can't ping interface

a.e.wiggin
Level 1

I have an ASA5510 w/ v7.0(7). I'm trying to see why none of my machines can get on the network so I'm working the troubleshooting section and trying to ping the interface.

I entered:

hostname(config)# debug icmp trace

debug icmp trace enabled at level 1

I didn't do "logging monitor debug" because I'm accessing the 5510 through a serial port. And I couldn't do "logging buffer debug" like in the ASA70 troubleshooting docs, but I think the equivalent is "logging buffered debugging", which it accepted.

hostname(config)# logging on

Then I try to ping the interface (192.168.3.1) from a host on that interface and I get the error ...

192.16.3.22 icmp_seq_1 Destination Host Unreachable

...

Can anyone help, ideas, advice?


JORGE RODRIGUEZ
Level 10

Did anything change on the firewall's inside interface connection in relation to the VLAN it connects into, if any? Where does the inside interface connect? Check the respective switchport and VLAN membership where the inside interface connects, etc. Did the firewall's inside interface all of a sudden stop responding to pings?

Can you ping the interface 192.168.3.1 from the firewall itself when on the console? What is the interface status: is it up/up, down, etc.?

Rgds

Jorge

Jorge Rodriguez

I was previously using a PIX 501 and replaced it w/ the 5510, so this firewall never responded to pings (or worked). Completely new config.

outside ----> ASA5510 (inside 192.168.3.1) ---> netgear switch (home version) ---> host machine (192.168.3.22)

So nothing changed other than a new firewall. This home version of the Netgear switch doesn't have a VLAN config (which is beyond my know-how at the moment anyway).

And yes, I can ping all interfaces from the CLI console of the firewall with success, but can't ping the host. All interfaces (except for management) are up.

Still trying ... I can't talk from any host connected to any ASA5510 interface, so I thought I'd post the NAT policy on one of the interfaces and my config.

If something here doesn't look right, please let me know, specifically the 'No matching global'.

hostname(config)# show nat
... (other interfaces)
NAT policies on Interface development:
  match ip development DEV_NET 255.255.255.0 cluster any
    static translation to DEV_NET
    translate_hits = 0, untranslate_hits = 0
  match ip development DEV_NET 255.255.255.0 dmz any
    static translation to DEV_NET
    translate_hits = 0, untranslate_hits = 0
  match ip development DEV_NET 255.255.255.0 dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip development DEV_NET 255.255.255.0 cluster any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip development DEV_NET 255.255.255.0 outside any
    dynamic translation to pool 1 (199.199.xxx.14 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip development DEV_NET 255.255.255.0 development any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip development any dmz any
    no translation group, implicit deny
    policy_hits = 0
  match ip development any cluster any
    no translation group, implicit deny
    policy_hits = 0
  match ip development any outside any
    no translation group, implicit deny
    policy_hits = 0

And I've included my latest config as an attachment.

I take back what I noted. Can you please repost the config: do a show run, copy and post.

Jorge Rodriguez

I'm configuring the 5510 through the serial console and trying to do the ping from within the 192.168.3.0 network, not from the management interface. Here it is ...

5510(config)# show run
: Saved
:
ASA Version 7.0(7)
!
hostname 5510
enable password <>
...
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 199.199.xxx.14 255.255.255.0
!
interface Ethernet0/1
 nameif dmz
 security-level 20
 ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/2
 nameif cluster
 security-level 60
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 nameif development
 security-level 80
 ip address 192.168.3.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
object-group protocol TCP_UDP_ICMP
 protocol-object tcp
 protocol-object udp
 protocol-object icmp
object-group network CLUSTER_GRP
 network-object host 192.168.2.10
object-group network DEVELOPMENT_GRP
 network-object host 192.168.3.10
object-group network DMZ_GRP
 network-object host 192.168.4.10
object-group network INSIDE_GRP
 group-object DMZ_GRP
 group-object CLUSTER_GRP
 group-object DEVELOPMENT_GRP
access-list INSIDE_ACCESS_OUTSIDE extended permit tcp any any eq ssh
access-list OUTSIDE_ACCESS_INSIDE extended permit tcp any any eq ssh
access-list ICMPACL extended permit icmp any any
access-list WEB extended permit tcp OUTSIDE_NET 255.255.255.0 host 192.168.4.10 eq www
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu management 1500
mtu dmz 1500
mtu cluster 1500
mtu outside 1500
mtu development 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (dmz) 1 DMZ_NET 255.255.255.0
nat (cluster) 1 CLUSTER_NET 255.255.255.0
nat (development) 1 DEV_NET 255.255.255.0
static (management,development) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (management,cluster) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (management,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (development,cluster) DEV_NET DEV_NET netmask 255.255.255.0
static (development,dmz) DEV_NET DEV_NET netmask 255.255.255.0
static (cluster,development) CLUSTER_NET CLUSTER_NET netmask 255.255.255.0
access-group INSIDE_ACCESS_OUTSIDE in interface dmz
access-group INSIDE_ACCESS_OUTSIDE in interface cluster
access-group OUTSIDE_ACCESS_INSIDE out interface outside
access-group INSIDE_ACCESS_OUTSIDE in interface development
route outside 0.0.0.0 0.0.0.0 199.199.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:<>
: end
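As an added example (not from this thread and not Cisco tooling), a small Python checker that cross-references the nat/global/static lines of the running config above: for each nat statement and every interface, it reports whether a global with the same id exists on that interface, whether a static for that interface pair exists instead, or neither, which is the condition the "No matching global" lines in the show nat output are reporting. The config excerpt embedded below is constructed from the posted config; the checker only compares config lines and does not model security levels or the management-only interface.

```python
import re

# Constructed excerpt of the running config posted above (nameif plus the
# nat/global/static lines). DEV_NET etc. are names from elided `name` commands.
CONFIG = """\
 nameif outside
 nameif dmz
 nameif cluster
 nameif development
 nameif management
global (outside) 1 interface
nat (dmz) 1 DMZ_NET 255.255.255.0
nat (cluster) 1 CLUSTER_NET 255.255.255.0
nat (development) 1 DEV_NET 255.255.255.0
static (development,cluster) DEV_NET DEV_NET netmask 255.255.255.0
static (development,dmz) DEV_NET DEV_NET netmask 255.255.255.0
static (cluster,development) CLUSTER_NET CLUSTER_NET netmask 255.255.255.0
"""

NAMEIF = re.compile(r"^\s*nameif\s+(\S+)")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)")          # (iface, id)
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)")         # (iface, id, real)
STATIC = re.compile(r"^static\s+\(([^,)]+),([^)]+)\)")       # (real_if, mapped_if)


def nat_coverage(config):
    """Map (src_if, nat_id, real_net) -> {dst_if: 'global' | 'static' |
    'no matching global'}; under nat-control a static for the pair also counts."""
    ifaces, globals_, nats, statics = [], set(), [], set()
    for line in config.splitlines():
        if m := NAMEIF.match(line):
            ifaces.append(m.group(1))
        elif m := GLOBAL.match(line):
            globals_.add(m.groups())
        elif m := NAT.match(line):
            nats.append(m.groups())
        elif m := STATIC.match(line):
            statics.add(m.groups())
    report = {}
    for src, nat_id, real in nats:
        rows = {}
        for dst in ifaces:  # show nat lists every interface, the source included
            if (dst, nat_id) in globals_:
                rows[dst] = "global"
            elif (src, dst) in statics:
                rows[dst] = "static"
            else:
                rows[dst] = "no matching global"
        report[(src, nat_id, real)] = rows
    return report
```

For the development interface this yields a global only towards outside (the interface PAT), statics towards dmz and cluster, and no translation at all towards development itself or management, matching the show nat listing posted earlier.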

I haven't been able to progress any further beyond this point (pinging the interfaces), but I did receive the following from someone about SSH (which is what I'm trying to do). Is this correct?

---

"The ASA/PIX intercepts the SSH request. The only way I have gotten SSH to work through the pix is to do a port translation.

Static (inside,outside) tcp [external IP] 2222 [internal IP] 22 netmask 255.255.255.255

then allow 2222 to the external IP with the ACL."
