topic Hi. Class Maps are used to in Network Security

No connectivity with ASA HELP!

robbo79871 — Tue, 12 Mar 2019 07:04:40 GMT

Hi, i have a problem with getting PC's on the inside interface on packet tracer to ping beyond the asa default gateway interface in my topology.

I have a router on the edge with a fa 0/0 address of 172.16.30.1 and a s2/0 address of 192.168.1.3. The PC's can ping the ASA inside VLAN 30 interface from the statically configured PC's but they cant go beyond that and ping the router 172 or 192 interfaces. I have a global service policy implemented that inspects ICMP as well. The asa outside interface is 172.16.30.2 also. The asa can ping the 172.16.30.1 and 192.168.1.3 fine, just nothing from the PC's on the inside.

Any idea why this simple problem doeskin seem to be working?

Thanks

(there is a dhcp pool etc.. configured but the PC's aren't using it and the VPN isn't being used as well)

hostname ciscoasa

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 30

interface Ethernet0/2

switchport access vlan 30

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

no nameif

security-level 100

no ip address

interface Vlan2

nameif outside

security-level 0

ip address 172.16.30.2 255.255.255.0

interface Vlan30

nameif inside

security-level 100

ip address 10.30.0.1 255.255.255.0

route outside 0.0.0.0 255.255.255.255 172.16.30.1 1

access-list VPN standard permit 10.30.0.0 255.255.255.0

group-policy vpn internal

class-map inspect

match default-inspection-traffic

class-map test

policy-map global

class inspect

inspect icmp

class test

service-policy global global

telnet timeout 5

ssh timeout 5

dhcpd enable

dhcpd address 10.30.0.10-10.30.0.15 inside

dhcpd enable inside

crypto ipsec ikev1 transform-set VPN esp-aes 256 esp-sha-hmac

crypto map VPN_MAP 1 match address VPN

crypto map VPN_MAP 1 set peer 172.16.31.2

crypto map VPN_MAP 1 set security-association lifetime seconds 8600

crypto map VPN_MAP 1 set ikev1 transform-set VPN

crypto ikev1 policy 1

encr aes

authentication pre-share

group 5

lifetime 8600

tunnel-group 172.16.31.2 type ipsec-l2l

tunnel-group 172.16.31.2 ipsec-attributes

ikev1 pre-shared-key cisco

Hello.

ATAK_RUSSIA — Mon, 28 Dec 2015 13:37:47 GMT

Hello.

I think the problem could be because of this: route outside 0.0.0.0 255.255.255.255 172.16.30.1 1

Try to change it to route outside 0.0.0.0 0.0.0.0 172.16.30.1 1 (if you want to use 172.16.30.1 as default route).

Best Regards.

Does the outside router have

Marvin Rhoads — Mon, 28 Dec 2015 13:50:59 GMT

As noted, your default route is not properly formed. Also, does the outside router have a route to return traffic from 10.30.0.0/24 to the ASA outside interface?

What does packet-tracer tell you:

packet-tracer input inside icmp 10.30.0.2 8 0 172.16.30.1

Hi, thanks to both of you for

robbo79871 — Wed, 30 Dec 2015 05:48:03 GMT

Hi, thanks to both of you for the help, it was indeed the route configuration that i screwed up. All sorted now. BUT ironically i have the same problem at the other "site" i have configured but for the life of me this time i cannot see where the problem is.

All the setup on this site is identical to the other one, except for the inside Vlan is 20 and the inside addresses are 10.20.0.0/24, i will also post the config of the router on the edge to but i highly doubt there is something wrong with that because the site with Vlan 30 can ping all the way across the site, through the local ASA and through the edge router all the way through the external site router through to the external ASA's outside interface because of the static routes i have configured on both routers and both ASA's. So its baffling me how this small problem in the local site on the PC's, is not pinging the edge router interface of 172.16.20.1

