12-12-2008 08:13 AM - edited 03-11-2019 07:25 AM
Hello,
I'm a newbie on ASA and I need some assistance.
I have this schema.
Host 192.168.1.0/ ---> ASA INSIDE -----> ASA OUTSIDE ------> my router interface
From host 192.168.1.0/24 I can ping the INSIDE interface of my ASA, but I cannot ping the OUTSIDE interface, nor any interface of my router at this address 172.16.0.5/252.
My config is below.
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 1I5BT/dHhpGbnQvr encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 100
ip address 172.16.0.6 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
username admin password p1ClWSkbSujddlxc encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:885202205e413b4a47e7f59d572ef3d7
: end
12-12-2008 10:31 AM
From my host 192.168.1.2 I want to ping the interface of my router, 172.16.0.5/30.
From my host to ASA Inside interface = OK
From my host to ASA Outside interface = NOK
From my router to ASA Outside interface = OK
From my router to my Host = NOK
12-12-2008 10:33 AM
"From my host to ASA Outside interface = NOK"
This is the default, non-changeable behaviour, and it has no effect on your network.
"From my router to my Host = NOK"
To achieve this, make the following modification:
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 172.16.0.4 255.255.255.252
nat (inside) 0 access-list inside_nat0_outbound
"From my host 192.168.1.2 I want to ping the interface of my router 172.16.0.5/30"
You should be able to do this right now; check that your host has the default gateway of 192.168.1.1. If Windows Firewall is enabled and you have an exception added for PING, keep in mind that the exceptions work only for the same subnet, so you won't receive ping replies from another subnet like our router's interface. So either manually enter an exception for the 172 subnet, or temporarily disable the Windows Firewall for testing purposes.
12-12-2008 10:49 AM
Thank you a lot, husycisco.
Now from the host I can ping my router, but why can't I ping the host from my router?
Is that normal?
12-12-2008 10:52 AM
Try this:
In the router, just type ping and press enter. Enter the destination address, then press enter to accept the defaults for the other settings until it reaches the extended options prompt, which states [n]. Press y when asked for extended options; it will ask you for the "source interface", type in 172.16.0.5, then press enter for all other options and see if the ping is successful.
12-12-2008 12:21 PM
Pascal,
Any update?
*Please rate helpful posts
12-13-2008 02:45 AM
Hi Husycisco.
My ASA 5510 is connected behind an 871 router.
ASA outside interface to F0 (switch port) of my 871.
For information, the 871 has 4 switch ports (F0 to F3) and WAN interface F4.
Now from my host I cannot ping interface F0 (172.16.0.5), maybe because F0 on the router is not routing?
I did this test: if I put my laptop on the ASA outside interface, from the host I can ping my laptop.
The problem is when I connect the ASA outside interface to the F0 interface of the 871.
The F4 interface of the 871 is already used; I can only use F0 to F3. Any idea?
12-13-2008 03:06 AM
Pascal,
In the router, run "sh interface f0/0" and post the output here, while connected to the ASA.
12-13-2008 03:16 AM
sh interfaces f0
FastEthernet0 is up, line protocol is up
Hardware is Fast Ethernet, address is 0021.d8e6.11b6 (bia 0021.d8e6.11b6)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
4510 packets input, 311509 bytes, 0 no buffer
Received 1 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
5092 packets output, 380877 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Routeur_ITF1#
12-13-2008 03:41 AM
Please also post the config of router.
12-13-2008 03:48 AM
Building configuration...
Current configuration : 1094 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Routeur_ITF1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 10.52.72.129 255.255.255.192
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan2
ip address 172.16.0.5 255.255.255.252
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 172.16.0.6
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
Routeur_ITF1#
12-13-2008 04:13 AM
Router config looks OK. In the ASA, run "sh int outside" while it is connected to the router. Then in the router, in user exec mode, run debug ip packet detail; then in the ASA, ping the router interface and see if any debugs show up at the router.
12-13-2008 04:50 AM
I don't know what happened, but now I can ping the router at 172.16.0.5; from the router, however, I cannot ping the hosts 192.168.1.0/24 behind the ASA. Why?
12-13-2008 05:04 AM
So you can ping the router from the firewall, right?
In the router, issue this command:
ip routing
In the firewall, run these commands:
logging on
logging console informational
Now in the router, try pinging the host in 192.168.1.0/24. DOUBLE-check that there is no software firewall enabled on the host. Then paste the output that appeared on the firewall here. Also post the firewall's config so I can check the recent state.
12-13-2008 05:23 AM
Pff... Things got so complicated, jumping from one case to another, that I am lost... After a fresh look, here is what you have to do to ping inside hosts from the router:
access-list outside_access_in permit icmp host 172.16.0.5 192.168.1.0 255.255.255.0 echo
access-group outside_access_in in interface outside
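The two replies above rely on three ASA behaviours: access-list masks are ordinary subnet masks (not IOS wildcard masks), entries are evaluated top to bottom with the first match deciding and an implicit deny at the end, and traffic matched by the ACL named in `nat (inside) 0 access-list` is exempt from translation. One point worth keeping in mind when applying the narrowed entry: an `access-list` line entered without a `line` number is appended to the end of the list, so while the original `permit ip any any` is still present it remains the first match and the narrower entry never takes effect. The toy evaluator below is an added example, not device output or code from the thread; it models those rules in Python and evaluates the wide-open list and the narrowed list separately against packets constructed from the thread's addresses.

```python
"""Toy first-match evaluator for ASA-style extended access lists and a NAT-exemption ACL.

Added example (not the thread's device output). Models three ASA behaviours:
  * ACL masks are ordinary subnet masks (not IOS wildcard masks),
  * entries are evaluated top to bottom and the first match decides,
  * traffic matched by the ACL named in 'nat (inside) 0 access-list X' is exempt from NAT.
Sample packets below are constructed from the addresses used in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# ICMP type keywords accepted by this toy parser (a subset of the ASA keywords).
ICMP_TYPE_NAMES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: IPv4Address
    dst: IPv4Address
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    icmp_type: Optional[int] = None  # None = any ICMP type

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if pkt.src not in self.src or pkt.dst not in self.dst:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def _network(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' at tokens[i]; return (net, next index)."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    return IPv4Network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [ICMP-TYPE]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _network(t, i + 2)
    dst, i = _network(t, i)
    icmp_type = None
    if proto == "icmp" and i < len(t):
        icmp_type = ICMP_TYPE_NAMES[t[i]] if t[i] in ICMP_TYPE_NAMES else int(t[i])
    return Ace(action, proto, src, dst, icmp_type)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins: (action, index), or ('deny', None) for the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None


def nat_exempt(nat0_acl: List[Ace], pkt: Packet) -> bool:
    """Traffic permitted by the 'nat (inside) 0 access-list' ACL keeps its real source address."""
    return evaluate(nat0_acl, pkt)[0] == "permit"


# The wide-open outside ACL from the first post, the narrowed entry from the reply above,
# and the NAT-exemption ACL from the earlier reply.
WIDE_OPEN = [parse_ace("access-list outside_access_in extended permit ip any any")]
NARROW = [parse_ace("access-list outside_access_in permit icmp host 172.16.0.5 192.168.1.0 255.255.255.0 echo")]
NAT0 = [parse_ace("access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 172.16.0.4 255.255.255.252")]

# Constructed test packets using the thread's addresses.
ROUTER_ECHO = Packet("icmp", IPv4Address("172.16.0.5"), IPv4Address("192.168.1.2"), 8)
ROUTER_TCP = Packet("tcp", IPv4Address("172.16.0.5"), IPv4Address("192.168.1.2"))
OTHER_ECHO = Packet("icmp", IPv4Address("172.16.0.9"), IPv4Address("192.168.1.2"), 8)
HOST_TO_ROUTER = Packet("icmp", IPv4Address("192.168.1.2"), IPv4Address("172.16.0.5"), 8)
HOST_TO_WAN = Packet("tcp", IPv4Address("192.168.1.2"), IPv4Address("85.85.39.37"))

if __name__ == "__main__":
    for label, pkt in [("router echo", ROUTER_ECHO), ("router tcp", ROUTER_TCP), ("other echo", OTHER_ECHO)]:
        print(f"{label:12} wide-open={evaluate(WIDE_OPEN, pkt)[0]:6} narrow={evaluate(NARROW, pkt)[0]}")
    for label, pkt in [("host->router", HOST_TO_ROUTER), ("host->wan", HOST_TO_WAN)]:
        print(f"{label:12} nat-exempt={nat_exempt(NAT0, pkt)}")
```

Run stand-alone, the script shows that the narrowed list admits only the router's echo requests, while the wide-open list admits the router's TCP traffic and echoes from any other outside address as well; the NAT-exemption check confirms that host-to-router traffic keeps its real address while host-to-WAN traffic does not.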
12-13-2008 05:36 AM
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1398 to outside:172.16.0.6/2445
%ASA-6-302013: Built outbound TCP connection 3540 for outside:85.85.39.37/443 (85.85.39.37/443) to inside:192.168.1.2/1398 (172.16.0.6/2445)
%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1352 to outside:172.16.0.6/2406 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1399 to outside:172.16.0.6/2446
%ASA-6-302013: Built outbound TCP connection 3541 for outside:62.162.68.37/9588 (62.162.68.37/9588) to inside:192.168.1.2/1399 (172.16.0.6/2446)
%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1353 to outside:172.16.0.6/2407 duration 0:01:00
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1355 to outside:172.16.0.6/2408 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1400 to outside:172.16.0.6/2447
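In the paste above, the only severity-3 lines are the two `%ASA-3-106014` messages: the router (172.16.0.5) is sending ICMP type 3, code 1 (destination unreachable, host unreachable) toward the ASA's own address 172.16.0.6, and the ASA drops them. That is the kind of line a defender wants pulled out of a console dump automatically, since it is consistent with the symptom being chased in this thread. The parser below is an added example, not the thread's device output; SAMPLE_LOG repeats the lines from the post above, and the ICMP type/code names are the standard ones from RFC 792.

```python
"""Parse ASA syslog lines, tally message IDs by severity, and decode the ICMP denies.

Added example, not from the thread's devices. SAMPLE_LOG repeats the lines pasted in the
post above; the ICMP type/code names are the standard ones from RFC 792.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1398 to outside:172.16.0.6/2445
%ASA-6-302013: Built outbound TCP connection 3540 for outside:85.85.39.37/443 (85.85.39.37/443) to inside:192.168.1.2/1398 (172.16.0.6/2445)
%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1352 to outside:172.16.0.6/2406 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1399 to outside:172.16.0.6/2446
%ASA-6-302013: Built outbound TCP connection 3541 for outside:62.162.68.37/9588 (62.162.68.37/9588) to inside:192.168.1.2/1399 (172.16.0.6/2446)
%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1353 to outside:172.16.0.6/2407 duration 0:01:00
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1355 to outside:172.16.0.6/2408 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1400 to outside:172.16.0.6/2447
"""

# %ASA-<severity>-<6-digit message id>: <text>
HEADER_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# Body of a 106014 message.
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "destination unreachable: net unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (8, 0): "echo request",
    (11, 0): "time exceeded in transit",
}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return {'severity', 'msgid', 'text'} for an ASA syslog line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}


def parse_deny(text: str) -> Optional[Dict[str, object]]:
    """Decode the fields of a 106014 'Deny inbound icmp' message; None if the text is not one."""
    m = DENY_RE.search(text)
    if not m:
        return None
    icmp_type, code = int(m.group("type")), int(m.group("code"))
    return {
        "proto": m.group("proto"),
        "src_if": m.group("src_if"), "src": m.group("src"),
        "dst_if": m.group("dst_if"), "dst": m.group("dst"),
        "type": icmp_type, "code": code,
        "name": ICMP_NAMES.get((icmp_type, code), "unknown"),
    }


def summarize(log_text: str) -> Dict[str, object]:
    """Tally message IDs and severities and collect every decoded ICMP deny."""
    by_id: Counter = Counter()
    by_severity: Counter = Counter()
    denies: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip prompts, blank lines and anything that is not an ASA message
        by_id[rec["msgid"]] += 1
        by_severity[rec["severity"]] += 1
        if rec["msgid"] == "106014":
            decoded = parse_deny(rec["text"])
            if decoded is not None:
                denies.append(decoded)
    return {"by_id": by_id, "by_severity": by_severity, "denies": denies}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("message counts:", dict(s["by_id"]))
    print("severity counts:", dict(s["by_severity"]))
    for d in s["denies"]:
        print(f"deny {d['proto']} {d['src_if']}:{d['src']} -> {d['dst_if']}:{d['dst']} "
              f"type {d['type']} code {d['code']} ({d['name']})")
```

The same two regular expressions work on a `show logging` buffer or a syslog collector's files, since ASA messages keep the `%ASA-<sev>-<id>:` prefix wherever they are sent; only the header parser needs changing if a timestamp precedes the prefix.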