Cannot ping from ASAv to VratsaASA and host on another LAN.

$monster$ — Fri, 28 Jan 2022 19:30:52 GMT

Hi guys, would appreciate a little help from you.

So my task here is to make the 2 ASA's from a different subnet to be able pinging each other and to be able pinging the end host. My final goal is the host with anyIP which has 172.16.10.100 255.255.255.0 172.16.10.100 to be able logging into the Web Server on 10.45.2.80, public ip of the Server is 45.2.3.12(which is the OUTSIDE interface of New Your ASA) and traffic needs to go from NYASA to V-ASA.

Here is the configuration of the New Your ASA:
==============================================================================================

no mac-address auto

!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 45.2.3.12 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
nameif DMZ
security-level 50
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object network OUT-IP
host 45.2.3.12
access-list OUTSIDE extended permit icmp any object OUT-IP
access-list OUTSIDE extended permit icmp object OUT-IP any
pager lines 23
mtu OUTSIDE 1500
mtu DMZ 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
access-group OUTSIDE in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.10.0 1
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.0.0 1
route OUTSIDE 0.0.0.0 0.0.0.0 45.2.4.0 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map default_policy
class inspection_default
inspect icmp
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http

==============================================================================================

Here is the configuration of the Vratsa ASA:
=============================================================================================
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 45.2.4.56 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 10.45.2.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name cisci.com
same-security-traffic permit inter-interface
object network WEB-SERVER-PORTFORWARD
host 10.45.2.80
object network DMZ
host 10.45.2.80
object network OUT-IP
host 45.2.4.56
access-list test extended permit tcp any object WEB-SERVER-PORTFORWARD eq www
access-list test extended permit tcp object WEB-SERVER-PORTFORWARD any eq www
access-list test extended permit ip any host 10.45.2.80
access-list test extended permit ip object WEB-SERVER-PORTFORWARD any
access-list test extended permit icmp object OUT-IP any
access-list test extended permit icmp any object OUT-IP
access-list dmz_inside extended permit icmp host 10.45.2.80 any
access-list dmz_inside extended permit icmp any host 10.45.2.80
access-list dmz_inside extended permit icmp host 10.45.2.1 host 10.45.2.80
pager lines 23
mtu OUTSIDE 1500
mtu DMZ 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network WEB-SERVER-PORTFORWARD
nat (DMZ,OUTSIDE) static 45.2.3.12
object network DMZ
nat (OUTSIDE,DMZ) dynamic interface
access-group test in interface OUTSIDE
access-group dmz_inside in interface DMZ
route OUTSIDE 0.0.0.0 0.0.0.0 45.2.3.0 1
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.10.0 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
access-list test extended permit tcp any object WEB-SERVER-PORTFORWARD eq www
access-list test extended permit tcp object WEB-SERVER-PORTFORWARD any eq www
access-list test extended permit ip any host 10.45.2.80
access-list test extended permit ip object WEB-SERVER-PORTFORWARD any
access-list test extended permit icmp object OUT-IP any
access-list test extended permit icmp any object OUT-IP
access-list dmz_inside extended permit icmp host 10.45.2.80 any
access-list dmz_inside extended permit icmp any host 10.45.2.80
access-list dmz_inside extended permit icmp host 10.45.2.1 host 10.45.2.80
pager lines 23
mtu OUTSIDE 1500
mtu DMZ 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network WEB-SERVER-PORTFORWARD
nat (DMZ,OUTSIDE) static 45.2.3.12
object network DMZ
nat (OUTSIDE,DMZ) dynamic interface
access-group test in interface OUTSIDE
access-group dmz_inside in interface DMZ
route OUTSIDE 0.0.0.0 0.0.0.0 45.2.3.0 1
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.10.0 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:2f054c8ff106a12f87782bedef444f36
: end
==============================================================================================
This has been a real pain to find a solution and do not know how to proceed, if there is any way to let me know how the communication should be done I'll really be happy.