ASA Version 8.4(2)

hostname ciscoasa

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 20

interface Ethernet0/2

switchport access vlan 20

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

no nameif

no security-level

no ip address

interface Vlan2

nameif outside

security-level 0

ip address 172.16.20.2 255.255.255.0

interface Vlan20

nameif inside

security-level 100

ip address 10.20.0.1 255.255.255.0

webvpn

enable

route outside 0.0.0.0 0.0.0.0 172.16.20.1 1

class-map inspect

match default-inspection-traffic

policy-map global

class inspect

service-policy global global

telnet timeout 5

ssh timeout 5

dhcpd enable

Router config

Current configuration : 1230 bytes

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

hostname Router2

ip cef

no ipv6 cef

interface FastEthernet0/0

ip address 172.16.20.1 255.255.255.0

duplex auto

speed auto

interface FastEthernet1/0

no ip address

duplex auto

speed auto

shutdown

interface Serial2/0

no ip address

encapsulation frame-relay

frame-relay interface-dlci 102

interface Serial2/0.201 point-to-point

ip address 192.168.0.2 255.255.255.0

frame-relay interface-dlci 201

interface Serial2/0.203 point-to-point

ip address 192.168.3.2 255.255.255.0

frame-relay interface-dlci 203

interface Serial3/0

no ip address

clock rate 2000000

shutdown

interface FastEthernet4/0

no ip address

shutdown

interface FastEthernet5/0

no ip address

shutdown

router ospf 1

router-id 2.2.2.2

log-adjacency-changes

network 192.168.0.0 0.0.255.255 area 0

network 172.16.20.0 0.0.0.255 area 0

ip classless

ip route 10.20.0.0 255.255.255.0 172.16.20.2

ip route 10.30.0.0 255.255.255.0 192.168.3.1

ip flow-export version 9

no cdp run

line con 0

line aux 0

line vty 0 4

end

Hello.

AllertGen — Wed, 30 Dec 2015 06:03:38 GMT

Hello.

If you mean that you can't get access from vlan 2 to vlan 20 then you can't get access because of the security level. For undenstanding it you can read this: https://www.shilpasys.com/articles/what-are-cisco-asa-firewall-security-levels/

Best Regards.

Hi. I noticed that you don't

Andre Neethling — Wed, 30 Dec 2015 06:14:38 GMT

Hi. I noticed that you don't have ICMP inspection enabled on this ASA, so the return ICMP traffic will not be allowed. See below excerpt from your other ASA config you posted earlier in the thread

policy-map global

class inspect

inspect icmp

Thanks for the help again

robbo79871 — Wed, 30 Dec 2015 06:49:48 GMT

Thanks for the help again with this, what you suggested worked. I have a question though, the reason why this confused me was because i createds the class map inspect with the

"default-inspection-traffic Match default inspection traffic:

ctiqbe----tcp--2748 dns-------udp--53

ftp-------tcp--21 gtp-------udp--2123,3386

h323-h225-tcp--1720 h323-ras--udp--1718-1719

http------tcp--80 icmp------icmp

ils-------tcp--389 ip-options-----rsvp

mgcp------udp--2427,2727 netbios---udp--137-138

radius-acct----udp--1646 rpc-------udp--111

rsh-------tcp--514 rtsp------tcp--554

sip-------tcp--5060 sip-------udp--5060

skinny----tcp--2000 smtp------tcp--25

sqlnet----tcp--1521 tftp------udp--69

waas------tcp--1-65535 xdmcp-----udp--177"

associated with it, ICMP is listed as part of the inspection protocols here so i applied it to the policy map global and created the global service policy. I didnt think i needed to have the inspect icmp sytax in the policy map part also, seeing as it is listed in the match traffic "default-inspection-traffic" in the class map. I was wondering if you could tell me why that is not working then?

Thanks for the help again

Hi. Class Maps are used to

Andre Neethling — Wed, 30 Dec 2015 07:00:16 GMT

Hi. Class Maps are used to match traffic. Policy maps apply an action to the mapped traffic (eg. Inspect icmp, or inspect http).

So you need to enable the inspect action in the policy map, on the traffic matched by the class map.

HTH