topic Unable to ping inside address of ASAv from core switch in Network Security

Unable to ping inside address of ASAv from core switch

NetworkMonkey101 — Mon, 17 Apr 2023 10:15:22 GMT

Hi,

I have setup a home lab and I am unable to ping the inside address of my ASAv from the connection core switch. I think it is being blocked by the implicit rule but my attempts to add the correct ACL is not working..

Switch#show ip int brief

Vlan500 10.1.1.3 YES NVRAM up up

interface Vlan500
ip address 10.1.1.3 255.255.255.0

interface GigabitEthernet0/0
description ACCESS > CORE
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
end

GigabitEthernet0/0 is up, line protocol is up (connected)
Hardware is iGbE, address is 0cba.ac0a.0000 (bia 0cba.ac0a.0000)
Description: ACCESS > CORE
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto Duplex, Auto Speed, link type is auto, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
Full-duplex, Auto-speed, link type is auto, media type is RJ45
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:08, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 1000 bits/sec, 2 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
23167 packets input, 1538396 bytes, 0 no buffer
Received 23157 broadcasts (23157 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 23157 multicast, 0 pause input
422 packets output, 69915 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Switch#

-----------------------------------------------------------------------

ciscoasa# show ip

GigabitEthernet0/1 INSIDE 10.1.1.1 255.255.255.0 CONFIG

interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.1.1.1 255.255.255.0

ciscoasa# packet-tracer input INSIDE icmp 10.1.1.1 1 8 10.1.1.2 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc20d4b4970, priority=13, domain=capture, deny=false
hits=19, user_data=0x7fc20d4916c0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=INSIDE, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc20d5fe610, priority=1, domain=permit, deny=false
hits=9, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.1.1.2 using egress ifc INSIDE

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc20d2b6190, priority=501, domain=permit, deny=true
hits=10, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.1.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=INSIDE, output_ifc=any

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000555c6a55cae6 flow (NA)/NA

What is recommended ACL to allow this traffic?

Re: Unable to ping inside address of ASAv from core switch

Marius Gunnerud — Mon, 17 Apr 2023 12:16:57 GMT

First of all, packet-tracer is for use when simulating a packet passing through the ASA and not to the ASA itself. So this will show as a drop no matter what.

As for ping being unsuccessful, you have configured the switch port to be a trunk port while the ASA interace is a regular routed interface. You need to do one of the following

configure the ASA interface as a sub-interface and specify the INSIDE interface to be in vlan 500

Configure the switch port to be an access port and not a trunk port.

Re: Unable to ping inside address of ASAv from core switch

NetworkMonkey101 — Mon, 17 Apr 2023 12:31:47 GMT

Thanks for the reply, I have amended the Core switch to ASA port as suggested but still no icmp reply

interface GigabitEthernet0/0
description CORE > ASAv
switchport mode access
media-type rj45
negotiation auto
end

Core1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Core1#

Re: Unable to ping inside address of ASAv from core switch

MHM Cisco World — Mon, 17 Apr 2023 12:34:58 GMT

this drop I think because you dont config icmp inspect under the policy global
add inspect and check again

Re: Unable to ping inside address of ASAv from core switch

Marius Gunnerud — Mon, 17 Apr 2023 12:53:28 GMT

You have not assigned VLAN 500 to the access port so you are sending traffic in VLAN 1 right now. Add switchport access VLAN 500 to the port then test again

Re: Unable to ping inside address of ASAv from core switch

Marvin Rhoads — Mon, 17 Apr 2023 12:53:50 GMT

No ACL is necessary. ICMP inspect is also not necessary.

You do need to fix the switchport vs. trunk port that @Marius Gunnerud mentioned

Then, for icmp traffic TO the firewall, use the "icmp" command: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/ia-inr-commands.html#wp1366339900

Re: Unable to ping inside address of ASAv from core switch

NetworkMonkey101 — Mon, 17 Apr 2023 13:06:07 GMT

icmp inspection was not able and I have now added that, thank you. I have also changed the switch port to an access port but still unable to ping the inside address of the firewall from the core switch, please see attached both full configurations.

