Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

The outside sub-network is not accesssible

Hi,

I have ASA 5505 with Secplus - configured and  working fine but I have a lame problem.
The situation - I have LAN  Internet provider ( the IPs are for example ):
ASA IP - 1.1.1.3/27 -  default GW 1.1.1.2/27 ( Internet, IPSec working like charm )
I have  second machine ( linux router ) attached to the same LAN  network but in different location with IP 1.1.1.4/27 (same d.gw) -  again, working like charm
The issue - the linux box and the ASA are  not accessible from each other.
After several experiments - I found  working IP 1.1.1.5/27 in this subnet which is pinglable from the linux  box but not from the ASA ( icmp is allowed in my conf. )
Can somebody  help?

10 REPLIES
Silver

Re: The outside sub-network is not accesssible

Can the linux box and the ASA properly ARP each other?  For example does a ‘show arp’ on the ASA resolve the correct MAC address to the IP address of the linux box?  On the linux box does an ‘arp –a’ resolve the correct MAC address to the IP address of the ASA?

Chris


New Member

Re: The outside sub-network is not accesssible

Chris,

No, I just tried to ping the both machines from each other and the MAC addresses not appears.

On the linux box I can see:

asa-host (1.1.1.3) at on eth0

from ASA side nothings is shown in the arp table.

Silver

Re: The outside sub-network is not accesssible

Andrey,

Based on that I’d troubleshoot with your service provider as to why ARP requests/responses aren’t passing between the two sites.


Chris

New Member

Re: The outside sub-network is not accesssible

Thank you very much for this good advise - I will post any development.

New Member

Re: The outside sub-network is not accesssible

Chris,


The provider state that the problem is not in his configuration - as is expected.

Anyway..... Can I diagnose the problem in different way? What I can do from my side?

Re: The outside sub-network is not accesssible

Hi,

Try adding static arp entries in both the devices for each other

HTH

Hitesh Vinzoda

Pls rate useful posts

New Member

Re: The outside sub-network is not accesssible

Hitesh,

Actually I already tried this - no success

Silver

Re: The outside sub-network is not accesssible

Andrey,

Is this what your topology looks like?

If so has your service provider indicated they support customer hosts communicating with each other over the service provider switch fabric?  If they do support this than one thing you can do is use a packet analyzer such as wireshark to demonstrate the problem.  On the ASA you can use the built in packet capture utility.

This article has good advice on troubleshooting an ASA and covers packet capture.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#s3


Capture a successful ARP request/response between the ASA and the Default Gateway.  Capture an unsuccessful ARP request/response between the ASA and the Linux host.  Assemble the evidence and send it to your service provider.  If you reside in a free market society and the service provider has a listening problem consider a new service provider.


Chris

New Member

Re: The outside sub-network is not accesssible

Chris,

Yes, the topology is similar - with comment from my side - I don't how many and what type of switches stays between the both hosts.

I will play with the packet capture and will see what will be the result.

In addition:

I found another working the IP in the same subnet - which is pingable from the Linux box but not from the ASA.

Do you thing that the problem can reside on the ASA side - by default ASA come with everything denied and I try to stick to this policy. The allowed services are based on my needs. Please, check my configuration below.

ASA configuration:

