracer input outside tcp 10.0.0.1 12345 62.28.190.66 80

- Jouni

26 Replies

Jouni Forss
VIP Alumni

Hi,

I don't really know much about GNS3 as I have not really used it.

However I am not sure if your problem is something related to installing the actual software and the devices in that software OR is the problem more with the actual device configuration?

I can't really help with the GNS3 software related problems but could have a look at actual ASA configurations if those are the actual problem.

- Jouni

Hi,

My first post was this one.

https://supportforums.cisco.com/thread/2237390

-AS

Hi,

So is there some problem with traffic passing through the ASA?

If there is some problem with traffic passing through the ASA then provide the current configuration of the ASA and description on what is not working.

- Jouni

Hi,

The configuration is on this post:

https://supportforums.cisco.com/thread/2237390

And a simple ping from the inside to outside interface doesn't work.

I configured :

  1. The interfaces
  2. The NAT. Dynamic nat in the outside interface
  3. And the policy map to inspect icmp and the default traffic

So, after these configs, the ping from inside [SecLevel 100] to outside [SecLevel 0] should pass?

-AS

Hi,

Whether ICMP works depends on what the destination IP address is. I don't know what you are using in the tests.

It also has a strange configuration related to the network 10.0.0.0/24.

The mentioned network is both directly configured on an ASA "management" interface and there is also a static route for the network pointing towards the "outside" interface. If the "management" interface is up, then it means that traffic destined for network 10.0.0.0/24 is forwarded through the "management" interface and the static route configured for the network is useless, as a connected route always overrides a static route.

- Jouni

Hi,

To test ping, I try to ping from R1 (192.168.200.1) to ISP_R1 (62.28.190.65).

About that route: I already removed it and the ping traffic doesn't work.

Tell me:

Interfaces are ok?

NAT is ok?

Policy map is ok?

It must be something else man...

Hi,

How are you using the source address 192.168.200.1?

If you simply type "ping x.x.x.x" then the ASA will use the "outside" interface IP address as the source. If you specify the "inside" interface as the source in the extended ping then the traffic will go through WITHOUT NAT.

NAT will not be applied from the ASA itself to my understanding.

So you should use some host/device behind the "inside" interface to test ICMP / PING.

- Jouni

Hi,

When I ping from the ASA I ping every device. No problems with that.

But when I try to ping from the router that is in the inside interface LAN, I just can make it pass through.

So no problem with routing.

More: from R1 I can't even ping the ASA public IP 62.28.190.66.

Hi,

You can only ping the interface IP address of ASA behind which the host is.

So hosts/networks behind "inside" can ping the "inside" interface. Hosts/networks behind "outside" can ping the "outside" interface IP address. Hosts behind "inside" CAN'T ping the "outside" interface IP address.

- Jouni

Hi,

So I can't ping Google (outside) from the inside network of my company. Is that what you are saying?

I'm sorry, this just has to be a misunderstanding.

Imagine ISP_R1 is the Vodafone router, my ISP. And the ASA is between that router and R1 (my company 2911). You are saying that I can't ping Google through my ISP? Hmm.

Hi,

You mentioned that you were trying to ping the ASA "outside" interface IP address from R1 192.168.200.1 which is behind "inside" interface. This is not possible and is expected behaviour.

The only place where you can ping the "outside" interface is from networks/hosts that are behind the "outside" interface according to the ASA's routing table.

So you should be able to ping the ISP-R1 from the R1 but not the ASA "outside" interface.

If this was an actual ASA in a live environment then you would naturally need a default route pointing towards the ISP-R1 on the ASA. Otherwise the ASA wouldn't know where to forward traffic destined to a remote network.

- Jouni

Hi,

But in the case of the ISP_R1, the ASA is directly connected to that router. Does it need a route anyway?

-AS

Hi,

No, I mean in a live network it would require a default route to actually route traffic to remote networks that are not directly connected to it.

I am not sure what the problem at the moment is. So far, if I understood correctly, the problem was that you couldn't ping the ASA "outside" interface from the R1. And as stated, this is something that can be expected as the ASA doesn't allow that in any situation.

- Jouni

Hi,

I meant to say:

From R1 I want to ping ISP_R1. This lets me know if the ICMP traffic reaches the ISP and the inspect is working.

But it's not working with that config.

-AS
