Ping is not working from ASA to LAN but LAN to ASA its working

madhusudhan s
Level 1

Hi,

Need help on the below Issue:

I am not able to ping the LAN or the directly connected switch from the ASA (with IPS inline), but from the switch or LAN I am able to ping the ASA inside IP.

Connectivity:

LAN -- L3 Switch (Gateway) -- ASA (with IPS in inline mode)

Switch-facing firewall IP: X.X.240.1

ASA-facing switch IP: X.X.240.5

Gateway for LAN devices: X.X.6.1 (SVI on switch)

I have pasted the ASA configuration below; I just removed a few lines/data as per our company policy:

=====================================Configuration=====================

sh run
: Saved
:
ASA Version 7.0(8)
!
hostname XYZ
domain-name default.domain.invalid
names
dns-guard
!


interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.240.240.1 255.255.255.0 standby 10.240.240.2
!
interface GigabitEthernet0/2
description STATE Failover Interface
!

!
interface Management0/0
description LAN Failover Interface
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list IPS extended permit ip any any
access-list acl_dmz extended permit ip any any
access-list acl_in extended permit ip any any
access-list acl_out extended permit tcp any host <X.X.X.X> eq smtp
access-list acl_out extended permit tcp any host <X.X.X.X>  eq www
access-list acl_out extended permit tcp any host <X.X.X.X>  eq domain
access-list acl_out extended permit udp any host <X.X.X.X>  eq domain
access-list acl_out extended permit tcp any host <X.X.X.X>  eq pop3
access-list acl_out extended deny ip any any
access-list C2S extended permit ip 10.240.0.0 255.255.0.0 10.96.57.0 255.255.255.0
pager lines 10
logging enable
logging monitor informational
logging buffered warnings
logging history informational
logging asdm informational
logging host inside <X.X.X.X>
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool testpool 10.96.XX.10-10.96.XX.250 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Management0/0
failover polltime unit 1 holdtime 3
failover replication http
failover link state GigabitEthernet0/2
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
failover interface ip state 192.168.1.1 255.255.255.0 standby 192.168.1.2
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 10 <X.X.X.X> -<X.X.X.X>
global (outside) 10 <X.X.X.X>
global (dmz) 10 <X.X.X.X>

nat (inside) 0 access-list C2S
nat (inside) 10 10.0.0.0 255.0.0.0
static (dmz,outside) <X.X.X.X>  <X.X.X.X>  netmask 255.255.255.255 dns
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 <X.X.X.X>  1
route inside <Inside subnets> xx.xx.240.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key *
telnet <X.X.X.X>  255.255.255.0 inside

telnet <X.X.X.X>  255.255.255.0 inside
telnet timeout 20
ssh <X.X.X.X>  255.255.255.0 inside
ssh timeout 20
console timeout 0
!
class-map IPS
match access-list IPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 
class IPS
ips inline fail-open
!
service-policy global_policy global

===========================================

Regards

madhu


12 Replies

Ganesh Hariharan
VIP Alumni

Hi Madhu,

Configure icmp permit any inside and check whether you are able to ping.

Regards

Ganesh.H

Also enable ICMP inspection in your global-policy

Hi,

As per the configuration, I have two inbound access-lists, one applied on inside and the other on outside, but there is no access-list applied outbound on the inside interface. It means there is no rule which blocks pinging inside LAN IPs from the inside interface. Please correct me if I am wrong. Also, please let me know the default behavior if no rules are applied.

Regards

madhu

Madhu,

The traffic coming from the LAN source is matched by the ACL, as it is permitted as ip any any, but your query states the traffic source is the ASA firewall inside interface, so for that you need icmp permit any and the specific interface.

Hope that clears your query!!

Regards

Ganesh.H

You can classify ICMP traffic into two classes:

1. ICMP traffic originating from the ASA and ICMP traffic destined to ASA interfaces.

2. ICMP traffic passing through the ASA, destined to other endpoints.

In the first class, traffic is controlled by the icmp permit source icmp-type interface command.

By default all ICMP traffic is allowed to ASA interfaces, until you configure a rule using the above command per interface.

For the second class you need to create an ACE to exclusively permit ICMP traffic; it is recommended to enable ICMP inspection for this one.

In your case the traffic falls into the first class and you need to use the icmp permit command.

Regards

Dileep

And also use the debug icmp trace and packet-tracer commands to check your issue.

Interesting... Is this the case with both the active and the standby unit?

-KS

Madhu,

I believe that network traffic sent to and from the ASA is not sent to the IPS module for inspection. An example of traffic not sent to the IPS module includes pinging (ICMP) the ASA interfaces or Telnetting to the ASA.

I noticed that your AIP is in inline mode with your ASA. Might be worth configuring it in promiscuous mode until you rectify your problem!!

see http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml#configs

Can you try ping by selecting the inside interface: "ping inside [Inside IP address]". Ping something directly connected to the ASA. Maybe you are pinging something the ASA doesn't have a route to!!

Dileep,

Not sure why you are suggesting to enable icmp inspect in this case!! ICMP inspect only allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, hosts on all inside interfaces can ping hosts on the outside and the firewall allows the replies to return. This also gives the advantage of monitoring the ICMP traffic that traverses the firewall. It does not affect ICMP initiated from the ASA itself.

Also you mentioned "icmp permit source icmp-type interface"; it is not a valid command, I have tried it on my ASAs!! Is this command valid on a specific version? I have v8 and also v7 on production firewalls!!

Francisco

Hi Francisco,

Yes, you're correct regarding icmp inspect, but icmp inspect allows the ASA to monitor ICMP traffic as well as protect from unsolicited reply messages without any requests. As ICMP is a connectionless protocol, without ICMP inspect it is difficult to securely pass ICMP traffic and your appliance may be vulnerable to ICMP attacks.

Regarding the icmp permit source icmp-type interface command, it is not the exact syntax; I just mentioned the plain English meaning of this command.

For example, if you need to enable ICMP echo and echo-reply on the outside interface from any source, use the following commands.

icmp permit 0.0.0.0 0.0.0.0 echo outside

icmp permit 0.0.0.0 0.0.0.0 echo-reply outside

I have tried on version 8.2 and if you follow the CLI help it does not show the ICMP type feature.

Dileep
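An added audit helper, not from any poster in this thread, that reads an ASA running-config in the form pasted above and reports the two things discussed here: per interface, the to-the-box ICMP policy Dileep describes (permitted by default until an icmp permit/deny rule names that interface, after which unmatched ICMP is dropped), and whether an "ips inline" class covers all transit traffic via a "permit ip any any" access-list. The config excerpt is constructed for the example, not the poster's full config.

```python
import re

# Constructed excerpt in the shape of the ASA config quoted in the thread, with
# two "icmp permit ... outside" rules added to show the per-interface effect.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif inside
interface GigabitEthernet0/0
 nameif outside
access-list IPS extended permit ip any any
icmp permit 0.0.0.0 0.0.0.0 echo outside
icmp permit 0.0.0.0 0.0.0.0 echo-reply outside
class-map IPS
 match access-list IPS
policy-map global_policy
 class IPS
  ips inline fail-open
service-policy global_policy global
"""

def interface_names(config):
    """Every nameif in the config; these are the names 'icmp permit' refers to."""
    return re.findall(r"^\s*nameif\s+(\S+)", config, re.M)

def icmp_to_interface_policy(config):
    """ICMP aimed at the ASA's own interfaces (class 1 in Dileep's post): allowed
    by default, but once any 'icmp permit|deny ... <nameif>' rule names an
    interface, ICMP not matched by those rules is dropped (implicit deny)."""
    rules = re.findall(r"^\s*icmp\s+(permit|deny)\s+(.*?)\s+(\S+)\s*$", config, re.M)
    policy = {}
    for nameif in interface_names(config):
        own = [(action, spec) for action, spec, intf in rules if intf == nameif]
        policy[nameif] = {"rules": own, "default": "deny" if own else "permit"}
    return policy

def ips_inline_covers_all_transit(config):
    """True when a class placed under 'ips inline' matches an access-list whose
    entry is 'permit ip any any': every through-the-box flow (class 2, ICMP
    included) is diverted to the IPS module, while traffic to and from the ASA
    itself is not, which is the asymmetry Francisco's answer points at."""
    acl_of_class = dict(re.findall(r"^class-map (\S+)\n\s*match access-list (\S+)",
                                   config, re.M))
    for cls in re.findall(r"^\s*class (\S+)\n\s*ips inline", config, re.M):
        acl = acl_of_class.get(cls)
        if acl and re.search(rf"^access-list {re.escape(acl)} extended permit ip any any\s*$",
                             config, re.M):
            return True
    return False
```

Run it against a saved "show run" to see which interfaces have an explicit to-the-box ICMP policy and whether transit ICMP is being handed to the IPS module.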

Yes, this behaviour is the same on both the active and standby unit. I have tested on ASA version 8.2.1.

svaish
Level 1

Hi,

I would suggest you collect logs at debugging level from the ASA and a debug ICMP trace as well, and share the output.

Please mention the source and destination IP addresses clearly.

You can also take captures on the ASA to check, when you try to ping the LAN host from the ASA, whether an ICMP request is going out of the inside interface; if yes, then you should run Wireshark on the host to see if the host is receiving that request packet.

This would be a good way to troubleshoot the issue.

Use these commands:

access-list abc permit icmp host 10.240.240.1 host ip_of_lan_host

access-list abc permit icmp host ip_of_lan_host host 10.240.240.1

capture capin access-list abc packet-length 1518 buffer 200000 interface inside

After you initiate the ping, check the capture using the command

show capture capin

I do not see ASDM access enabled in the configuration, so please enable ASDM access and download the capture in pcap format using the URL

https://interface_ip_address/capture/capin/pcap

and save the file as inside.pcap and share the output.

Hi all,

I really thank and appreciate you for your help. From my knowledge I had put in enough commands for ICMP to work for the inside network. I was suspecting a problem with the IPS but was not sure. The customer was asking for mail confirmation before removing/disabling the IPS; that's the reason I posted my query in NetPro.

Finally I requested to disable the IPS and it worked.

Regards

Madhu
