09-23-2013 06:34 PM - edited 03-11-2019 07:42 PM
Hi,
I am using an ASA 5525 running version 8.6, and I am trying to ping through different interfaces; however, I am not able to. My test results are:
- can PING between the outside interface and the next hop (same subnet)
- cannot PING between the inside interface and the next hop (same subnet)
- cannot PING between the DMZ interface and the next hop (same subnet)
Please see below configuration for firewall for reference.
--------------------------------------------------------------------------------
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 16.x.x.x 255.255.255.248
interface GigabitEthernet0/1
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/1.16
vlan 16
nameif inside
security-level 100
ip address 17.x.x.x 255.255.255.0
interface GigabitEthernet0/3
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/3.69
vlan 69
nameif dmz
security-level 50
ip address 18.x.x.x 255.255.255.0
access-list o_inside extended permit icmp any any
access-list o_inside extended permit icmp any any echo
access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
access-list o_dmz extended permit icmp any any
access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo-reply
icmp permit any outside
icmp permit any dmz
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
route inside 17.x.0.0 (Whole inside interface subnet) 255.255.0.0 17.x.x.x (Internal Network) 1
route dmz 17.x.x.0 (Internal) 255.255.255.0 18.x.x.x (DMZ Network) 1
route outside 18.x.x.0 (DMZ) 255.255.255.0 16.x.x.x (Outside Network) 1
If possible, could anyone please tell me what is wrong with the configuration and what I need to add to achieve the desired result above?
Thank You,
Kind Regards
Rohit Mangotra.
09-24-2013 12:34 AM
Hi,
To my understanding, the ASA should by default, without any configuration, accept ICMP on its interfaces.
Check the output of "show arp" and see if you can see the IP address (and the MAC address) of the host/router you are trying to ping.
- Jouni
09-24-2013 01:29 AM
Hi Jouni,
I cannot see any entry in the ARP table on the firewall. From the ASA I can only ping the outside interface, and only that entry is there in the firewall. Any ideas what I am doing wrong?
Thank You,
Kind Regards
Rohit Mangotra.
09-24-2013 06:03 AM
Hi,
If you are saying that after you ping the internal gateway/next-hop IP address there is no ARP entry for it with the "show arp" command on the ASA, then it would seem you have a problem with the connection between the ASA and the next-hop device/router.
Even if nothing else worked, you should see the next-hop IP address/MAC address in the ARP table of the ASA.
- Jouni
10-01-2013 01:51 AM
Hi Jouni,
Thanks a lot for all your help! I am a bit confused about the static NATing for ASA 8.6. I would really appreciate it if you could please see how I can convert it for the new ASA 5525-X, version 8.6.
static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255
static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
Thank You,
Kind Regards
Rohit Mangotra.
10-01-2013 02:03 AM
Hi,
Were you able to solve the original problems that you posted about? It seemed there were some problems with the ASA's connectivity to the rest of the network.
The 4 "static" configurations you have above are pretty basic, but 2 of them are Static Identity NAT configurations that you probably won't need in the new software.
The below 2 configurations probably won't need any corresponding configuration in the new ASA/software, since the traffic should go through without NAT configurations.
static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
The below Static NAT configurations you can easily convert using Auto NAT / Network Object NAT. Use "object" names that describe the setup better; I will use generic "object" names.
static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255
static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255
object network STATIC-1
host 192.168.1.56
nat (dmz,outside) static 200.190.70.87
object network STATIC-2
host 192.168.1.85
nat (dmz,outside) static 200.190.70.85
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
10-01-2013 08:40 PM
Hi Jouni,
Thanks a lot for all your help. Yes, the previous connection issue was resolved. Currently, we have an issue accessing the DMZ server via web (HTTP port 80) from the inside network; however, I am able to ping the DMZ server successfully.
If possible, could you please have a look at my firewall code (NAT), which I changed according to your recommendation? Once again I am really thankful for all your help.
10-01-2013 08:45 PM
Hi Jouni,
One more question if its ok
How can we test that the outside network can access the DMZ server, in order to test that NAT actually works?
Thank you,
Kind Regards
Rohit Mangotra.
10-02-2013 02:23 AM
Hi,
On a quick glance it would seem to me that the converted configurations would be correct.
It's harder to say without really looking into the original configurations, compared to, for example, situations where I know the environment beforehand.
I guess your best bet to find possible problems with the ASA configurations is to use the "packet-tracer" command.
This would tell you if some traffic is getting blocked by an ACL or if the traffic is failing because of NAT.
For a connection coming from behind "outside" you can use this format of the command
packet-tracer input outside tcp
To test anything else you naturally just switch the "input
Taking the output of the following commands should help you troubleshoot possible problems
You could take "packet-tracer" command output of both of the above mentioned cases. For example testing connectivity from "outside" to the "dmz" server. And the previous problem with testing connection from "inside" to "dmz" server.
- Jouni
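As an added example (not Cisco's code and not anything from this thread's participants), the full shape of the command the reply above truncates is `packet-tracer input <ifc> <proto> <src-ip> <src-port> <dst-ip> <dst-port> [detailed]`. The Python below builds that command and parses the output the ASA prints back, naming the phase (ACCESS-LIST, NAT, ROUTE-LOOKUP and so on) that dropped the packet, which is exactly the "ACL or NAT?" question the reply raises. Both sample traces are constructed and abbreviated; the interface names, addresses, object name and rule text in them are assumptions, not output captured from anyone's firewall, and only the key names match the layout of real packet-tracer output.

```python
"""Find which packet-tracer phase dropped a packet on a Cisco ASA.
Added example for this thread, not Cisco code. The sample traces are
constructed and abbreviated (names, addresses and rule text are made up);
only the key names match the shape of real packet-tracer output."""
from dataclasses import dataclass, field
from typing import List, Optional


def packet_tracer_command(ifc, proto, src, sport, dst, dport, detailed=False):
    """Build: packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport> [detailed]."""
    cmd = f"packet-tracer input {ifc} {proto} {src} {sport} {dst} {dport}"
    return cmd + " detailed" if detailed else cmd


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""                                  # ALLOW or DROP
    config: List[str] = field(default_factory=list)   # lines under "Config:"


@dataclass
class Trace:
    phases: List[Phase]
    action: str = ""                                  # allow / drop (final summary)
    drop_reason: str = ""

    @property
    def failing_phase(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result == "DROP"), None)


def parse_packet_tracer(text: str) -> Trace:
    """Walk the "Phase: N" blocks, then the bare "Result:" summary at the end."""
    trace, current, in_config = Trace(phases=[]), None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase":
            current, in_config = Phase(number=int(value)), False
            trace.phases.append(current)
        elif key == "Result" and value == "":         # bare "Result:" opens the summary
            current, in_config = None, False
        elif current is not None:
            if key in ("Type", "Subtype", "Result"):
                setattr(current, key.lower(), value)
            elif key in ("Config", "Additional Information"):
                in_config = key == "Config"
            elif in_config:                           # verbatim rule/object lines
                current.config.append(line)
        elif key == "Action":
            trace.action = value.lower()
        elif key == "Drop-reason":
            trace.drop_reason = value
    return trace


def explain(trace: Trace) -> str:
    """One-line verdict: which phase (ACL, NAT, route, ...) dropped the packet."""
    p = trace.failing_phase
    if p is None:
        return f"{trace.action or 'unknown'}: {trace.drop_reason or 'no phase reported DROP'}"
    return f"dropped at phase {p.number} {p.type}: {trace.drop_reason} [{'; '.join(p.config) or 'no config shown'}]"


# Constructed, abbreviated traces; not captured from a real device.
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.85 using egress ifc dmz

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
output-interface: dmz
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

SAMPLE_ALLOW = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network STATIC-2
 host 192.168.1.85
 nat (dmz,outside) static 200.190.70.85
Additional Information:
Untranslate 200.190.70.85/80 to 192.168.1.85/80

Result:
Action: allow
"""

if __name__ == "__main__":
    print(packet_tracer_command("inside", "tcp", "172.16.5.131", 12345, "192.168.1.85", 80))
    for sample in (SAMPLE_DROP, SAMPLE_ALLOW):
        print(explain(parse_packet_tracer(sample)))
```

Paste the text of a real `packet-tracer` run into `parse_packet_tracer` and read `failing_phase`: a `Type: ACCESS-LIST` drop points at the access-group and ACE it prints under `Config:`, while a `Type: NAT` or `UN-NAT` phase (or a `Drop-reason` naming NAT) points at the object or twice-NAT rule. Note that on 8.3 and later the `UN-NAT` phase runs before the ACL check, so interface ACLs must reference the real (untranslated) address.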
10-02-2013 06:51 PM
Hi Jouni,
If possible, could you please confirm that the following configuration does not need to be added to the new ASA 8.6? Sorry for asking too much.
static (inside,dmz) 172.16.5.131 172.16.5.131 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (dmz,inside) 192.168.1.73 192.168.1.73 netmask 255.255.255.255
static (dmz,inside) 192.168.1.84 192.168.1.84 netmask 255.255.255.255
static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (dmz,inside) 192.168.1.86 192.168.1.86 netmask 255.255.255.255
static (dmz,inside) 192.168.1.89 192.168.1.89 netmask 255.255.255.255
static (dmz,inside) 192.168.1.91 192.168.1.91 netmask 255.255.255.255
static (dmz,vpn_private) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,vpn_public) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 192.168.1.140 192.168.1.140 netmask 255.255.255.255
static (inside,vpn_private) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (inside,vpn_public) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (vpn_private,inside) 172.31.0.0 172.31.0.0 netmask 255.255.255.0
static (vpn_public,inside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240
static (vpn_public,outside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240
--------------------------------------------------------------------------------------
nat (management) 0 0.0.0.0 0.0.0.0
Any suggestion for this one?
Thank You,
Kind Regards
Rohit.
10-03-2013 12:33 AM
Hi,
Well, your original NAT configuration is not quite how I would configure the NAT to begin with, so it might be that you would need some of the above configurations.
Mainly because you were doing Dynamic PAT from "inside" to "dmz"?
If this was true and you removed the above "static" commands that refer to "(inside,dmz)", then you wouldn't be able to connect from "dmz" to those "inside" IP addresses (of those static commands). This is the main reason why I never configure Dynamic PAT between local interfaces. It causes complexity for the NAT configurations when you have to add extra NAT configurations to override the possible problems caused by the Dynamic PAT.
For the "management" interface you probably won't need any new NAT configuration.
To be honest it's a bit hard to say exactly which configurations are needed and which are not, but I think the Dynamic PAT from "inside" to "dmz" means that you would need some of the Static Identity NAT configurations mentioned above also in the new software; otherwise the ASA would drop the connection attempts.
- Jouni
10-03-2013 02:07 AM
Hi Jouni,
Thanks for the reply. If we change the current static NAT (version 7.1) to the new NAT (version 8.6), will it work? Is there any potential problem in this new configuration? Could you please check the code for the VPN at the end.
--- static (dmz,inside) 192.168.1.73 192.168.1.73 netmask 255.255.255.255
object network obj-192.168.1.73-dmz-inside
host 192.168.1.73
nat (dmz,inside) static 192.168.1.73
--- static (dmz,inside) 192.168.1.84 192.168.1.84 netmask 255.255.255.255
object network obj-192.168.1.84-dmz-inside
host 192.168.1.84
nat (dmz,inside) static 192.168.1.84
--- static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
object network obj-192.168.1.85-dmz-inside
host 192.168.1.85
nat (dmz,inside) static 192.168.1.85
--- static (dmz,inside) 192.168.1.86 192.168.1.86 netmask 255.255.255.255
object network obj-192.168.1.86-dmz-inside
host 192.168.1.86
nat (dmz,inside) static 192.168.1.86
--- static (dmz,inside) 192.168.1.89 192.168.1.89 netmask 255.255.255.255
object network obj-192.168.1.89-dmz-inside
host 192.168.1.89
nat (dmz,inside) static 192.168.1.89
--- static (dmz,inside) 192.168.1.91 192.168.1.91 netmask 255.255.255.255
object network obj-192.168.1.91-dmz-inside
host 192.168.1.91
nat (dmz,inside) static 192.168.1.91
--- static (dmz,inside) 192.168.1.140 192.168.1.140 netmask 255.255.255.255
object network obj-192.168.1.140-dmz-inside
host 192.168.1.140
nat (dmz,inside) static 192.168.1.140
--- static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
object network obj-172.16.0.0-inside-dmz
subnet 172.16.0.0 255.255.0.0
nat (inside,dmz) static 172.16.0.0
--- static (inside,dmz) 172.16.5.131 172.16.5.131 netmask 255.255.255.255
object network obj-172.16.5.131-inside-dmz
host 172.16.5.131
nat (inside,dmz) static 172.16.5.131
--- static (dmz,vpn_private) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
object network obj-192.168.1.0-dmz-vpn-pri
subnet 192.168.1.0 255.255.255.0
nat (dmz,vpn_private) static 192.168.1.0
--- static (dmz,vpn_public) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
object network obj-192.168.1.0-dmz-vpn-pub
subnet 192.168.1.0 255.255.255.0
nat (dmz,vpn_public) static 192.168.1.0
--- static (vpn_private,inside) 172.31.0.0 172.31.0.0 netmask 255.255.255.0
object network obj-172.31.0.0-vpn-pri-inside
subnet 172.31.0.0 255.255.255.0
nat (vpn_private,inside) static 172.31.0.0
--- static (inside,vpn_private) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
object network obj-172.16.0.0-inside-vpn-pri
subnet 172.16.0.0 255.255.0.0
nat (inside,vpn_private) static 172.16.0.0
--- static (vpn_public,outside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240
object network obj-200.161.67.176-vpn-pub-outside
subnet 200.161.67.176 255.255.255.240
nat (vpn_public,outside) static 200.161.67.176
--- static (inside,vpn_public) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
object network obj-172.16.0.0-inside-vpn-pub
subnet 172.16.0.0 255.255.0.0
nat (inside,vpn_public) static 172.16.0.0
--- static (vpn_public,inside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240
object network obj-200.161.67.176-vpn-pub-inside
subnet 200.161.67.176 255.255.255.240
nat (vpn_public,inside) static 200.161.67.176
Notes: VPN private subnet = 172.31.0.0/24
VPN public subnet = 200.161.67.176/28
inside subnet = 172.16.0.0/16
dmz subnet = 192.168.1.0/24
Thanks a lot for all your help
Kind Regards
Rohit.
10-03-2013 03:51 AM
Hi,
I think you might be fine without any of those Static Identity NAT configurations if you wouldn't use this Dynamic PAT configuration between the "inside" and "dmz" interfaces:
nat (inside,dmz) after-auto source dynamic inside-pat-source dmz-pat-global
Is there a particular reason that you want all traffic from "inside" to the "dmz" to be visible with an IP address belonging to "dmz"?
In general, when I migrate 8.2 (or lower) firewall configurations to a newer platform and software, I only have to migrate the Dynamic PAT, Static NAT, NAT0 and possible Policy NAT configurations, while leaving all Static Identity NAT configurations off the new configuration.
As I have said before in this discussion, I think if you were to remove the Dynamic PAT from "inside" to "dmz" then you should be safe to remove all the Static Identity NAT configurations from the new configuration.
Even if you left the Dynamic PAT between "inside" and "dmz", I think you could still leave out the Static Identity NAT configurations regarding other interfaces (Static Identity NAT configurations that mention interfaces OTHER THAN the "inside" and "dmz" interfaces).
- Jouni
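The two replies on this migration, the one converting the old "static" lines to network-object NAT (10-01-2013, 02:03 AM) and this one on which Static Identity NAT entries survive, can be turned into a script. The Python below is an added example, not Cisco code and not anything the poster ran: it parses pre-8.3 `static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK` lines, emits the 8.3+ network-object form used in the thread, and drops identity entries (mapped equals real) except those whose interface pair is also covered by a dynamic PAT, which is the exception the reply above describes. The sample input is constructed from static lines posted earlier in the thread; the set of dynamic PAT interface pairs is an assumption you pass in.

```python
"""Convert pre-8.3 ASA 'static' NAT lines to 8.3+ network-object (Auto) NAT.

Added example for this thread; not Cisco code and not the poster's config.
Rule of thumb from the replies: an identity static (mapped == real) is not
needed on 8.3+ unless a dynamic PAT between the same two interfaces would
otherwise rewrite the traffic. The sample input is constructed from lines
posted in the thread; the dynamic PAT pairs are an assumption you pass in.
"""
import ipaddress
import re
from dataclasses import dataclass

STATIC_RE = re.compile(
    r"^\s*static\s+\(\s*(?P<real_ifc>[\w-]+)\s*,\s*(?P<mapped_ifc>[\w-]+)\s*\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?\s*$"
)


@dataclass(frozen=True)
class StaticNat:
    real_ifc: str
    mapped_ifc: str
    real: ipaddress.IPv4Network      # address as seen on real_ifc
    mapped: ipaddress.IPv4Network    # address as seen on mapped_ifc

    @property
    def identity(self) -> bool:
        return self.real == self.mapped


def parse_static(line: str) -> StaticNat:
    """Parse 'static (real,mapped) MAPPED REAL [netmask M]'; no netmask means /32."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a static NAT line: {line!r}")
    mask = m["mask"] or "255.255.255.255"
    # strict=True rejects an address with host bits set under its mask
    # (e.g. 172.16.5.131/16), which is almost always a transcription error
    # worth catching before it lands on the new firewall.
    real = ipaddress.IPv4Network((m["real"], mask), strict=True)
    mapped = ipaddress.IPv4Network((m["mapped"], mask), strict=True)
    return StaticNat(m["real_ifc"], m["mapped_ifc"], real, mapped)


def needs_identity_nat(s: StaticNat, dynamic_pat_pairs) -> bool:
    """Identity NAT only matters when a dynamic PAT covers the same pair (either way)."""
    pair = (s.real_ifc, s.mapped_ifc)
    return pair in dynamic_pat_pairs or pair[::-1] in dynamic_pat_pairs


def object_nat(s: StaticNat):
    """Emit the 8.3+ network-object form. One object can carry only one 'nat'
    statement, so every old static line becomes its own object, named by the
    real address and interface pair as the poster did."""
    name = f"obj-{s.real.network_address}-{s.real_ifc}-{s.mapped_ifc}"
    if s.real.prefixlen == 32:
        member = f" host {s.real.network_address}"
    else:
        member = f" subnet {s.real.network_address} {s.real.netmask}"
    return [
        f"object network {name}",
        member,
        f" nat ({s.real_ifc},{s.mapped_ifc}) static {s.mapped.network_address}",
    ]


def convert(lines, dynamic_pat_pairs=frozenset()):
    """Return (new_config_lines, dropped_static_lines)."""
    out, dropped = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        s = parse_static(line)
        if s.identity and not needs_identity_nat(s, dynamic_pat_pairs):
            dropped.append(line)
            continue
        out.extend(object_nat(s))
    return out, dropped


# Constructed from static lines posted earlier in the thread.
SAMPLE_STATICS = """
static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255
static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255
static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (dmz,vpn_private) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vpn_public,outside) 200.161.67.176 200.161.67.176 netmask 255.255.255.240
""".strip().splitlines()

if __name__ == "__main__":
    # Assumed: the new config keeps 'nat (inside,dmz) after-auto source dynamic ...'
    cfg, dropped = convert(SAMPLE_STATICS, dynamic_pat_pairs={("inside", "dmz")})
    print("\n".join(cfg))
    for line in dropped:
        print(f"! dropped (identity NAT, no dynamic PAT on this pair): {line}")
```

The reason the kept identity entries work as an exemption is NAT ordering: the poster's dynamic PAT is an `after-auto` rule (section 3), while network-object NAT is section 2 and is matched first, so an object with `nat (inside,dmz) static 172.16.0.0` exempts that subnet from the PAT. Remove the dynamic PAT and `convert(..., dynamic_pat_pairs=frozenset())` drops every identity line, which is the outcome the reply recommends.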
10-06-2013 11:16 PM
Thanks a lot Jouni. Really appreciate your help. The code is working fine now.
10-06-2013 11:45 PM
Hi,
Glad to hear it's working.
Did you end up using all the converted configurations, or did you leave out any of the old configurations?
- Jouni