ASA

ciscoasa# show run
: Saved

:
: Serial Number: 9AMQNCL7QTL
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 3500 MHz, 1 CPU (2 cores)
:
ASA Version 9.16(2)
!
hostname ciscoasa
domain-name TEST.local
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto

!
interface GigabitEthernet0/0
description OUTSIDE
shutdown
nameif OUTSIDE
security-level 0
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no management-only
nameif MGMT
security-level 100
ip address 10.255.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name TEST.local
same-security-traffic permit inter-interface
pager lines 23
logging enable
logging timestamp
logging buffer-size 99999
logging trap debugging
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu MGMT 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any INSIDE
icmp permit any DMZ
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 MGMT
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0a0142800000014523c844b500000002
30820560 30820348 a0030201 0202100a 01428000 00014523 c844b500 00000230
0d06092a 864886f7 0d01010b 0500304a 310b3009 06035504 06130255 53311230
10060355 040a1309 4964656e 54727573 74312730 25060355 0403131e 4964656e

telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect snmp
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:bff2ad5e30e164455c5fd6effaf8e9e3
: end
ciscoasa#

SWITCH

Core1#show run
Building configuration...

Current configuration : 4488 bytes
!
! Last configuration change at 13:00:15 UTC Mon Apr 17 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Core1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
vtp domain TEST
vtp mode off
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.20.10.1 10.20.10.10
ip dhcp excluded-address 10.30.10.1 10.30.10.10
!
ip dhcp pool CLIENTS
network 10.10.10.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.10.10.1
!
ip dhcp pool WIFI
network 10.20.10.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.20.10.1
!
ip dhcp pool DMZ
network 10.30.10.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.30.10.1
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
name CLIENTS
!
vlan 20
name WIFI
!
vlan 30
name DMZ
!
vlan 500
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description CORE > ASA
switchport mode access
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
description CORE > ACCESS
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
interface GigabitEthernet2/0
media-type rj45
negotiation auto
!
interface GigabitEthernet2/1
media-type rj45
negotiation auto
!
interface GigabitEthernet2/2
media-type rj45
negotiation auto
!
interface GigabitEthernet2/3
media-type rj45
negotiation auto
!
interface GigabitEthernet3/0
media-type rj45
negotiation auto
!
interface GigabitEthernet3/1
media-type rj45
negotiation auto
!
interface GigabitEthernet3/2
media-type rj45
negotiation auto
!
interface GigabitEthernet3/3
media-type rj45
negotiation auto
!
interface Vlan10
ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
ip address 10.20.10.1 255.255.255.0
!
interface Vlan30
ip address 10.30.10.1 255.255.255.0
!
interface Vlan500
ip address 10.1.1.2 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
logging synchronous
line aux 0
line vty 0
logging synchronous
login
line vty 1 4
login
!
!
end

Core1#

Re: Unable to ping inside address of ASAv from core switch

MHM Cisco World — Mon, 17 Apr 2023 13:10:40 GMT

share the packet tracer after you enable the icmp inspection

Re: Unable to ping inside address of ASAv from core switch

Marius Gunnerud — Mon, 17 Apr 2023 13:13:30 GMT

You are still missing VLAN configuration on the switch port connecting to the ASA

Re: Unable to ping inside address of ASAv from core switch

NetworkMonkey101 — Mon, 17 Apr 2023 13:15:43 GMT

Core1#show run int gi0/0
Building configuration...

Current configuration : 147 bytes
!
interface GigabitEthernet0/0
description CORE > ASA
switchport access vlan 500
switchport mode access
media-type rj45
negotiation auto
end

should it be this?

Re: Unable to ping inside address of ASAv from core switch

NetworkMonkey101 — Mon, 17 Apr 2023 13:16:51 GMT

ciscoasa# packet-tracer input INSIDE icmp 10.1.1.1 1 8 10.1.1.2 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb005600760, priority=1, domain=permit, deny=false
hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.1.1.2 using egress ifc INSIDE

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb0052b6500, priority=501, domain=permit, deny=true
hits=1, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.1.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=INSIDE, output_ifc=any

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560af18feae6 flow (NA)/NA

ciscoasa#

Getting the same output

Re: Unable to ping inside address of ASAv from core switch

MHM Cisco World — Mon, 17 Apr 2023 13:25:27 GMT

there are multi VLAN in L3SW and there is one (VLAN1) connect L3SW to ASA
so I think run permit intra-interface connection

Re: Unable to ping inside address of ASAv from core switch

Marius Gunnerud — Mon, 17 Apr 2023 13:25:16 GMT

Yes that is correct, but again, packet-tracer is for simulating a packet through the ASA and not to it. So you packet-tracer you are posting will always fail.

Re: Unable to ping inside address of ASAv from core switch

Marvin Rhoads — Mon, 17 Apr 2023 13:25:21 GMT

STOP using packet-tracer. It is not for traffic TO the firewall. Only for traffic THROUGH the firewall.

Re: Unable to ping inside address of ASAv from core switch

NetworkMonkey101 — Mon, 17 Apr 2023 13:27:45 GMT

Thanks for your help it is now working