Can someone help me with a problem I'm having with a Cisco ASA 5505, IOS version 8.2(1)? The problem with it is that it responds really badly on its inside interface with ICMP replies, although it works perfectly on the outside interface. I was looking for the source of the problem all day yesterday, but I can't find it. When I enable logging on the ASA with the command "debug icmp trace" I see an echo-request coming in, but no echo-reply given. And sometimes, it suddenly gives an echo-reply.
The ASA has both VLANs connected to a Cisco Catalyst 2960 switch. Servers in this network are connected the same way and react normally to ping requests, internal and external.
My config is the following (IP addresses are fictional):
ASA Version 8.2(1)
!
hostname omega
domain-name example.nl
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.11.75 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 22.214.171.124 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 speed 100
 duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 name-server 126.96.36.199
 name-server 188.8.131.52
 domain-name example.nl
object-group network obj_any
 network-object 0.0.0.0 0.0.0.0
object-group network mylan
 network-object 10.0.11.0 255.255.255.0
access-list PermitOutsideIn extended permit icmp any any echo
access-list PermitOutsideIn extended permit icmp any any echo-reply
access-list PermitOutsideIn extended permit icmp any any source-quench
access-list PermitOutsideIn extended permit icmp any any time-exceeded
access-list PermitOutsideIn extended permit tcp any object-group mylan eq ldap
access-list PermitOutsideIn extended permit tcp any object-group mylan eq ldaps
access-list PermitOutsideIn extended permit tcp any object-group mylan eq 3268
access-list PermitOutsideIn extended permit tcp any object-group mylan eq 3269
access-list PermitOutsideIn extended deny icmp any any
access-list AtoB extended permit ip 10.0.11.0 255.255.255.0 10.2.11.0 255.255.255.0 inactive
access-list 100 extended permit ip any any
access-list VPN extended permit udp any host 184.108.40.206 eq isakmp
access-list VPN extended permit esp any any
access-list NattoB extended permit ip 10.0.11.0 255.255.255.0 10.2.11.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NattoB
access-group inside_access_in in interface inside
access-group VPN in interface outside control-plane
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 220.127.116.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
Thanks for your answers. Luckily the ASA is still in a test environment, so I tried your options in a safe, controlled environment, but I'm really confused now. I added the NAT statement and removed the access-group. After this the outside interface stopped answering my ping requests, but the inside interface started responding.
So from the inside interface I open an SSH session and ping an external IP address. Now the behaviour I had on the inside interface is on the outside interface. It's sending ping requests, but it's not getting all ping replies back.
The next thing I did was remove the NAT statement; no difference in behaviour. The inside interface still responds to ping requests really well, but the outside interface doesn't reply at all. When trying to ping an external IP address I get a reply to just 2 or 3 out of 5 packets.
After this I ran the "debug icmp trace" command again. I do see the requests coming in on the inside interface and the replies going out. On the outside interface, though, I don't see any reply going out, just requests coming in. When trying to ping an IP address on the outside interface, the requests are going out, but the replies are not all coming in.
What is it that's preventing me from getting the packets through the ASA?
Thanks again for answering my questions, Andrew. As you suggested I removed the config (did a reset to factory defaults), added the basic config and started working from there.
All went well; I could ping inside and outside until I tried a ping from a PC behind the inside interface of the ASA to a server behind the other endpoint of the VPN. Something really strange happened there, which was logged as: "Deny inbound icmp src outside:10.0.11.4 dst outside:10.2.11.162 (type 8, code 0)"
Then I looked up the ARP table:
omega(config)# show arp
inside 10.0.11.4 0000.488e.676f bbb
outside 18.104.22.168 0000.972f.c7c0 aaa
outside 10.0.11.4 0000.488e.676f bbb
and the route table:
omega(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 22.214.171.124 to network 0.0.0.0
C 10.0.11.0 255.255.255.0 is directly connected, inside
C 126.96.36.199 255.255.255.248 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 188.8.131.52, outside
Now things started to make sense. Something in the network isn't right. I guess it's a thing with the configuration of the Catalyst 2960, so that's my next point of action.
Andrew, thanks again for your help. For now this issue is solved for me!
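As an added example (not from the post, from Andrew, or from Cisco), a small Python check that automates what the ARP table and the deny log above revealed: it flags any IP/MAC pair that the ASA has learned on more than one interface, and any "Deny inbound" message whose source is an inside-subnet address arriving on an interface other than inside. The interface name "inside" and the 10.0.11.0/24 subnet are taken from the config above; the sample outputs are constructed to mirror the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed "show arp" output modelled on the post: the inside host
# 10.0.11.4 is learned on BOTH the inside and the outside interface.
SAMPLE_ARP = """\
inside 10.0.11.4 0000.488e.676f bbb
outside 18.104.22.168 0000.972f.c7c0 aaa
outside 10.0.11.4 0000.488e.676f bbb
"""

# Constructed syslog line in the format quoted in the post.
SAMPLE_LOG = ("Deny inbound icmp src outside:10.0.11.4 "
              "dst outside:10.2.11.162 (type 8, code 0)")

# Inside subnet and nameif as configured on the ASA in the post.
INSIDE_NET = ipaddress.ip_network("10.0.11.0/24")
INSIDE_IF = "inside"

ARP_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
DENY_RE = re.compile(r"Deny inbound (\w+) src (\w+):(\S+) dst (\w+):(\S+)")


def parse_arp(text):
    """Return (interface, ip, mac) tuples from 'show arp' output."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries


def find_cross_interface_hosts(entries):
    """Map each (ip, mac) seen on more than one interface to those interfaces.
    A host whose MAC shows up on two ASA interfaces points at a layer-2
    problem (e.g. VLAN misconfiguration on the switch), not at the ASA ACLs."""
    seen = defaultdict(set)
    for iface, ip, mac in entries:
        seen[(ip, mac)].add(iface)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def suspicious_deny(line, inside_net=INSIDE_NET, inside_if=INSIDE_IF):
    """Return the parsed fields when a Deny log shows an inside-subnet source
    arriving on some other interface; otherwise None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    proto, src_if, src_ip, dst_if, dst_ip = m.groups()
    if src_if != inside_if and ipaddress.ip_address(src_ip) in inside_net:
        return {"proto": proto, "src_if": src_if, "src_ip": src_ip,
                "dst_if": dst_if, "dst_ip": dst_ip}
    return None
```

Feeding real "show arp" output and the ASA syslog into these two functions gives a quick yes/no on whether inside hosts are leaking onto the outside VLAN before any ACL or NAT change is attempted.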