ASA ping issue

isdollsm1
Level 1

I am having trouble pinging from one zone to another.

Zone Management can not ping Zone INSIDE and vice versa. At first I was able to ping the management PC but couldn't ping the inside PC. I have played around with the service policy and ACL but no luck. Any help would be appreciated.

hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif management
 security-level 100
 ip address 192.168.100.5 255.255.255.0
!
interface GigabitEthernet1
 nameif INSIDE
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet2
 nameif OUTSIDE
 security-level 0
 ip address 177.1.1.1 255.255.255.0
!
interface GigabitEthernet3
 nameif DMZ
 security-level 50
 ip address 172.20.20.1 255.255.255.0
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Network
 host 192.168.200.0
object network test
 host 192.168.0.0
object network ASA-Gateway
 host 177.1.1.2
object network Management-Gateway
 host 177.1.1.1
object-group icmp-type SG-ICMP
 icmp-object echo
 icmp-object echo-reply
access-list LAN-WAN-FTP extended permit tcp any any eq ftp
access-list management_access_in extended permit tcp any 177.1.1.0 255.255.255.0 eq telnet
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
access-group management_access_in in interface management
route OUTSIDE 0.0.0.0 0.0.0.0 177.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.100.10 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map global-class
 match any
!
!
policy-map global-policy
 class global-class
  inspect icmp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily


4 Replies

Marvin Rhoads
Hall of Fame

You have applied the access-list:

access-list management_access_in extended permit tcp any 177.1.1.0 255.255.255.0 eq telnet

...on your management interface. That will prohibit other traffic from being originated on hosts connected via that interface.

You can check the flow through the ASA for a given protocol, source address, destination address, etc. using the packet-tracer CLI utility. It will highlight which step is failing in establishing the flow. See this link for reference.

I agree with Marvin's observation about your ACL. That's the most obvious thing to change because it affects the ASA's default behavior which is to allow traffic through the ASA if it's going out an interface with a lower security level, and let the stateful return traffic back in that interface. In fact, since your ACL is allowing Telnet through to go out the outside interface (which has the lowest security level), the default behavior (no ACL required) would already allow that, and the ACL you have in place is only necessary if your intent is to restrict Telnet to only the 177.1.1.0/24 subnet and no other addresses.

Regarding your change to the service policies, I would suggest that unless you have good reason to, removing the standard inspections is probably not a good idea. They are there by default for a reason. Adding ICMP to the list is fine, and something I've done frequently, but without good reason otherwise, I would add the other default protocols back in.

Hope you're well, Marvin!

John

Thanks for the reply.

I have added the ACL. I am able to ping the management PC 192.168.100.10 from the 192.168.200.0 network but not the other way around. I have also added an ACL for that.


ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list LAN-WAN-FTP; 1 elements; name hash: 0x91ef8aeb
access-list LAN-WAN-FTP line 1 extended permit tcp any any eq ftp (hitcnt=0) 0x194240d3
access-list management_access_in; 3 elements; name hash: 0x4814da18
access-list management_access_in line 1 extended permit tcp any 177.1.1.0 255.255.255.0 eq telnet (hitcnt=0) 0x22c167b0
access-list management_access_in line 2 extended permit tcp 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 eq echo (hitcnt=0) 0x9bdc8461
access-list management_access_in line 3 extended permit tcp 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 eq echo (hitcnt=0) 0x41a939ad

Even though I am able to ping that PC, I don't see the number on the hit count changing.

"ping" does not use tcp (or run over ip) - it uses icmp (a protocol "parallel" to ip) - so your access-list entries for tcp with the echo service are incorrect.

And hi to John - doing OK thanks!
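Added illustration (not code from the thread or from Cisco): a small Python evaluator for the extended ACE syntax shown in the sh access-list output above. It walks the poster's three entries plus an assumed corrected "permit icmp ... echo" line and shows that an ICMP echo matches none of the tcp entries, which is consistent with the hitcnt=0 seen on them. The ACL text and the flow addresses are constructed samples.

```python
import ipaddress

# Constructed sample: the three ACEs from the poster's output plus one
# corrected icmp entry (assumed fix, not from the thread).
ACL_TEXT = """\
access-list management_access_in extended permit tcp any 177.1.1.0 255.255.255.0 eq telnet
access-list management_access_in extended permit tcp 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 eq echo
access-list management_access_in extended permit tcp 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 eq echo
access-list management_access_in extended permit icmp 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 echo
"""
# The ACL exactly as the poster had it (first three lines only).
POSTED_ACL = "".join(ACL_TEXT.splitlines(keepends=True)[:3])

def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [service]'.
    Only a destination service is handled: 'eq PORT' for tcp/udp, TYPE for icmp."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[3] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    rest = t[5:]
    src, dst = _take_addr(rest), _take_addr(rest)
    svc = None
    if rest and rest[0] == "eq":
        svc = rest[1]
    elif rest and t[4] == "icmp":
        svc = rest[0]
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst, "svc": svc}

def first_match(acl_text, proto, src_ip, dst_ip, svc=None):
    """Return (line_no, action) of the first ACE the flow hits, or None for the
    implicit deny. Protocol is compared first, so an icmp packet never hits a
    tcp ACE whatever service name follows it: hence hitcnt=0 on the tcp lines."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, line in enumerate(acl_text.splitlines(), 1):
        ace = parse_ace(line)
        if ace["proto"] != proto or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["svc"] is not None and ace["svc"] != svc:
            continue
        return n, ace["action"]
    return None
```

With the posted ACL, an echo from 192.168.100.10 to 192.168.200.10 falls through to the implicit deny; with the icmp line added it hits line 4. The tcp/echo entries would only ever count TCP port 7 traffic.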