----------------------------------------------------

: Saved
:
ASA Version 8.2(1)
!
terminal width 160
hostname gw
domain-name karadimov.info
enable password ************************ encrypted
passwd **************************** encrypted
names
!
interface Vlan1
nameif inside
security-level 90
ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.3 255.255.255.224
!
interface Vlan3
nameif outside_1
security-level 0
pppoe client vpdn group spnet
ip address pppoe
!
interface Vlan100
nameif internal-users
security-level 100
ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
switchport protected
!
interface Ethernet0/1
switchport access vlan 3
switchport protected
!
interface Ethernet0/2
switchport trunk allowed vlan 1
!
interface Ethernet0/3
switchport trunk allowed vlan 1
!
interface Ethernet0/4
switchport trunk allowed vlan 1
!
interface Ethernet0/5
switchport access vlan 100
switchport protected
!
interface Ethernet0/6
switchport trunk allowed vlan 1
!
interface Ethernet0/7
switchport trunk allowed vlan 1
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server ?.?.?.?
name-server ?.?.?.?
name-server ?.?.?.?
domain-name karadimov.info
same-security-traffic permit intra-interface
access-list 24101 extended permit icmp any any echo
access-list 24101 extended permit icmp any any echo-reply
access-list 24101 extended permit icmp any any source-quench
access-list 24101 extended permit icmp any any unreachable
access-list 24101 extended permit icmp any any time-exceeded
access-list 24101 extended permit ah any any
access-list 24101 extended permit esp any any
access-list outside_1_access_in extended permit icmp any any echo
access-list outside_1_access_in extended permit icmp any any echo-reply
access-list outside_1_access_in extended permit icmp any any source-quench
access-list outside_1_access_in extended permit icmp any any unreachable
access-list outside_1_access_in extended permit icmp any any time-exceeded
access-list outside_1_access_in extended permit ah any any
access-list outside_1_access_in extended permit esp any any
access-list outside_cryptomap extended permit ip host 192.168.5.64 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip host 192.168.5.64 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging history critical
logging asdm warnings
logging mail critical
no logging message 106023
mtu inside 1500
mtu outside 1500
mtu outside_1 1492
mtu internal-users 1500
no failover
icmp unreachable rate-limit 10 burst-size 5
icmp permit any inside
icmp permit any internal-users
no asdm history enable
arp outside 1.1.1.99 0026.cb32.6650 alias
arp timeout 14400
global (outside) 1 interface
global (outside_1) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (internal-users) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.99 192.168.5.61 netmask 255.255.255.255
access-group 24101 in interface outside
access-group outside_1_access_in in interface outside_1
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1 track 1
route outside 10.0.0.0 255.255.255.0 85.130.93.33 1 track 2
route outside_1 0.0.0.0 0.0.0.0 2.2.2.3 2
route outside_1 10.0.0.0 255.255.255.0 2.2.2.3 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 inside
http 192.168.6.0 255.255.255.0 internal-users
sysopt noproxyarp inside
sysopt noproxyarp internal-users
sla monitor 123
type echo protocol ipIcmpEcho 1.1.1.3 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map6 1 match address outside_cryptomap
crypto map outside_map6 1 set peer ?.?.?.?
crypto map outside_map6 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map6 1 set security-association lifetime seconds 86400
crypto map outside_map6 interface outside
crypto map outside_1_map1 1 match address outside_1_cryptomap
crypto map outside_1_map1 1 set peer ?.?.?.?
crypto map outside_1_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_1_map1 1 set security-association lifetime seconds 86400
crypto map outside_1_map1 interface outside_1
crypto isakmp enable outside
crypto isakmp enable outside_1
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.6.0 255.255.255.0 internal-users
ssh timeout 60
ssh version 2
console timeout 0
vpdn group spnet request dialout pppoe
vpdn group spnet localname andros
vpdn group spnet ppp authentication pap
vpdn username andros password *********

priority-queue outside
priority-queue outside_1
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group ?.?.?.? type ipsec-l2l
tunnel-group ?.?.?.? ipsec-attributes
pre-shared-key *
tunnel-group ?.?.?.?_1 type ipsec-l2l
tunnel-group ?.?.?.?_1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
smtp-server 192.168.5.253
prompt hostname context
Cryptochecksum:fdeb155f6e834b253d5f2ee8b8e035d0
: end

Silver

Re: The outside sub-network is not accesssible

Andrey,

Be sure to verify with your service provider that they support the functionally you are troubleshooting.

By default ARP works on the ASA.

I don’t see anything in your ASA config that would prevent ARP from working.  Focus on the ASA and Linux host ability to resolve IP addresses to MAC addresses.  Once ARP works as expected then pursue other possible blocking problems if they persist.   



Chris

361
Views
0
Helpful
10
Replies
CreatePlease login to create content