
New Member

ASA GNS3 project working

Hi,

Does anyone have a ASA GNS3 working project?

I configured one, but I'm not having much success in making things work. I'm following Cisco materials, but very strangely, simple things don't work.

So I need to know what the problem is: my installation of ASA, my installation of GNS3, or my skills.

Kind Regards,

António

Super Bronze

ASA GNS3 project working

Hi,

I don't really know much about GNS3 as I have not really used it.

However I am not sure if your problem is something related to installing the actual software and the devices in that software OR is the problem more with the actual device configuration?

I can't really help with the GNS3 software related problems but could have a look at actual ASA configurations if those are the actual problem.

- Jouni

New Member

Re: ASA GNS3 project working

Hi,

My first post was this one.

https://supportforums.cisco.com/thread/2237390

-AS

Super Bronze

ASA GNS3 project working

Hi,

So is there some problem with traffic passing through the ASA?

If there is some problem with traffic passing through the ASA then provide the current configuration of the ASA and description on what is not working.

- Jouni

New Member

Re: ASA GNS3 project working

Hi,

The configuration is on this post:

https://supportforums.cisco.com/thread/2237390

And a simple ping from the inside to the outside interface doesn't work.

I configured:

  1. The interfaces
  2. The NAT. Dynamic NAT on the outside interface
  3. And the policy map to inspect ICMP and the default traffic

So, after these configs, the ping from inside [SecLevel 100] to outside [SecLevel 0] should pass?

-AS

Super Bronze

ASA GNS3 project working

Hi,

Whether ICMP works depends on what the destination IP address is. I don't know what you are using in the tests.

It also has a strange configuration related to the network 10.0.0.0/24.

The mentioned network is both directly configured on an ASA "management" interface and there is also a static route for the network pointing towards the "outside" interface. If the "management" interface is up then it means that traffic destined for network 10.0.0.0/24 is forwarded through the "management" interface and the static route configured for the network is useless, as a connected route always overrides a static route.

- Jouni

New Member

Re: ASA GNS3 project working

Hi,

To test ping, I try to ping from R1 (192.168.200.1) to ISP_R1 (62.28.190.65).

About that route: I already removed it and the ping traffic still doesn't work.

Tell me:

Interfaces are ok?

NAT is ok?

Policy map is ok?

It must be something else man...

Super Bronze

ASA GNS3 project working

Hi,

How are you using the source address 192.168.200.1?

If you simply type "ping x.x.x.x" then the ASA will use the "outside" interface IP address as the source. If you specify the "inside" interface as the source in the extended ping then the traffic will go through WITHOUT NAT.

NAT will not be applied to traffic from the ASA itself, to my understanding.

So you should use some host/device behind the "inside" interface to test ICMP / PING.

- Jouni

New Member

Re: ASA GNS3 project working

Hi,

When I ping from the ASA I ping every device. No problems with that.

But when I try to ping from the router that is in the inside interface LAN, I just can't make it pass through.

So no problem with routing.

More: from R1 I can't even ping the ASA public IP 62.28.190.66.

Super Bronze

ASA GNS3 project working

Hi,

You can only ping the interface IP address of ASA behind which the host is.

So hosts/networks behind "inside" can ping the "inside" interface. Hosts/networks behind "outside" can ping the "outside" interface IP address. Hosts behind "inside" CAN'T ping the "outside" interface IP address.

- Jouni

New Member

Re: ASA GNS3 project working

Hi,

So I can't ping Google (outside) from the inside network of my company. Is that what you are saying?

I'm sorry, this just has to be a misunderstanding.

Imagine ISP_R1 is the Vodafone router, my ISP. And the ASA is between that router and R1 (my company 2911). You are saying that I can't ping Google through my ISP? Huumm.

Super Bronze

ASA GNS3 project working

Hi,

You mentioned that you were trying to ping the ASA "outside" interface IP address from R1 192.168.200.1 which is behind "inside" interface. This is not possible and is expected behaviour.

The only place where you can ping the "outside" interface is from networks/hosts that are behind the "outside" interface according to the ASA's routing table.

So you should be able to ping the ISP-R1 from the R1 but not the ASA "outside" interface.

If this was an actual ASA in a live environment then you would naturally need a default route pointing towards the ISP-R1 on the ASA. Otherwise the ASA wouldn't know where to forward traffic destined to remote networks.

- Jouni

New Member

Re: ASA GNS3 project working

Hi,

But in the case of the ISP_R1, the ASA is directly connected to that router. Does it need a route anyway?

-AS

Super Bronze

ASA GNS3 project working

Hi,

No, I mean in a live network it would require a default route to actually route traffic to remote networks that are not directly connected to it.

I am not sure what the problem at the moment is. So far, if I understood correctly, the problem was that you couldn't ping the ASA "outside" interface from the R1. And as stated, this is something that can be expected as the ASA doesn't allow that in any situation.

- Jouni

New Member

Re: ASA GNS3 project working

Hi,

I meant to say:

From R1 I want to ping ISP_R1. This lets me know if the ICMP traffic reaches the ISP and the inspect is working.

But it's not working with that config.

-AS

Super Bronze

Re: ASA GNS3 project working

Ok,

Let's try the "packet-tracer" command to simulate an ICMP Echo arriving from R1 to ISP-R1.

Insert the following command on the ASA CLI and copy/paste the output here:

packet-tracer input inside icmp 192.168.200.1 8 0 62.28.190.65

- Jouni

Super Bronze

Re: ASA GNS3 project working

Also just to confirm,

Seems to me that the R1 is mentioned to have IP 192.168.200.1, though it also seems that the ASA is configured with the same IP address of 192.168.200.1?

Are these the actual configurations, as this naturally wouldn't work?

What are the interface IP addresses of R1 and the ASA "inside" interface at the moment?

Does the R1 have a default route pointing towards the ASA "inside" interface IP address so R1 knows where to send traffic destined to other networks?

- Jouni

New Member

Re: ASA GNS3 project working

Hi,

If you see in the config R1 is 192.168.200.1 and ASA is .254.

Yes, R1 has the route to the 62.28.190.64 network through interface f0/0.

Does it have to be through the next hop?

In a minute I'll have the output. Initiating the VM.

New Member

Re: ASA GNS3 project working

Hi,

Here are the screen shots:

Hi,

The firewall lets it pass. So it's very strange, man. The routing in R1 and ISP_R1 is fine. Correct?

-AS

Super Bronze

ASA GNS3 project working

Hi,

Both router routing tables list the 62.28.190.64/30 network as directly connected? Also the network 192.168.200.0/24 is mentioned on both routers? Those don't really make sense.

The R1 should have a Static Route

ip route 62.28.190.64 255.255.255.252 192.168.200.254

Or typically it would probably have a default route if the router doesn't have any other way out of the network.

ip route 0.0.0.0 0.0.0.0 192.168.200.254

Also the other discussion you linked says that the ASA "inside" is configured with IP address 192.168.200.1:

interface GigabitEthernet4
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0

- Jouni

Super Bronze

ASA GNS3 project working

And as you can see, the ASA "packet-tracer" simulation goes through without problems.

The actual problem seems to be related to the routers in the setup.

- Jouni

New Member

Re: ASA GNS3 project working

Jouni,

I'll correct the routing problems and I'll tell you more about it later.

Many thanks. You saved me a lot of time.

[]´s

António

New Member

Re: ASA GNS3 project working

Hi Jouni,

You were totally right. Routing problems.

Jouni Rocks

Take care man.

- AS

Super Bronze

ASA GNS3 project working

Hi,

Glad to hear you got it working

- Jouni

New Member

Re: ASA GNS3 project working

Hi Jouni,

At this moment I'm experiencing a problem with NAT. Can you check this, please?

Network Diagram:

ASA configs:

: Saved
: Written by enable_15 at 19:26:55.559 UTC Wed Sep 4 2013
!
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 62.28.190.66 255.255.255.252
!
interface GigabitEthernet1
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 nameif dmz
 security-level 70
 ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet4
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
no ftp mode passive
object network Net-Inside
 subnet 192.168.200.0 255.255.255.0
object network Net-Dmz
 subnet 192.168.100.0 255.255.255.0
object network webserver-dmz
 host 192.168.100.1
access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq www
access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq https
access-list OUTSIDE_DMZ_WEB extended permit tcp any host 192.168.100.1 eq whois
access-list OUTSIDE_DMZ_WEB extended permit icmp any host 192.168.100.1
pager lines 24
mtu outside 1500
mtu dmz 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
!
object network Net-Inside
 nat (inside,outside) dynamic interface
object network Net-Dmz
 nat (dmz,outside) dynamic interface
object network webserver-dmz
 nat (dmz,outside) static interface service tcp www www
access-group OUTSIDE_DMZ_WEB in interface outside
route outside 10.0.0.0 255.255.255.0 62.28.190.65 1
route inside 192.168.15.0 255.255.255.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:cb29abf617f52ce87c186e7aacc36cb5
: end

Packet tracer for ICMP from outside to DMZ

Packet tracer for HTTP from outside to DMZ will be posted in a message; the insert-picture function crashed.

Super Bronze

Re: ASA GNS3 project working

Hi,

You have targeted the actual IP address of the server in the DMZ in the "packet-tracer" command. You will have to use the NAT IP address as the target, as we will naturally be simulating traffic that would be coming towards the public IP address rather than a private IP address.

So try for example:

packet-tracer input outside icmp 10.0.0.1 8 0 62.28.190.66

packet-tracer input outside tcp 10.0.0.1 12345 62.28.190.66 80

- Jouni

New Member

Re: ASA GNS3 project working

Both pass.

Forget it, man, I was testing in the wrong way.

I tried to access and ping 192.168.100.1 (private address). Accessing private addresses from outside isn't possible with this config.

Thanks again.
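To make the points raised in this thread concrete, here is an added Python model of the ASA config posted above; it is example code written for this page, not Cisco code and not from any poster. It walks the phases that "packet-tracer" reports in the same order the ASA uses: un-translate the inbound static PAT (so the public IP 62.28.190.66:80 becomes 192.168.100.1:80), route lookup with connected networks taking precedence over static routes (the management-interface point), the OUTSIDE_DMZ_WEB access-list evaluated on real addresses, outbound dynamic PAT, and the rule that an interface IP answers only to hosts behind that interface. The phase names and the returned tuple are a simplification of my own.

```python
import ipaddress

# Constructed from the posted config: nameif -> interface address (one line per "ip address").
IFACES = {
    "outside": ipaddress.ip_interface("62.28.190.66/30"),
    "dmz":     ipaddress.ip_interface("192.168.100.254/24"),
    "inside":  ipaddress.ip_interface("192.168.200.254/24"),
}
SEC_LEVEL = {"outside": 0, "dmz": 70, "inside": 100}
STATIC_ROUTES = [(ipaddress.ip_network("10.0.0.0/24"), "outside")]  # route outside 10.0.0.0 ...
# nat (dmz,outside) static interface service tcp www www: (proto, mapped ip, mapped port) -> real
STATIC_NAT = {("tcp", "62.28.190.66", 80): ("192.168.100.1", 80)}
DYNAMIC_PAT = {"inside": "outside", "dmz": "outside"}  # nat (x,outside) dynamic interface
# access-list OUTSIDE_DMZ_WEB uses real addresses; access-group ... in interface outside
ACL = {"outside": [("tcp", "192.168.100.1", 80), ("tcp", "192.168.100.1", 443),
                   ("tcp", "192.168.100.1", 43), ("icmp", "192.168.100.1", None)]}

def egress_interface(dst):
    """Route lookup: a connected network wins over a static route for the same prefix."""
    ip = ipaddress.ip_address(dst)
    for name, iface in IFACES.items():
        if ip in iface.network:
            return name
    for net, name in STATIC_ROUTES:
        if ip in net:
            return name
    return None

def packet_tracer(ingress, proto, src, dst, dport=None):
    """Return (action, phase, detail), a simplified version of the ASA's phase summary."""
    # Phase 1, UN-NAT: an inbound hit on the static PAT rewrites public IP/port to the DMZ host.
    real_dst, real_port = STATIC_NAT.get((proto, dst, dport), (dst, dport))
    # To-the-box traffic: an interface IP is reachable only from the interface it belongs to.
    for name, iface in IFACES.items():
        if ipaddress.ip_address(real_dst) == iface.ip:
            return ("ALLOW" if name == ingress else "DROP", "to-the-box", name)
    # Phase 2, ROUTE-LOOKUP on the real (untranslated) destination.
    egress = egress_interface(real_dst)
    if egress is None:
        return ("DROP", "route-lookup", "no route to " + real_dst)
    # Phase 3, ACCESS-LIST: lower -> higher security level needs an explicit permit.
    if SEC_LEVEL[ingress] < SEC_LEVEL[egress]:
        permitted = any(p == proto and h == real_dst and (pt is None or pt == real_port)
                        for p, h, pt in ACL.get(ingress, []))
        if not permitted:
            return ("DROP", "access-list", "implicit deny on " + ingress)
    # Phase 4, NAT: outbound dynamic PAT hides the source behind the egress interface IP.
    mapped_src = str(IFACES[egress].ip) if DYNAMIC_PAT.get(ingress) == egress else src
    port = f":{real_port}" if real_port is not None else ""
    return ("ALLOW", "nat", f"{mapped_src} -> {real_dst}{port} via {egress}")
```

Running Jouni's two suggested commands through it shows the HTTP probe landing on 192.168.100.1:80 via dmz, while an ICMP echo from R1 to the ASA's own outside address is dropped at the to-the-box check, exactly the behaviour described earlier in the thread.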
