Cisco ASA 5505 8.2(1) ping problem

erick.hemmen
Level 1

Hi all,

Can someone help me with a problem I'm having with a Cisco ASA 5505, IOS version 8.2(1). The problem with it is that it responds really badly on its inside interface to ICMP replies, although it works perfectly on the outside interface. I've been looking for the source of the problem all day yesterday, but can't find it. When I enable logging on the ASA with the command "debug icmp trace" I'm seeing an echo-request coming in, but no echo-reply given. And sometimes, it suddenly gives an echo-reply.

The ASA is connected with both VLANs to a Cisco Catalyst 2960 switch. Servers in this network are connected the same way and are reacting normally to ping requests, internal and external.

My config is the following (IP addresses are fictional):

ASA Version 8.2(1)
!
hostname omega
domain-name example.nl
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.11.75 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 213.1.1.1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
speed 100
duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.4.4.4
domain-name example.nl
object-group network obj_any
network-object 0.0.0.0 0.0.0.0
object-group network mylan
network-object 10.0.11.0 255.255.255.0
access-list PermitOutsideIn extended permit icmp any any echo
access-list PermitOutsideIn extended permit icmp any any echo-reply
access-list PermitOutsideIn extended permit icmp any any source-quench
access-list PermitOutsideIn extended permit icmp any any time-exceeded
access-list PermitOutsideIn extended permit tcp any object-group mylan eq ldap
access-list PermitOutsideIn extended permit tcp any object-group mylan eq ldaps
access-list PermitOutsideIn extended permit tcp any object-group mylan eq 3268
access-list PermitOutsideIn extended permit tcp any object-group mylan eq 3269
access-list PermitOutsideIn extended deny icmp any any
access-list AtoB extended permit ip 10.0.11.0 255.255.255.0 10.2.11.0 255.255.255.0 inactive
access-list 100 extended permit ip any any
access-list VPN extended permit udp any host 213.1.1.1 eq isakmp
access-list VPN extended permit esp any any
access-list NattoB extended permit ip 10.0.11.0 255.255.255.0 10.2.11.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NattoB
access-group inside_access_in in interface inside
access-group VPN in interface outside control-plane
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 213.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map map_A2B 1 match address AtoB
crypto map map_A2B 1 set peer 81.2.2.2
crypto map map_A2B 1 set transform-set ESP-AES-128-SHA
crypto map map_A2B interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=omega.example.nl
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp nat-traversal 100
crypto isakmp am-disable
telnet timeout 5
ssh 10.0.11.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxx encrypted privilege 15
tunnel-group 81.2.2.2 type ipsec-l2l
tunnel-group 81.2.2.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
: end

Any help will be greatly appreciated.


5 Replies

andrew.prince
Level 10

First things that jump out at me are:-

1) You do not have a nat statement for the inside to outside traffic?

> nat (inside) 1 0.0.0.0 0.0.0.0

2) You are applying an "Allow ALL IP" on the inside interface - not required if you are allowing all, this is the default.

> no access-group inside_access_in in interface inside

JMTPW.

P.S changes should not be done during production hours.

Hi Andrew,

Thanks for your answers. Luckily the ASA is still in a test environment, so I tried your options in a safe, controlled environment, but I'm really confused now. I added the NAT statement and removed the access-group. After this the outside interface stopped answering my ping requests, but the inside interface started responding.

So from the inside interface I open an SSH session and ping an external IP address. Now the behaviour I had on the inside interface is on the outside interface. It's sending ping requests, but it's not getting all ping replies back.

The next thing I did was removing the NAT statement; no difference in behaviour. The inside interface still responds to ping requests really well, but the outside interface doesn't reply at all. When trying to ping an external IP address I get a reply to just 2 or 3 out of 5 packets.

After this I did the "debug icmp trace" command again. I do see the requests on the inside interface coming in and the replies going out. On the outside interface though, I don't see any reply going out, just requests coming in. When trying to ping an IP address on the outside interface, the requests are going out, but the replies are not all coming in.

What is it that's preventing me from getting the packets through the ASA?

Since you are in a lab environment, get back to basics: remove your config (take a copy) and use the template below to get the basics working, and move on from there.

!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.11.75 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 213.1.1.1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
access-list acl-outside extended permit icmp any any echo
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any time-exceeded
access-list acl-outside extended permit icmp any any source-quench
!
access-list inside-lan extended permit ip 10.0.0.0 255.0.0.0 any
!
global (outside) 1 interface
nat (inside) 1 access-list inside-lan
!
access-group acl-outside in interface outside
!
route outside 0.0.0.0 0.0.0.0 213.1.1.1

Thanks again for answering my questions Andrew. As you suggested I removed the config (did a reset to factory default), added the basic config and started working from there.

All went well, I could ping inside and outside until I tried a ping from a PC behind the inside interface of the ASA to a server behind the other endpoint of the VPN. Something really strange happened there, which was being logged as: "Deny inbound icmp src outside:10.0.11.4 dst outside:10.2.11.162 (type 8, code 0)"

After that I looked up the ARP table:

omega(config)# show arp
        inside 10.0.11.4 0000.488e.676f bbb
        outside 213.1.1.2 0000.972f.c7c0 aaa
        outside 10.0.11.4 0000.488e.676f bbb

and the route table:

omega(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 213.1.1.2 to network 0.0.0.0

C    10.0.11.0 255.255.255.0 is directly connected, inside
C    213.11.1.3 255.255.255.248 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 213.1.1.2, outside

Now things started to make sense. Something in the network isn't right. I guess it's a thing with the configuration of the Catalyst 2960. So that's my next point of action.

Andrew, thanks again for your help. For now this issue is solved for me!
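Added example, not code from the thread: a small Python checker that reads the kind of show arp output and deny message quoted above and flags a local address learned on an interface other than its home, which is the VLAN leakage the poster spotted. LOCAL_NETS, the sample lines and the function names are constructed for this example from the thread's fictional addresses.

```python
import ipaddress
import re

# Subnet directly behind the ASA's inside interface (assumed from the posted config).
LOCAL_NETS = {"inside": ipaddress.ip_network("10.0.11.0/24")}

# Constructed sample in the format of the "show arp" output quoted in the thread.
SHOW_ARP = """\
        inside 10.0.11.4 0000.488e.676f bbb
        outside 213.1.1.2 0000.972f.c7c0 aaa
        outside 10.0.11.4 0000.488e.676f bbb
"""
# Constructed copy of the deny message the poster saw.
DENY_LINE = "Deny inbound icmp src outside:10.0.11.4 dst outside:10.2.11.162 (type 8, code 0)"

ARP_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")
DENY_RE = re.compile(r"Deny inbound \w+ src (\w+):(\d+\.\d+\.\d+\.\d+) dst (\w+):(\d+\.\d+\.\d+\.\d+)")

def home_interface(ip):
    """Interface an address should be learned on, or None if it is not in a local subnet."""
    addr = ipaddress.ip_address(ip)
    return next((ifc for ifc, net in LOCAL_NETS.items() if addr in net), None)

def parse_arp(text):
    """Return (interface, ip, mac) tuples from show arp output, skipping other lines."""
    return [m.groups() for m in map(ARP_RE.match, text.splitlines()) if m]

def find_arp_leaks(entries):
    """Flag local addresses learned on the wrong interface and addresses seen on several."""
    findings, seen = [], {}
    for ifc, ip, mac in entries:
        seen.setdefault(ip, set()).add(ifc)
        home = home_interface(ip)
        if home and home != ifc:
            findings.append(f"{ip} ({mac}) belongs to {home} but was learned on {ifc}")
    for ip, ifcs in seen.items():
        if len(ifcs) > 1:
            findings.append(f"{ip} learned on several interfaces: {', '.join(sorted(ifcs))}")
    return findings

def check_deny_log(line):
    """Return a finding when a denied packet's source arrived on an interface it should not use."""
    m = DENY_RE.search(line)
    if not m:
        return None
    src_ifc, src_ip, dst_ifc, dst_ip = m.groups()
    home = home_interface(src_ip)
    if home and home != src_ifc:
        return f"{src_ip} entered via {src_ifc}, expected {home} (VLAN leakage or wrong uplink?)"
    if src_ifc == dst_ifc:
        return f"hairpin: {src_ip} -> {dst_ip} both on {src_ifc}"
    return None
```

Running it over the poster's output reports 10.0.11.4 learned on both inside and outside, and the deny line as an inside host arriving via outside, which points at the switch rather than the ASA rules.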

sure no problem.

For the failed ping, it could be a NAT issue?!
