ASA needs to be reloaded to flow traffic from inside interface

sezaar
Level 1

Hello all,

I am facing an issue with my ASA 5510 Ver 7.2(2), since I lose connectivity to the public network through my LAN.

When I log in to the firewall I can ping the public network (internet); however, when I try to ping the other end of my inside interface (my LAN) it gives me the following:

FIREWALL# ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

I tried to reload the inside interface, but still the same result.

When I reload the ASA the traffic flows normally and I can get a normal ping on my LAN side:

FIREWALL# ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

This thing happened twice so far.

Is there an explanation for this behavior?


John Peterson
Level 1

Please can you post your firewall config?

Also what has changed within your network?

When did you notice this problem occurring?

Can you also paste a show version and show local-host output please?

Hi John,

Nothing has been changed in my network; this setup has been up and unchanged for 7 years.

Find the config below:

FIREWALL# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname FIREWALL
domain-name ato.com
enable password S5Kris64iLo/jAvo encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.210 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd S5Kris64iLo/jAvo encrypted
ftp mode passive
clock timezone AST 3
dns server-group DefaultDNS
 domain-name ato.com
access-list ato_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.11.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.12.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.13.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.30.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.31.0 255.255.255.0
access-list ato_splitTunnelAcl standard permit 192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.14.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.31.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host X.X.X.211 eq smtp log errors
access-list outside_access_in extended permit tcp any host X.X.X.211 eq 3389 log errors
access-list outside_access_in extended permit tcp any host X.X.X.215 eq www
access-list outside_access_in extended permit tcp any host X.X.X.216 eq www
access-list outside_access_in extended permit tcp any host X.X.X.217 eq 8000
access-list outside_access_in extended permit tcp any host X.X.X.217 eq www
access-list outside_access_in extended permit tcp any host X.X.X.218 eq www
access-list outside_access_in extended permit tcp any host X.X.X.219 eq www
access-list outside_access_in extended permit tcp any host X.X.X.220 eq www
access-list outside_access_in extended permit tcp any host X.X.X.221 eq www
access-list outside_access_in extended permit tcp any host X.X.X.222 eq www
access-list outside_access_in extended permit tcp any host X.X.X.215 eq https
access-list outside_access_in extended permit tcp any host X.X.X.216 eq https
access-list outside_access_in extended permit tcp any host X.X.X.217 eq https
access-list outside_access_in extended permit tcp any host X.X.X.218 eq https
access-list outside_access_in extended permit tcp any host X.X.X.219 eq https
access-list outside_access_in extended permit tcp any host X.X.X.220 eq https
access-list outside_access_in extended permit tcp any host X.X.X.221 eq https
access-list outside_access_in extended permit tcp any host X.X.X.222 eq https
access-list outside_access_in extended permit tcp any host X.X.X.211 eq https
access-list outside_access_in extended permit tcp any host X.X.X.211 eq www
access-list outside_access_in extended permit tcp any host X.X.X.211 eq pop3
access-list outside_access_in extended permit tcp any host X.X.X.211 eq imap4
access-list outside_access_in extended permit tcp any host X.X.X.212 eq www
access-list outside_access_in extended permit tcp any host X.X.X.212 eq citrix-ica
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.11.0 255.255.255.0
nat (inside) 1 192.168.12.0 255.255.255.0
nat (inside) 1 192.168.13.0 255.255.255.0
nat (inside) 1 192.168.14.0 255.255.255.0
nat (inside) 1 192.168.15.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (inside) 1 192.168.30.0 255.255.255.0
nat (inside) 1 192.168.31.0 255.255.255.0
static (inside,outside) X.X.X.211 192.168.20.112 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.215 192.168.20.105 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.216 192.168.20.216 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.217 192.168.20.217 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.218 192.168.20.218 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.219 192.168.20.219 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.220 192.168.20.220 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.221 192.168.20.221 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.222 192.168.20.222 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.212 192.168.10.98 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.209 1
route inside 192.168.11.0 255.255.255.0 192.168.10.1 1
route inside 192.168.12.0 255.255.255.0 192.168.10.1 1
route inside 192.168.13.0 255.255.255.0 192.168.10.1 1
route inside 192.168.14.0 255.255.255.0 192.168.10.1 1
route inside 192.168.15.0 255.255.255.0 192.168.10.1 1
route inside 192.168.20.0 255.255.255.0 192.168.10.1 1
route inside 192.168.30.0 255.255.255.0 192.168.10.1 1
route inside 192.168.31.0 255.255.255.0 192.168.10.1 1
route inside 192.168.40.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 5
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy ato internal
group-policy ato attributes
 dns-server value 192.168.20.103 192.168.20.101
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ato_splitTunnelAcl
 default-domain value ato.com
username admin password Tzg3c1PIoQmo0vOV encrypted privilege 15
username faeq password YE28Y8GGAUvB7MN/ encrypted privilege 15
username charbel password F2mjGjd6XANc/UNP encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
 default-group-policy ato
 strip-realm
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group ato type ipsec-ra
tunnel-group ato general-attributes
 address-pool VPN_POOL
 default-group-policy ato
tunnel-group ato ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group ato
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns MY_DNS_INSPECT_MAP
  inspect icmp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7543aa9330fa3d478fb64c475657a080
: end
FIREWALL#

=============================

FIREWALL# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"

FIREWALL up 11 mins 16 secs

Hardware:   ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is 001a.2f94.3274, irq 9
1: Ext: Ethernet0/1         : address is 001a.2f94.3275, irq 9
2: Ext: Ethernet0/2         : address is 001a.2f94.3276, irq 9
3: Ext: Ethernet0/3         : address is 001a.2f94.3277, irq 9
4: Ext: Management0/0       : address is 001a.2f94.3273, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5
             
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 50       
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
Security Contexts           : 0        
GTP/GPRS                    : Disabled 
VPN Peers                   : 250      
WebVPN Peers                : 2        

This platform has a Base license.

Serial Number: JMX1107L110
Running Activation Key: 0x95252051 0xec74c1f5 0x28f30df4 0x992c48c8 0x880df6a3
Configuration register is 0x1
Configuration has not been modified since last system restart.
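The posted running-config is worth a quick management-plane review independent of the reload symptom: `http`, `ssh` and `telnet` are all permitted from `0.0.0.0 0.0.0.0`, the `http` and `ssh` lines include the security-level 0 `outside` interface, telnet is cleartext, and the ISAKMP policy uses 3DES/MD5/group 2. The script below is an added example, not code from this thread or from Cisco: it parses ASA-style config text (interface blocks, management-access lines, `crypto isakmp policy` blocks) and reports those findings. `SAMPLE_CONFIG` is a constructed excerpt of the config above; the function names, the `MGMT_RE` pattern and the `WEAK_IKE` table are my own assumptions about what to flag, not an ASA feature. It says nothing about why the inside interface stops passing traffic.

```python
import re
from typing import Dict, List

# Constructed excerpt of the running-config posted in the thread (not a live device).
SAMPLE_CONFIG = """\
hostname FIREWALL
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.210 255.255.255.240
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# "<proto> <address> <mask> <nameif>" management-access lines (assumed shape, matches the post).
MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)$")

# IKE phase-1 settings a reviewer would flag as weak today (my own table, not Cisco's).
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_interfaces(config: str) -> Dict[str, int]:
    """Map each interface nameif to its security-level, read from indented interface blocks."""
    levels: Dict[str, int] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {}
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
            if "nameif" in current and "security-level" in current:
                levels[current["nameif"]] = int(current["security-level"])
        else:
            current = None  # any non-indented line ends the block
    return levels


def audit_management_access(config: str) -> List[str]:
    """Flag cleartext telnet and any-source management access, worst on a level-0 interface."""
    findings: List[str] = []
    levels = parse_interfaces(config)
    for line in config.splitlines():
        m = MGMT_RE.match(line)
        if not m:
            continue
        proto, addr, mask, ifname = m.groups()
        any_src = addr == "0.0.0.0" and mask == "0.0.0.0"
        if proto == "telnet":
            findings.append(f"telnet (cleartext) management enabled on {ifname}")
        if any_src and levels.get(ifname, 0) == 0:
            findings.append(f"{proto} management open to any source on security-level 0 interface {ifname}")
        elif any_src:
            findings.append(f"{proto} management allowed from any source on {ifname}; restrict to an admin subnet")
    return findings


def audit_isakmp(config: str) -> List[str]:
    """Flag weak encryption, hash or DH group inside each 'crypto isakmp policy' block."""
    findings: List[str] = []
    policy = None
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy "):
            policy = line.split()[-1]
        elif line.startswith(" ") and policy is not None:
            key, _, value = line.strip().partition(" ")
            if value in WEAK_IKE.get(key, set()):
                findings.append(f"isakmp policy {policy}: weak {key} {value}")
        else:
            policy = None
    return findings


def audit(config: str) -> List[str]:
    """Run every check and return the combined list of findings."""
    return audit_management_access(config) + audit_isakmp(config)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it reports six management-plane findings (both `http` lines, the `telnet` line twice, both `ssh` lines) and three ISAKMP findings; the useful output on a real device is the diff between this list and the administrator's intended access policy.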
