unable to ping from ASA 5505

Rizwan
Level 1

I have an ASA 5505 configured with version 8.2 but am unable to ping from the ASA to 8.8.8.8 or any public IP. I have the following topology.

The following is the logical diagram:

                                  192.168.100.1/24            192.168.100.2/24                  192.168.3.1
  Internet (ISP) ------------------->------ Router ----------------->(e0/0) ASA 5505 (8.2) eth0/4 --------------- Host (192.168.3.22)

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
!
ftp mode passive
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any source-quench
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any
access-list inbound extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_out extended permit icmp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
access-group inbound in interface outside
access-group inside_access_out out interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9dcfcccad94b39cf10398c1f67248489
: end

10 Replies

Hi Rizwan,

Did you down-grade the ASA from 8.2?  As per your other discussion you said you were able to ping the internet from the ASA, but now you are unable?  Have you cleared the arp cache on the router?

Could you please post the full running configuration of the router as well.

--
Please remember to rate and select a correct answer

Hi,

Yep, I have downgraded the ASA to version 8.2; now everything is working fine after a reload.

I am configuring an IPsec tunnel on it. Please let me know if I need reverse-route injection and NAT traversal in it?

I want to pass all my traffic through the tunnel. How is that possible?

Since you have a router in front of the ASA, and I presume it is performing NAT as well, then yes you need to enable NAT-T for the IPsec tunnel.

> I want to pass all my traffic from tunnel. How is it possible ?

I am assuming this is a site to site tunnel, and I also assume you mean you want to send all traffic through the IPsec tunnel?  This is possible by setting the destination address in the crypto ACL as "any".

access-list crypto_ACL extended permit ip 192.168.3.0 255.255.255.0 any

crypto map VPN_MAP 1 match address crypto_ACL

nat (inside) 0 access-list crypto_ACL

--
Please remember to rate and select a correct answer

Using the above-mentioned configuration, all inside traffic will pass through the tunnel without NAT on the outside interface.

Will my internet work from the other side of the tunnel? Please also check the route outside command. Please also review my configuration mentioned below.

Show running config:

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(4)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any source-quench
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list l2l-tunnel extended permit ip 192.168.3.0 255.255.255.0 any
access-list noNat extended permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list noNat
nat (inside) 1 192.168.3.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route outside 0.0.0.0 0.0.0.0 109.104.00.00 1  (Peer Address)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set WFSET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WFmap 20 match address l2l-tunnel
crypto map WFmap 20 set peer 109.104.85.115
crypto map WFmap 20 set transform-set WFSET
crypto map WFmap 20 set reverse-route
crypto map WFmap interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 110
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 109.104.*.*5 type ipsec-l2l
tunnel-group 109.104.*.*5 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:74e0a1d562024734dfa18faac3e394a6
: end

To get internet access you would need to configure hairpinning on the remote end.

As for the routing, you do not need any additional routes configured other than your default route. Besides, only one default route can be active on the ASA at any given time.

--
Please remember to rate and select a correct answer

Can you please send me the hairpinning configuration or any link that contains information about it?

The commands you would need to add are as follows:

same-security-traffic permit intra-interface

nat (outside) 1

You already have the global command in there so you don't need to add that.

--
Please remember to rate and select a correct answer
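As an added example (not from this thread and not Cisco's own tooling), a small Python lint over a config excerpt constructed from the poster's second running configuration: it flags the second default route mentioned in the routing reply, checks that the nat 0 exemption ACL covers every entry of the crypto ACL so tunnelled traffic is not PATed, and reports when the two hairpinning lines named above are absent.

```python
import re

# Constructed excerpt of the poster's second configuration (hairpinning lines absent).
SAMPLE_CONFIG = """\
access-list l2l-tunnel extended permit ip 192.168.3.0 255.255.255.0 any
access-list noNat extended permit ip 192.168.3.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 0 access-list noNat
nat (inside) 1 192.168.3.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route outside 0.0.0.0 0.0.0.0 109.104.00.00 1
crypto map WFmap 20 match address l2l-tunnel
"""


def acl_entries(lines, name):
    """Return the rule text of every line belonging to access-list `name`."""
    prefix = "access-list %s extended " % name
    return [l[len(prefix):] for l in lines if l.startswith(prefix)]


def lint_asa_config(text):
    """Return findings about default routes, NAT exemption and hairpinning."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    # Only one default route can be active, so a second one is dead config.
    defaults = [l for l in lines if re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 ", l)]
    if len(defaults) > 1:
        findings.append("multiple default routes: " + "; ".join(defaults))
    # Every crypto ACL entry must also be in a nat 0 ACL, or tunnel traffic gets PATed.
    exempt = set()
    for acl in re.findall(r"nat \(inside\) 0 access-list (\S+)", text):
        exempt.update(acl_entries(lines, acl))
    for acl in re.findall(r"crypto map \S+ \d+ match address (\S+)", text):
        for entry in acl_entries(lines, acl):
            if entry not in exempt:
                findings.append("crypto ACL %s entry not NAT-exempt: %s" % (acl, entry))
    # Hairpinning (in via the tunnel, out to the internet on the same interface)
    # needs intra-interface traffic permitted and a NAT statement on outside.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("hairpinning: 'same-security-traffic permit intra-interface' missing")
    if not any(l.startswith("nat (outside) ") for l in lines):
        findings.append("hairpinning: no 'nat (outside)' statement for re-entering traffic")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print("-", finding)
```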

Are these configurations for my side firewall?

Is there any configuration required at the remote end?

This would be on your ASA, the ASA where internet will be accessed.

--
Please remember to select a correct answer and rate helpful posts