06-13-2012 03:31 AM - edited 03-11-2019 04:18 PM
Hello all,
I am facing issue with my ASA 5510 Ver 7.2(2) , since i lose connectivity to the public network through my LAN
When i login to firewall i can ping public network( internet) however when i try to ping the other end of my inside interface ( MY LAN ) it give me the following
FIREWALL# ping 192.168.10.1
Type escapes sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
I tried to reload the inside interface but still same result.
When i reload the ASA the traffic flow normally and i can get normal ping on my LAN side
FIREWALL# ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
This thing happened twice so far.
Is there an explanation for this behavior?
06-13-2012 02:26 PM
Please can you post your firewall config?
Also what has changed within your network?
When did you notice this problem occuring?
Can you also paste a show version and show local-host output please?
06-13-2012 10:59 PM
Hi John,
nothing has been changed in my network, this setup is up and the same since 7 years
find the config below:
FIREWALL# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname FIREWALL
domain-name ato.com
enable password S5Kris64iLo/jAvo encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.210 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.2 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd S5Kris64iLo/jAvo encrypted
ftp mode passive
clock timezone AST 3
dns server-group DefaultDNS
domain-name ato.com
access-list ato_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.11.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.12.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.13.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.30.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.31.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.31.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host X.X.X.211 eq smtp log errors
access-list outside_access_in extended permit tcp any host X.X.X.211 eq 3389 log errors
access-list outside_access_in extended permit tcp any host X.X.X.215 eq www
access-list outside_access_in extended permit tcp any host X.X.X.216 eq www
access-list outside_access_in extended permit tcp any host X.X.X.217 eq 8000
access-list outside_access_in extended permit tcp any host X.X.X.217 eq www
access-list outside_access_in extended permit tcp any host X.X.X.218 eq www
access-list outside_access_in extended permit tcp any host X.X.X.219 eq www
access-list outside_access_in extended permit tcp any host X.X.X.220 eq www
access-list outside_access_in extended permit tcp any host X.X.X.221 eq www
access-list outside_access_in extended permit tcp any host X.X.X.222 eq www
access-list outside_access_in extended permit tcp any host X.X.X.215 eq https
access-list outside_access_in extended permit tcp any host X.X.X.216 eq https
access-list outside_access_in extended permit tcp any host X.X.X.217 eq https
access-list outside_access_in extended permit tcp any host X.X.X.218 eq https
access-list outside_access_in extended permit tcp any host X.X.X.219 eq https
access-list outside_access_in extended permit tcp any host X.X.X.220 eq https
access-list outside_access_in extended permit tcp any host X.X.X.221 eq https
access-list outside_access_in extended permit tcp any host X.X.X.222 eq https
access-list outside_access_in extended permit tcp any host X.X.X.211 eq https
access-list outside_access_in extended permit tcp any host X.X.X.211 eq www
access-list outside_access_in extended permit tcp any host X.X.X.211 eq pop3
access-list outside_access_in extended permit tcp any host X.X.X.211 eq imap4
access-list outside_access_in extended permit tcp any host X.X.X.212 eq www
access-list outside_access_in extended permit tcp any host X.X.X.212 eq citrix-ica
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.11.0 255.255.255.0
nat (inside) 1 192.168.12.0 255.255.255.0
nat (inside) 1 192.168.13.0 255.255.255.0
nat (inside) 1 192.168.14.0 255.255.255.0
nat (inside) 1 192.168.15.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (inside) 1 192.168.30.0 255.255.255.0
nat (inside) 1 192.168.31.0 255.255.255.0
static (inside,outside) X.X.X.211 192.168.20.112 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.215 192.168.20.105 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.216 192.168.20.216 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.217 192.168.20.217 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.218 192.168.20.218 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.219 192.168.20.219 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.220 192.168.20.220 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.221 192.168.20.221 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.222 192.168.20.222 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.212 192.168.10.98 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.209 1
route inside 192.168.11.0 255.255.255.0 192.168.10.1 1
route inside 192.168.12.0 255.255.255.0 192.168.10.1 1
route inside 192.168.13.0 255.255.255.0 192.168.10.1 1
route inside 192.168.14.0 255.255.255.0 192.168.10.1 1
route inside 192.168.15.0 255.255.255.0 192.168.10.1 1
route inside 192.168.20.0 255.255.255.0 192.168.10.1 1
route inside 192.168.30.0 255.255.255.0 192.168.10.1 1
route inside 192.168.31.0 255.255.255.0 192.168.10.1 1
route inside 192.168.40.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 5
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy ato internal
group-policy ato attributes
dns-server value 192.168.20.103 192.168.20.101
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ato_splitTunnelAcl
default-domain value ato.com
username admin password Tzg3c1PIoQmo0vOV encrypted privilege 15
username faeq password YE28Y8GGAUvB7MN/ encrypted privilege 15
username charbel password F2mjGjd6XANc/UNP encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
default-group-policy ato
strip-realm
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group ato type ipsec-ra
tunnel-group ato general-attributes
address-pool VPN_POOL
default-group-policy ato
tunnel-group ato ipsec-attributes
pre-shared-key *
tunnel-group-map default-group ato
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns MY_DNS_INSPECT_MAP
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns MY_DNS_INSPECT_MAP
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7543aa9330fa3d478fb64c475657a080
: end
FIREWALL#
FIREWALL#
FIREWALL#
=============================
FIREWALL# sh ver
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"
FIREWALL up 11 mins 16 secs
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 001a.2f94.3274, irq 9
1: Ext: Ethernet0/1 : address is 001a.2f94.3275, irq 9
2: Ext: Ethernet0/2 : address is 001a.2f94.3276, irq 9
3: Ext: Ethernet0/3 : address is 001a.2f94.3277, irq 9
4: Ext: Management0/0 : address is 001a.2f94.3273, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
This platform has a Base license.
Serial Number: JMX1107L110
Running Activation Key: 0x95252051 0xec74c1f5 0x28f30df4 0x992c48c8 0x880df6a3
Configuration register is 0x1
Configuration has not been modified since last system restart.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide