Basic conf ASA 5505

p.maillot
Level 1

Hello,

I'm a newbie on ASA and I need some assistance.

I have this schema:

Host 192.168.1.0/24 ---> ASA INSIDE -----> ASA OUTSIDE ------> my router interface

From host 192.168.1.0/24 I can ping the INSIDE interface of my ASA, but I cannot ping the OUTSIDE interface, nor the interface of my router at address 172.16.0.5/252.

My config is below.

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 1I5BT/dHhpGbnQvr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 100
 ip address 172.16.0.6 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
username admin password p1ClWSkbSujddlxc encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:885202205e413b4a47e7f59d572ef3d7
: end
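The config above has three properties a reviewer would flag: the outside interface sits at security-level 100 (the same as inside, with same-security inter-interface traffic permitted), the ACL applied inbound on outside is permit ip any any, and nat-control is on with no nat or global rule, so no transit flow has a translation. As an added example, not part of the original post and not a Cisco tool, the following Python script parses an ASA 7.x running-config excerpt and reports those conditions. POSTED_CONFIG is trimmed from the config above; FIXED_CONFIG is a constructed corrected version built from the NAT exemption and ICMP ACL suggested later in the thread, with the outside interface moved to security-level 0.

```python
"""Audit an ASA 7.x running-config for the weaknesses discussed in the thread.

Added example, not from the thread. POSTED_CONFIG is trimmed from the posted
config; FIXED_CONFIG is a constructed corrected excerpt.
"""
import re
from dataclasses import dataclass

POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 100
 ip address 172.16.0.6 255.255.255.252
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
nat-control
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.5 1
"""

FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.0.6 255.255.255.252
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.4 255.255.255.252
access-list outside_access_in extended permit icmp host 172.16.0.5 192.168.1.0 255.255.255.0 echo
nat-control
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
"""


@dataclass
class Finding:
    code: str
    detail: str


def parse(config):
    """Extract interface security levels, ACLs, access-groups and NAT/same-security lines."""
    interfaces, acls, groups, flags = {}, {}, {}, set()
    current = None  # interface block being read: {"nameif": ..., "level": ...}
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command closes an open interface block
            if current and current["nameif"]:
                interfaces[current["nameif"]] = current["level"]
            current = None
        if line.startswith("interface "):
            current = {"nameif": None, "level": None}
        elif current is not None:  # indented sub-commands of the interface
            if line.startswith("nameif "):
                current["nameif"] = line.split()[1]
            elif line.startswith("security-level "):
                current["level"] = int(line.split()[1])
        elif (m := re.match(r"access-list (\S+) (?:extended )?(.*)", line)):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif (m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line)):
            groups[m.group(3)] = (m.group(1), m.group(2))
        elif line.startswith(("nat ", "global ", "same-security-traffic", "nat-control")):
            flags.add(line)
    if current and current["nameif"]:
        interfaces[current["nameif"]] = current["level"]
    return interfaces, acls, groups, flags


def audit(config):
    """Return the findings a reviewer would raise for this config."""
    interfaces, acls, groups, flags = parse(config)
    findings = []
    inside, outside = interfaces.get("inside"), interfaces.get("outside")
    if outside is not None and outside != 0:
        findings.append(Finding("OUTSIDE_LEVEL",
                                f"outside is security-level {outside}; the untrusted side should be 0"))
    if inside is not None and inside == outside and \
            "same-security-traffic permit inter-interface" in flags:
        findings.append(Finding("NO_TRUST_BOUNDARY",
                                "inside and outside share a level and inter-interface traffic is permitted"))
    acl, direction = groups.get("outside", (None, None))
    if direction == "in" and any(ace.startswith("permit ip any any") for ace in acls.get(acl, [])):
        findings.append(Finding("OUTSIDE_ANY_ANY", f"{acl} permits ip any any inbound on outside"))
    # With nat-control every transit flow needs an xlate; no nat/global rule means nothing passes.
    if "nat-control" in flags and not any(f.startswith(("nat (", "global (")) for f in flags):
        findings.append(Finding("NAT_CONTROL_NO_RULES",
                                "nat-control is on but no nat/global rule exists, so transit traffic is dropped"))
    return findings


def codes(config):
    """Sorted finding codes, convenient for comparing two configs."""
    return sorted(f.code for f in audit(config))


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, [f"{f.code}: {f.detail}" for f in audit(cfg)])
```

Running it reports four findings for the posted excerpt and none for the corrected one. The NAT_CONTROL_NO_RULES finding is the one that matches the symptom in the thread: with nat-control and no translation rules, neither the host's pings to the router nor the router's pings to the host can pass until a nat rule or a nat 0 exemption exists.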


From my host 192.168.1.2 I want to ping the interface of my router, 172.16.0.5/30.

From my host to ASA Inside interface = OK

From my host to ASA Outside interface = NOK

From my router to ASA Outside interface = OK

From my router to my Host = NOK

"From my host to ASA Outside interface = NOK"

This is the default, non-changeable behaviour, which has no effect on your network.

"From my router to my Host = NOK"

To achieve this, make the following modification:

access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 172.16.0.4 255.255.255.252

nat (inside) 0 access-list inside_nat0_outbound

"From my host 192.168.1.2 I want to ping the interface of my router 172.16.0.5/30"

You should be able to do this right now; check that your host has the default gateway 192.168.1.1. If the Windows firewall is enabled and you have an exception added for PING, keep in mind that the exceptions work only for the same subnet, so you won't be able to receive ping replies from another subnet like your router's interface. So either manually enter an exception for the 172 subnet or temporarily disable the Windows firewall for testing purposes.

Thank you a lot, husycisco.

Now from the host I can ping my router, but why can't I ping the host from my router?

Is that normal?

Try this,

In the router, just type ping, then press enter. Enter the destination address, then press enter to accept the defaults for the other settings until the extended options prompt, which states [n]. Press y when asked for extended options; it will ask you for a "source interface": type in 172.16.0.5, then press enter for all other options and see if the ping is successful.

Pascal,

Any update?

*Please rate helpful posts

Hi Husycisco.

My ASA 5510 is connected behind an 871 router.

The ASA outside interface goes to F0 (switch port) of my 871.

For information, the 871 has 4 switch ports (F0 to F3) and a WAN interface, F4.

Now from my host I cannot ping interface F0 (172.16.0.5), maybe because F0 on the router is not routing?

I have done this test: if I put my laptop on the ASA outside interface, I can ping my laptop from the host.

The problem is when I connect the ASA outside interface to the 871's F0 interface.

The F4 interface of the 871 is already used; I can use only F0 to F3. Any idea?

Pascal,

In the router, run "sh interface f0/0" while connected to the ASA, then post the output here.

sh interfaces f0
FastEthernet0 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0021.d8e6.11b6 (bia 0021.d8e6.11b6)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4510 packets input, 311509 bytes, 0 no buffer
     Received 1 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     5092 packets output, 380877 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Routeur_ITF1#

Please also post the router's config.

Building configuration...

Current configuration : 1094 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Routeur_ITF1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 10.52.72.129 255.255.255.192
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan2
 ip address 172.16.0.5 255.255.255.252
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 172.16.0.6
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

Routeur_ITF1#

The router config looks OK. In the ASA, run "sh int outside" while it is connected to the router. Then in the router, in user exec mode, run debug ip packet detail; then, in the ASA, ping the router interface and see if any debugs show up at the router.

I don't know what happened, but now I can ping the router at 172.16.0.5. From the router, however, I cannot ping the hosts in 192.168.1.0/24 behind the ASA. Why?

So you can ping the router from the firewall, right?

In the router, issue this command:

ip routing

In the firewall, run these commands:

logging on

logging console informational

Now, in the router, try pinging the host in 192.168.1.0/24. DOUBLE-check that there is no software firewall enabled on the host. Then paste the output that appears on the firewall here. Also post the firewall's config so I can check its current state.

Pff... Things got so complicated, and we jumped from one case to another so often, that I am lost... After a fresh look, here is what you have to do to ping inside hosts from the router:

access-list outside_access_in permit icmp host 172.16.0.5 192.168.1.0 255.255.255.0 echo

access-group outside_access_in in interface outside

%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1398 to outside:172.16.0.6/2445
%ASA-6-302013: Built outbound TCP connection 3540 for outside:85.85.39.37/443 (85.85.39.37/443) to inside:192.168.1.2/1398 (172.16.0.6/2445)
%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1352 to outside:172.16.0.6/2406 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1399 to outside:172.16.0.6/2446
%ASA-6-302013: Built outbound TCP connection 3541 for outside:62.162.68.37/9588 (62.162.68.37/9588) to inside:192.168.1.2/1399 (172.16.0.6/2446)
%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1353 to outside:172.16.0.6/2407 duration 0:01:00
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1355 to outside:172.16.0.6/2408 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1400 to outside:172.16.0.6/2447
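The messages above are ASA syslog lines in the form %ASA-<severity>-<message-id>: <text>. The 305011/305012 lines show dynamic PAT being built and torn down for the inside host, and the severity-3 106014 lines show the ASA denying ICMP from the router (172.16.0.5) to 172.16.0.6, with type 3, code 1, which is an ICMP destination host unreachable error. As an added example, not code from the thread or from Cisco, the Python script below parses such lines, decodes the ICMP type/code in 106014 denials, and separates denials addressed to one of the firewall's own interface addresses from denials of transit traffic, because ICMP that terminates on the ASA is governed by its icmp interface rules rather than by the access-group ACLs. The sample input is a subset of the lines posted above; the firewall address set (172.16.0.6) comes from the posted config.

```python
"""Parse ASA syslog lines and decode the ICMP denials seen in the thread.

Added example, not from the thread. SAMPLE_LOG is a subset of the lines
posted above, embedded here as sample input.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1398 to outside:172.16.0.6/2445
%ASA-6-302013: Built outbound TCP connection 3540 for outside:85.85.39.37/443 (85.85.39.37/443) to inside:192.168.1.2/1398 (172.16.0.6/2445)
%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1352 to outside:172.16.0.6/2406 duration 0:01:00
%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)
"""

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
ICMP_DENY = re.compile(
    r"Deny inbound icmp src (?P<src_if>\w+):(?P<src>\S+) dst (?P<dst_if>\w+):(?P<dst>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)")
XLATE = re.compile(
    r"(?P<action>Built|Teardown) dynamic (?P<proto>\w+) translation from "
    r"(?P<in_if>\w+):(?P<in_ip>\S+)/(?P<in_port>\d+) to (?P<out_if>\w+):(?P<out_ip>\S+)/(?P<out_port>\d+)")

# ICMP type/code names (RFC 792) for the values that matter when debugging reachability.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "destination network unreachable",
    (3, 1): "destination host unreachable",
    (3, 3): "destination port unreachable",
    (8, 0): "echo request",
    (11, 0): "TTL exceeded in transit",
}


def parse_line(line):
    """Return a dict for one %ASA syslog line, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}
    if rec["msgid"] == "106014" and (d := ICMP_DENY.match(rec["text"])):
        rec.update(d.groupdict())
        rec["type"], rec["code"] = int(d["type"]), int(d["code"])
        rec["icmp"] = ICMP_NAMES.get((rec["type"], rec["code"]), "unknown")
    elif rec["msgid"] in ("305011", "305012") and (x := XLATE.match(rec["text"])):
        rec.update(x.groupdict())
    return rec


def summarize(log, firewall_addresses):
    """Count messages by id and split ICMP denials by whether they target the ASA itself."""
    records = [r for r in map(parse_line, log.splitlines()) if r]
    denied = [r for r in records if r["msgid"] == "106014"]
    # ICMP aimed at one of the firewall's own addresses is controlled by the
    # 'icmp permit|deny' interface rules, not by the access-group ACLs.
    to_firewall = [r for r in denied if r.get("dst") in firewall_addresses]
    return {
        "count_by_id": Counter(r["msgid"] for r in records),
        "denied_icmp": denied,
        "denied_to_firewall": to_firewall,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, {"172.16.0.6"})
    print(dict(summary["count_by_id"]))
    for r in summary["denied_to_firewall"]:
        print(f'{r["src"]} -> {r["dst"]}: ICMP type {r["type"]} code {r["code"]} ({r["icmp"]})')
```

On the sample lines, both 106014 denials decode as destination host unreachable from the router addressed to the ASA's outside address, so they are the router telling the firewall it could not deliver something, not pings from the router to the inside host being blocked by the ACL.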
