09-02-2013 10:19 AM - edited 03-11-2019 07:33 PM
Hi,
Does anyone have a working ASA GNS3 project?
I configured one, but I'm not having much success in making things work. I'm following Cisco materials, but very strangely, simple things don't work.
So I need to know what the problem is: my installation of ASA, my installation of GNS3, or my skills.
Kind Regards,
António
09-02-2013 12:05 PM
Ok,
Let's try the "packet-tracer" command to simulate an ICMP Echo arriving from R1 to ISP-R1.
Insert the following command on the ASA CLI and copy/paste the output here:
packet-tracer input inside icmp 192.168.200.1 8 0 62.28.190.65
- Jouni
09-04-2013 12:46 PM
Hi,
You have targeted the actual IP address of the server in the DMZ in the "packet-tracer" command. You will have to use the NAT IP address as the target, as we will naturally be simulating traffic that would be coming towards the public IP address rather than a private IP address.
So try, for example:
packet-tracer input outside icmp 10.0.0.1 8 0 62.28.190.66
packet-tracer input outside tcp 10.0.0.1 12345 62.28.190.66 80
- Jouni
09-02-2013 10:25 AM
Hi,
I don't really know much about GNS3 as I have not really used it.
However I am not sure if your problem is something related to installing the actual software and the devices in that software OR is the problem more with the actual device configuration?
I can't really help with the GNS3 software related problems but could have a look at actual ASA configurations if those are the actual problem.
- Jouni
09-02-2013 10:30 AM
09-02-2013 10:36 AM
Hi,
So is there some problem with traffic passing through the ASA?
If there is some problem with traffic passing through the ASA then provide the current configuration of the ASA and description on what is not working.
- Jouni
09-02-2013 10:42 AM
Hi,
The configuration is on this post:
https://supportforums.cisco.com/thread/2237390
And a simple ping from the inside to the outside interface doesn't work.
I configured:
So, after these configs, the ping from inside [SecLevel 100] to outside [SecLevel 0] should pass?
-AS
09-02-2013 11:13 AM
Hi,
Whether ICMP works depends on what the destination IP address is. I don't know what you are using in the tests.
It also has a strange configuration related to the network 10.0.0.0/24
The mentioned network is both directly configured on an ASA "management" interface and there is also a static route for the network pointing towards the "outside" interface. If the "management" interface is up, then traffic destined for network 10.0.0.0/24 is forwarded through the "management" interface and the static route configured for the network is useless, as a connected route always overrides a static route.
- Jouni
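The route-selection point in the post above, modelled as an added example that is not part of the original thread or of any ASA configuration posted in it. The interface masks and the ASA's inside and management addresses are assumptions made for the example.

```python
import ipaddress

# Administrative distance on Cisco devices: connected = 0, static = 1.
ADMIN_DISTANCE = {"connected": 0, "static": 1}

# Constructed lab data. 10.0.0.0/24, 62.28.190.66 and the 192.168.200.x
# inside network come from the thread; masks and the other ASA addresses
# are assumptions made for this example.
STATIC_ROUTES = [("10.0.0.0/24", "outside")]

def interfaces(management_up=True):
    return {
        "inside": ("192.168.200.254/24", True),
        "outside": ("62.28.190.66/29", True),
        "management": ("10.0.0.254/24", management_up),
    }

def candidate_routes(ifaces, statics):
    """Connected routes exist only while their interface is up; a static
    route is usable only while its egress interface is up."""
    routes = [(ipaddress.ip_interface(cidr).network, name, "connected")
              for name, (cidr, up) in ifaces.items() if up]
    routes += [(ipaddress.ip_network(cidr), ifc, "static")
               for cidr, ifc in statics if ifaces[ifc][1]]
    return routes

def lookup(routes, dst):
    """Longest prefix wins; on a tie, the lowest administrative distance."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None  # no matching route, e.g. no default route configured
    net, ifc, kind = min(hits, key=lambda r: (-r[0].prefixlen, ADMIN_DISTANCE[r[2]]))
    return ifc, kind

def shadowed_statics(routes):
    """Static routes whose exact prefix is also a connected network."""
    connected = {net for net, _, kind in routes if kind == "connected"}
    return [(str(net), ifc) for net, ifc, kind in routes
            if kind == "static" and net in connected]

if __name__ == "__main__":
    for up in (True, False):
        routes = candidate_routes(interfaces(up), STATIC_ROUTES)
        print("management up:", up, "-> 10.0.0.1 via", lookup(routes, "10.0.0.1"),
              "| shadowed:", shadowed_statics(routes))
```

With the management interface down the static route towards "outside" becomes the one in use, which is why a shadowed static is worth flagging in a firewall configuration review.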
09-02-2013 11:20 AM
Hi,
To test ping, I try to ping from R1 (192.168.200.1) to ISP_R1 (62.28.190.65).
About that route: I already removed it and the ping traffic doesn't work.
Tell me:
Interfaces are ok?
NAT is ok?
Policy map is ok?
It must be something else man...
09-02-2013 11:24 AM
Hi,
How are you using the source address 192.168.200.1?
If you simply type "ping x.x.x.x" then the ASA will use the "outside" interface IP address as the source. If you specify the "inside" interface as the source in the extended ping then the traffic will go through WITHOUT NAT.
NAT will not be applied from the ASA itself to my understanding.
So you should use some host/device behind the "inside" interface to test ICMP / PING.
- Jouni
09-02-2013 11:29 AM
Hi,
When I ping from the ASA I ping every device. No problems with that.
But when I try to ping from the router that is in the inside interface LAN, I just can't make it pass through.
So no problem with routing.
More: from R1 I can't even ping the ASA public IP 62.28.190.66.
09-02-2013 11:34 AM
Hi,
You can only ping the interface IP address of ASA behind which the host is.
So hosts/networks behind "inside" can ping the "inside" interface. Hosts/networks behind "outside" can ping the "outside" interface IP address. Hosts behind "inside" CAN'T ping the "outside" interface IP address.
- Jouni
09-02-2013 11:41 AM
Hi,
So I can't ping Google (outside) from the inside network of my company. Is that what you are saying?
I'm sorry, this just has to be a misunderstanding.
Imagine ISP_R1 is a Vodafone router, my ISP. And the ASA is between that router and R1 (my company 2911). You are saying that I can't ping Google through my ISP? Huumm.
09-02-2013 11:48 AM
Hi,
You mentioned that you were trying to ping the ASA "outside" interface IP address from R1 192.168.200.1 which is behind "inside" interface. This is not possible and is expected behaviour.
The only place where you can ping the "outside" interface is from networks/hosts that are behind the "outside" interface according to the ASA's routing table.
So you should be able to ping the ISP-R1 from the R1 but not the ASA "outside" interface.
If this was an actual ASA in a live environment then you would naturally need a default route pointing towards the ISP-R1 on the ASA. Otherwise the ASA wouldn't know where to forward traffic destined to remote networks.
- Jouni
09-02-2013 11:53 AM
Hi,
But in the case of the ISP_R1, the ASA is directly connected to that router. It needs a route anyway?
-AS
09-02-2013 11:59 AM
Hi,
No, I mean in a live network it would require a default route to actually route traffic to remote networks that are not directly connected to it.
I am not sure what the problem at the moment is. So far, if I understood correctly, the problem was that you couldn't ping the ASA "outside" interface from the R1. And as stated, this is something that can be expected as the ASA doesn't allow that in any situation.
- Jouni
09-02-2013 12:01 PM
Hi,
I meant to say:
From R1 I want to ping ISP_R1. This lets me know if the ICMP traffic reaches the ISP and the inspect is working.
But it's not working with that config.
-AS