Community Member

Basic conf ASA 5505

Hello,

I'm a newbie on ASA, I need some assistance.

I have this schema.

Host 192.168.1.0/ ---> ASA INSIDE ----->ASA OUTSIDE ------> to my interface router

From host 192.168.1.0/24 I can ping the INSIDE interface of my ASA, but I cannot ping the OUTSIDE interface, nor any interface of my router at this address 172.16.0.5/252

Below is my conf.

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 1I5BT/dHhpGbnQvr encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 100

ip address 172.16.0.6 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit ip any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.0.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

username admin password p1ClWSkbSujddlxc encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:885202205e413b4a47e7f59d572ef3d7

: end


34 REPLIES

Re: Basic conf ASA 5505

From the inside host you are not allowed to ping the outside interface (that's part of the security of the firewall). From the router you should be able to ping the outside IP though. Try adding this line:

icmp permit any outside

Try pinging and if it fails, take a look at the log (show logging buff | inc ICMP) and see where it's failing.

Hope that helps.

Community Member

Re: Basic conf ASA 5505

Thanks Collin, but no change with

icmp permit any outside and icmp permit any inside

This command doesn't exist: show logging buff | inc ICMP.

I can do only

ciscoasa# sh logging ?

asdm Show ASDM syslog buffer content

message Show enabled and disabled messages at non-default level

queue Show syslog queue

setting Show syslog setting

| Output modifiers

Re: Basic conf ASA 5505

Try access-list outside_access_in extended permit icmp any any

Francisco

Re: Basic conf ASA 5505

This should work:

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

Re: Basic conf ASA 5505

Sorry, show logging is correct.

Community Member

Re: Basic conf ASA 5505

Still the same problem with

access-list outside_access_in extended permit icmp any any

And after sh logging?

ciscoasa# sh logging

Syslog logging: disabled

Facility: 20

Timestamp logging: disabled

Standby logging: disabled

Deny Conn when Queue Full: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: disabled

Trap logging: disabled

History logging: disabled

Device ID: disabled

Mail logging: disabled

ASDM logging: level informational, 0 messages logged

Community Member

Re: Basic conf ASA 5505

Same problem with:

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any source-quench

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

Re: Basic conf ASA 5505

Hello Pascal,

Please do the following

(Assuming that NAT for internet connection etc does not take place in router for 192.168.1.0/24 network)

nat (inside) 1 0 0

global (outside) 1 interface

interface Vlan2

security 0

no same-security-traffic permit inter-interface

no same-security-traffic permit intra-interface

no access-list inside_access_in extended permit ip any any

no access-list outside_access_in extended permit ip any any

no access-group inside_access_in in interface inside

no access-group outside_access_in in interface outside

policy-map global_policy

class inspection_default

inspect icmp

Regards

Hall of Fame Super Blue

Re: Basic conf ASA 5505

nat (inside) 1 192.168.1.0 255.255.255.0

global (outside) 1 interface

Jon

Re: Basic conf ASA 5505

Now why didn't I think of that :)

Good job Jon

Community Member

Re: Basic conf ASA 5505

Same problem. See my latest conf:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 1I5BT/dHhpGbnQvr encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 172.16.0.6 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any source-quench

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit icmp any any time-exceeded

pager lines 24

logging asdm informational

mtu inside 1500

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 172.16.0.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

username admin password p1ClWSkbSujddlxc encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:885202205e413b4a47e7f59d572ef3d7

: end

ciscoasa(config)#

Re: Basic conf ASA 5505

Use "sh logg | inc icmp" under CLI and post the output.

Community Member

Re: Basic conf ASA 5505

When I use "sh logg | inc icmp" under CLI, nothing appears.

Re: Basic conf ASA 5505

Config looks OK, now please explain the problem in detail. Please keep in mind that by default, you can NOT! ping the inside interface of the ASA from your router connected to the outside interface. And with this configuration, you can NOT! ping hosts in 192.168.1.0/24 on their actual IPs since they are NATed. If you describe what exactly you want to achieve, then we will advise accordingly.

Community Member

Re: Basic conf ASA 5505

From my host 192.168.1.2 I want to ping the interface of my router 172.16.0.5/30

From my host to ASA Inside interface = OK

From my host to ASA Outside interface = NOK

From my router to ASA Outside interface = OK

From my router to my Host = NOK

Re: Basic conf ASA 5505

"From my host to ASA Outside interface = NOK"

This is the default, non-changeable behaviour, which has no effect on your network.

"From my router to my Host = NOK "

To achieve this, do the following modification

access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 172.16.0.4 255.255.255.252

nat (inside) 0 access-list inside_nat0_outbound

"From my host 192.168.1.2 I want to ping the interface of my router 172.16.0.5/30"

You should be able to do this right now; check that your host has the default gateway 192.168.1.1. !If Windows Firewall is enabled and you have an exception added for PING, keep in mind that the exceptions work only for the same subnet, so you won't be able to receive ping replies from another subnet like your router's interface. So either manually enter an exception for the 172 subnet or temporarily disable the Windows Firewall for testing purposes!

Community Member

Re: Basic conf ASA 5505

Thank you a lot husycisco.........

Now from the host I can ping my router, but why can't I ping the host from my router?

Is that normal?

Re: Basic conf ASA 5505

Try this,

In the router, just type ping then press enter. Enter the destination address, then press enter to accept the defaults for the other settings until extended options, which states [n]. Press y when extended options is asked; it will ask you "source interface", type in 172.16.0.5, then press enter for all other options and see if the ping is successful.

Re: Basic conf ASA 5505

Pascal,

Any update?

*Please rate helpful posts

Community Member

Re: Basic conf ASA 5505

Hi Husycisco.

My ASA 5510 is connected behind a router 871.

ASA outside interface to F0 (switch port) of my 871

For information, the 871 has 4 switch ports (F0 to F3) and WAN interface F4

Now from my host I cannot ping interface F0 (172.16.0.5), maybe because F0 on the router is not routing?

I have done this test: if I put my laptop on the ASA outside interface, from the host I can ping my laptop.

The problem is when I connect the ASA outside interface to the F0 interface of the 871.

The F4 interface of the 871 is already used; I can use only F0 to F3. Any idea?

Re: Basic conf ASA 5505

Pascal,

In the router, run "sh interface f0/0" then post the output here, while connected to the ASA.

Community Member

Re: Basic conf ASA 5505

sh interfaces f0

FastEthernet0 is up, line protocol is up

Hardware is Fast Ethernet, address is 0021.d8e6.11b6 (bia 0021.d8e6.11b6)

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s

ARP type: ARPA, ARP Timeout 04:00:00

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

4510 packets input, 311509 bytes, 0 no buffer

Received 1 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 input packets with dribble condition detected

5092 packets output, 380877 bytes, 0 underruns

0 output errors, 0 collisions, 2 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

Routeur_ITF1#

Re: Basic conf ASA 5505

Please also post the config of router.

Community Member

Re: Basic conf ASA 5505

Building configuration...

Current configuration : 1094 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Routeur_ITF1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

!

dot11 syslog

ip cef

!

!

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

!

!

archive

log config

hidekeys

!

!

!

!

!

interface FastEthernet0

switchport access vlan 2

!

interface FastEthernet1

switchport access vlan 2

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

ip address 10.52.72.129 255.255.255.192

duplex auto

speed auto

!

interface Dot11Radio0

no ip address

shutdown

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Vlan2

ip address 172.16.0.5 255.255.255.252

!

ip forward-protocol nd

ip route 192.168.1.0 255.255.255.0 172.16.0.6

!

!

no ip http server

no ip http secure-server

!

!

!

!

!

control-plane

!

!

line con 0

no modem enable

line aux 0

line vty 0 4

!

scheduler max-task-time 5000

end

Routeur_ITF1#

Re: Basic conf ASA 5505

Router config looks OK. In the ASA run "sh int outside" while it is connected to the router. Then in the router, in user exec mode, run debug ip packet detail; then in the ASA, ping the router interface and see if any debugs show up at the router.

Community Member

Re: Basic conf ASA 5505

I don't know what happened, but now I can ping the router at 172.16.0.5. But from the router I cannot ping the hosts in 192.168.1.0/24 behind the ASA, why?

Re: Basic conf ASA 5505

So you can ping the router from the firewall, right?

In the router, issue this command

ip routing

In the firewall, run these commands

logging on

logging console informational

Now in the router, try pinging the host in 192.168.1.0/24; DOUBLE-check that there is no software firewall enabled on the host. Then paste the output that appeared on the firewall here. Also post the firewall's config to check the recent state.

Re: Basic conf ASA 5505

Pff... Things got so complicated, jumping from one case to another, that I am lost... After a fresh look, here is what you have to do to ping inside hosts from the router

access-list outside_access_in permit icmp host 172.16.0.5 192.168.1.0 255.255.255.0 echo

access-group outside_access_in in interface outside

Community Member

Re: Basic conf ASA 5505

%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1398 to outside:172.16.0.6/2445

%ASA-6-302013: Built outbound TCP connection 3540 for outside:85.85.39.37/443 (85.85.39.37/443) to inside:192.168.1.2/1398 (172.16.0.6/2445)

%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)

%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1352 to outside:172.16.0.6/2406 duration 0:01:00

%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1399 to outside:172.16.0.6/2446

%ASA-6-302013: Built outbound TCP connection 3541 for outside:62.162.68.37/9588 (62.162.68.37/9588) to inside:192.168.1.2/1399 (172.16.0.6/2446)

%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)

%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1353 to outside:172.16.0.6/2407 duration 0:01:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1355 to outside:172.16.0.6/2408 duration 0:01:00

%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1400 to outside:172.16.0.6/2447
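A small parser for syslog lines in the format of the post above (an added example, not code from the thread): it picks out the %ASA-3-106014 ICMP denies and counts them by source, destination and ICMP type/code name, which is what to look for in the "sh logg | inc icmp" output suggested earlier. The sample log is constructed from the message IDs and addresses in the post; the ICMP names follow RFC 792.

```python
import re
from collections import Counter

# Constructed sample (same message IDs and addresses as the post above).
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.2/1398 to outside:172.16.0.6/2445
%ASA-6-302013: Built outbound TCP connection 3540 for outside:85.85.39.37/443 (85.85.39.37/443) to inside:192.168.1.2/1398 (172.16.0.6/2445)
%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.2/1352 to outside:172.16.0.6/2406 duration 0:01:00
%ASA-3-106014: Deny inbound icmp src outside:172.16.0.5 dst inside:172.16.0.6 (type 3, code 1)
"""

# %ASA-<severity>-<message id>: <text>
HEADER = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
# Body of message 106014 (inbound ICMP denied by the firewall).
ICMP_DENY = re.compile(
    r"Deny inbound icmp src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# RFC 792 names for the ICMP types/codes a firewall log commonly shows.
ICMP_NAMES = {
    (0, 0): "echo-reply",
    (3, 0): "net-unreachable",
    (3, 1): "host-unreachable",
    (3, 3): "port-unreachable",
    (8, 0): "echo-request",
    (11, 0): "time-exceeded",
}

def parse_line(line):
    """Return a dict for one syslog line, or None if it is not an ASA message."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "id": m.group("id"), "text": m.group("text")}
    if rec["id"] == "106014":
        d = ICMP_DENY.search(rec["text"])
        if d:
            t, c = int(d.group("type")), int(d.group("code"))
            rec.update(d.groupdict())
            rec["icmp"] = ICMP_NAMES.get((t, c), f"type{t}/code{c}")
    return rec

def summarize_icmp_denies(log_text):
    """Count 106014 denies by (src, dst, icmp name): these are the events
    that show a ping, or the error reply to it, being dropped at the ASA."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["id"] == "106014" and "icmp" in rec:
            counts[(rec["src"], rec["dst"], rec["icmp"])] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, kind), n in summarize_icmp_denies(SAMPLE_LOG).items():
        print(f"{n}x ICMP {kind} from {src} to {dst} denied inbound")
```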