Thank you in advance.

Re: Cannot ping from ASAv to VratsaASA and host on another LAN.

Rob Ingram — Fri, 28 Jan 2022 19:40:32 GMT

@$monster$ on the NY ASA you have 3 default routes, they all appear incorrect, remove them all.

no route OUTSIDE 0.0.0.0 0.0.0.0 172.16.10.0 1
no route OUTSIDE 0.0.0.0 0.0.0.0 172.16.0.0 1
no route OUTSIDE 0.0.0.0 0.0.0.0 45.2.4.0 1

Add the correct gateway, I assume the next hop would be 45.2.3.1?

route OUTSIDE 0.0.0.0 0.0.0.0 45.2.3.1

The Vsatsa ASA also have incorrect default routes, remove them

no route OUTSIDE 0.0.0.0 0.0.0.0 45.2.3.0 1
no route OUTSIDE 0.0.0.0 0.0.0.0 172.16.10.0 1

Add the correct next hop, I assume 45.2.4.1?

route OUTSIDE 0.0.0.0 0.0.0.0 45.2.4.1

Re: Cannot ping from ASAv to VratsaASA and host on another LAN.

$monster$ — Fri, 28 Jan 2022 19:56:07 GMT

Actually the only IP's i've added to the interfaces of the ASA are the following:
New Your ASA:
ciscoasa(config)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 45.2.3.12 YES CONFIG up up

Vrasta ASA:

ciscoasa(config)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 45.2.4.56 YES CONFIG up up
GigabitEthernet0/1 10.45.2.1 YES CONFIG up up
GigabitEthernet0/2 unassigned YES unset administratively down up

The Ip 10.45.2.1 is for the DMZ network.

And stil cannot ping either of the ASA, here is the result:
Sending 5, 100-byte ICMP Echos to 45.2.3.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Re: Cannot ping from ASAv to VratsaASA and host on another LAN.

Rob Ingram — Fri, 28 Jan 2022 20:04:17 GMT

@$monster$ yes, I can see the IP addresses you've added to the outside interfaces, but the default gateways are wrong on both ASAs, they need changing. Determine the local next hop and assign that as the default route on both ASAs.

What is the "inet" cloud doing?

Re: Cannot ping from ASAv to VratsaASA and host on another LAN.

$monster$ — Fri, 28 Jan 2022 20:12:53 GMT

@Rob Ingram Thank you for your respond. Actually there is nothing in INET, the lab is made on platform eve. Even if I try to go inside the INET it would not let me.

the actual task here is the following:
=====================================================================================

The real issue is that we had a WEB server at New York DC (172.16.2.80). The NATed IP address is 45.2.3.12. Recently we moved the WEB server to Vratsa DC. The new IP address of WEB server is 10.45.2.80.

I am sending the tech support from Vratsa ASA (attached).

We want to use the same NATed IP (45.2.3.12) address to access the WEB server (from ANY sources). Is it possible and how we can accomplish this. Please advise.
=====================================================================================

The actual pic of the topology is attached

Re: Cannot ping from ASAv to VratsaASA and host on another LAN.

Rob Ingram — Fri, 28 Jan 2022 20:22:02 GMT

@$monster$ is this a lab scenario?

The outside interfaces of both ASAs are on different networks, there needs to be a router (inet) to route between these different networks and you need to sort out your default routes on the ASAs.

Why can't you change the NAT to the Vratsa ASA IP address?

topic Re: Cannot ping from ASAv to VratsaASA and host on another LAN. in Network Security

Cannot ping from ASAv to VratsaASA and host on another LAN.

Re: Cannot ping from ASAv to VratsaASA and host on another LAN.

Re: Cannot ping from ASAv to VratsaASA and host on another LAN.

Re: Cannot ping from ASAv to VratsaASA and host on another LAN.

Re: Cannot ping from ASAv to VratsaASA and host on another LAN.

Re: Cannot ping from ASAv to VratsaASA and host on another LAN.