Can not ping internal network from ASA

fgasimzade
Level 4

I cannot ping an internal computer from the ASA. The computer's IP address is 192.168.187.15; its gateway is 192.168.187.14, which is the ASA internal interface. I've got an IP phone connected to the same ASA with IP address 192.168.185.15 and internal ASA interface 192.168.185.14, and everything works fine. We are doing testing, so do not be surprised by the configuration.

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif ouside3
 security-level 0
 ip address 10.254.17.25 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
 nameif Lan
 security-level 100
 ip address 192.168.185.14 255.255.255.0
!
interface GigabitEthernet0/3
 nameif comp
 security-level 50
 ip address 192.168.187.14 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list nonat extended permit ip any any
access-list nat2 extended permit ip any any
access-list nonat2 extended permit ip any any
pager lines 24
logging asdm informational
mtu ouside3 1500
mtu outside 1500
mtu Lan 1500
mtu comp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Lan) 0 access-list nonat
nat (Lan) 1 access-list nat
nat (comp) 0 access-list nonat
nat (comp) 1 access-list nat
access-group allow_ping in interface outside
!
router eigrp 2008
 neighbor 10.254.17.10 interface outside
 network 10.254.17.8 255.255.255.248
 network 192.168.185.0 255.255.255.0
 network 192.168.187.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 20 set transform-set myset
crypto map mymap2 interface comp
crypto map mymap3 30 match address 110
crypto map mymap3 30 set peer 10.254.17.26
crypto map mymap3 30 set transform-set myset
crypto map mymap3 interface ouside3
crypto isakmp identity address
crypto isakmp enable ouside3
crypto isakmp enable outside
crypto isakmp enable comp
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threat
....

14 Replies

abinjola
Cisco Employee

What about the other way round: from the computer to the ASA interface, can you ping?

Check if any Security Software/Antivirus may be blocking it.

No pings from the computer to the ASA, and no firewalls are installed on the computer. I even replaced the computer with an IP phone; it didn't work either. However, when I plug the same computer into the interface to which the IP phone was connected, the computer can ping the ASA.

Can you turn on "debug icmp trace" on the ASA, and also set the following captures:

access-l abc permit icmp host 192.168.187.14 host 192.168.187.15
access-l abc permit icmp host 192.168.187.15 host 192.168.187.14
capture cpi access-l abc interface inside

Ping from the computer and see what you get in the debugs and in "show capture cpi".

Are the packets arriving on the interface?

This is what I get; it looks like the ASA does not reply. Why?

ciscoasa# sh capture cpi
5 packets captured
1: 05:20:14.494908 192.168.187.15 > 192.168.187.14: icmp: echo request
2: 05:20:19.526935 192.168.187.15 > 192.168.187.14: icmp: echo request
3: 05:20:25.026320 192.168.187.15 > 192.168.187.14: icmp: echo request
4: 05:20:30.525699 192.168.187.15 > 192.168.187.14: icmp: echo request
5: 05:20:36.025084 192.168.187.15 > 192.168.187.14: icmp: echo request

If you do a 'show arp' on the ASA do you see the mac-address of the pc?

Also on the pc do you see the mac-address of the ASA? 'arp -a'

Regards

Farrukh

Yes, the ASA knows the PC's MAC address, and the PC shows the ASA's MAC in its ARP table.

Then I'm sure you have a firewall on your machine, is it Windows?

Also, can you post the output of 'show run all icmp' from the ASA?

Regards

Farrukh

I replaced this ASA with a different one, copied the configs, and I can ping the same computer from that different ASA. So it is not a firewall issue.

The issue is solved: there was a crypto map applied to that interface.

I'm glad that your issue is solved now. It's never a good idea to use 'permit ip any any' in crypto ACLs; it's also not recommended by Cisco (ACL 110).

Regards

Farrukh

Why? What if I have more than 20 subnets to encrypt: is it better to define all of them in the access list, or just define any any?

This is because 'routing/control' plane traffic falls under 'permit ip any any'. Your problem was the ideal example: your control plane/management traffic (ping) got tangled in the data traffic (VPN). The same could happen to routing protocol traffic etc. (especially on IOS routers). In the ASA the crypto functions don't affect routing protocol traffic in the same manner.

Regards

Farrukh
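The root cause in this thread (a crypto map bound to the comp interface whose match ACL is "permit ip any any") is easy to catch with a configuration check before it bites. The following is an added example, not Cisco tooling or anything from this thread: a small lint that parses running-config text for crypto map entries matching an any/any ACL and reports the interface each one is bound to. The sample config is a constructed excerpt of the one posted above, with an extra hypothetical scoped ACL "vpn_traffic" showing what a clean entry looks like.

```python
import re

# Constructed excerpt modelled on the thread's config. ACL 110 is
# "permit ip any any" and is used by mymap (outside) and mymap2 (comp);
# mymap3 is given a hypothetical scoped ACL to show the non-finding case.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3
 nameif comp
 security-level 50
 ip address 192.168.187.14 255.255.255.0
access-list 110 extended permit ip any any
access-list vpn_traffic extended permit ip 192.168.187.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 interface comp
crypto map mymap3 30 match address vpn_traffic
crypto map mymap3 interface ouside3
"""

ANY_ANY = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+any\s+any\s*$")
MATCH = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)\s*$")
BIND = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)\s*$")


def find_any_any_crypto_maps(config):
    """Return (map_name, seq, acl, interface) for every crypto map entry whose
    match ACL contains 'permit ip any any' and whose map is bound to an interface.
    Such entries pull the interface's own ICMP/management traffic into the tunnel."""
    acls_any = set()   # ACL names containing permit ip any any
    entries = []       # (map_name, seq, acl) from "match address" lines
    bindings = {}      # map_name -> interface from "crypto map X interface Y"
    for raw in config.splitlines():
        line = raw.strip()
        if m := ANY_ANY.match(line):
            acls_any.add(m.group(1))
        elif m := MATCH.match(line):
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := BIND.match(line):
            bindings[m.group(1)] = m.group(2)
    return [(name, seq, acl, bindings[name])
            for name, seq, acl in entries
            if acl in acls_any and name in bindings]


if __name__ == "__main__":
    for name, seq, acl, intf in find_any_any_crypto_maps(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: ACL {acl} is any/any, bound to interface {intf}")
```

Run against a saved "show running-config"; each finding is a map whose ACL should be narrowed to the real protected subnets (one entry per subnet pair if needed) rather than any/any.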

Thank you
