topic How did you knkow that your in Network Security

from asa not able to ping ISP edge router(hence not able to use ip SLA)

Sipl_24034 — Tue, 12 Mar 2019 06:51:37 GMT

AS we are using firewall .our link is up and working fine but we are not able to ping aur edge router beacause of that we are not able to use IP sla. basicly ip sla use icmp to ping edge router

kindly help regarding same

How did you knkow that your

saif musa — Tue, 10 Nov 2015 08:20:19 GMT

How did you know that your edge router is ???

10.227.79.129

Hi there,

Akshay Rastogi — Tue, 10 Nov 2015 08:59:07 GMT

Hi there,

From the configuration, i could see that next of the ASA is 10.153.66.2 and 10.153.67.2. Please check if icmp is allowed on your edge router 10.227.79.129. Also check if it is reachable from your next hop 10.153.66.2 ISP.

there is no icmp permit or deny configured on ASA that means it is allowed bydefault. So no issue.

Regards,

Akshay Rastogi

Akshay,

saif musa — Tue, 10 Nov 2015 09:27:41 GMT

Akshay,

First, chick if you can ping you next hop router from inside your ASA. If so, then you can use it (( 10.153.67.2 )) for sla monitoring perpouses.

Regards

Hi Saif,

Akshay Rastogi — Tue, 10 Nov 2015 09:31:34 GMT

Hi Saif,

I guess, he has mentioned that the link is up and working fine. I believe the traffic is fine but icmp might not be allowed on the edge router. That is why i had mentioned that check from the next hop(which is ISP) to check if from there he is able to ping or not. 🙂

Regards,

Akshay Rastogi

Dear Akshay,

Sipl_24034 — Wed, 11 Nov 2015 09:04:14 GMT

Dear Akshay,

Thanks for quick responce ..

As i observed i can able to ping my edge router from 10.153.66.2 .even i can able to ping edge router from my lan .

problem is that i am not able to ping router from asa ..

Hi,

Akshay Rastogi — Wed, 11 Nov 2015 09:34:01 GMT

Hi,

Please share the output of 'show run icmp'. Please add the below command and check of it works:

icmp permit 10.227.79.129 255.255.255.255 <outside-interface-nameif>

Regards,

Akshay Rastogi

dear Akshay ,

Sipl_24034 — Sun, 15 Nov 2015 06:43:23 GMT

dear Akshay ,

as you said i given icmp permit command.but i found after this commdn even i cant ping my router 10.153.66.2

icmp command output

sh run icmp

icmp unreachable rate-limit 1 burst-size 1
icmp permit host 10.227.79.129 outside1

Hi,

Akshay Rastogi — Sun, 15 Nov 2015 07:14:45 GMT

Hi,

Please remove this command. I advised to place it keeping in mind that there might be some other statements are alredy added.

Please place captures on Outside interface :

'cap capi interface outside match icmp any any'

'cap drop type asp-drop all'

After adding this, start pings from ASA to your edge routers and then take the output of 'cap capi detail' and 'cap drop detail | in icmp'

Regards,

Akshay Rastogi

Dear Akshay ,

Sipl_24034 — Sun, 15 Nov 2015 08:22:17 GMT

Dear Akshay ,

i have given both command but not recived any responce for

cap drop detail | in icmp

Hi,

Rishabh Seth — Sun, 15 Nov 2015 09:50:33 GMT

Hi,

From the output of the commands suggested by Akshay, I looks like that ICMP is being sent by the ASA but there is no reply to it.

Now to troubleshoot further you can try following:

>> As per your configuration, the next hop for all the traffic via outside1 is 10.153.66.2. Check if the next hop device has proper configuration to forward ICMP packet to 10.22.79.129.

>> The show cap capi details shows that the icmp request is forwarded to device with MAC c08c.c59f.8d51. Check if this is the correct device to which traffic should be forwarded. You can run show arp on ASA and check the MAC-IP mapping for this hardware.

>> Check if the device with 10.22.79.129 has correct reverse route for the traffic being generated by 10.153.66.1.

On ASA there is no return traffic recieved so i would suggest you to check the intermediate devices between ASA and the edge router for correct routing and access policies to permit this traffic.

Do share your findings.

Thanks,

R.S.

on router provided route for

Sipl_24034 — Sun, 15 Nov 2015 10:54:36 GMT

on router provided route for lan with next hop 10.153.66.1

and i can ping 10.227.79.129 from my lan as well as router only thing is that not able to ping this ip from ASA.

Is there any reverse route on

Rishabh Seth — Sun, 15 Nov 2015 11:23:59 GMT

Is there any reverse route on edge router for 10.153.66.0/30 subnet for replies to ASA ?

Thanks,

Rishabh Seth

Dear Rishab,

Sipl_24034 — Sun, 15 Nov 2015 12:28:13 GMT

Dear Rishab,

10.153.66.0 Nettwork advertise by relince @there and

still i tried to advertised 10.153.66.0 on my router still same problem persist .

Hi,

Akshay Rastogi — Sun, 15 Nov 2015 17:20:25 GMT

Hi,

Please configure static route on Router for destination as ASA outside interface. Advertising 66.x network would enble next hops to have that network. However it does not ensure that your edge router is having reverse route for ASA outside interface.

Please add the route on Edge router for destination IP as ASA outside interface.

Regards,

Akshay Rastogi

Try to ping the ASA ip from

Rishabh Seth — Sun, 15 Nov 2015 17:54:36 GMT

Try to ping the ASA ip from edge router and take capture on ASA as suggested by Akshay earlier, this would help in figuring out if there are correct routes configured in your network to forward traffic to ASA from edge router.

I think the problem lies outside ASA.

Share your findings.

Thanks,

Rishabh

i found while traceroute

Sipl_24034 — Mon, 16 Nov 2015 05:47:51 GMT

i found while traceroute from edge taking unusal path. escalated to isp .

i will come back after isp responce ...