topic i did a capture for the drop in Network Security

can't ping inside interfaces on asa from switch

Majed Zouhairy — Tue, 12 Mar 2019 06:19:16 GMT

Peace,

I have asa 5520 with sub interfaces inside, i can ping hosts on the inside networks but i can't ping the inside interfaces themselves from an attached nexus switch. it would make troubleshooting a lot easier if i can ping the gateway. So is there a way to enable pings to the inside interfaces from different vlans?

Have a look at this:https:/

Traian Bratescu — Thu, 23 Jul 2015 08:14:41 GMT

Have a look at this:

https://supportforums.cisco.com/discussion/10347521/asa-5505-icmp-not-responding

You can only ping the ASA's ip address from a network that is behind that specific interface (meaning you can't ping the outside IP addres from an inside host for example); additionally you have to specify which sources you allow - the command is:

"To configure access rules for ICMP traffic that terminates at a adaptive security appliance interface, use the icmp command. To remove the configuration, use the no form of this command.

icmp {permit | deny} ip_address net_mask [icmp_type] if_name "

Traian

i am not trying to ping an

Majed Zouhairy — Thu, 23 Jul 2015 08:55:11 GMT

i am not trying to ping an outside address. i noticed that from inside network i can ping the inside interface.

from the link you gave, it stated:

"Put more generally, you cannot ping the firewall's ip addresses, unless you are on the interface you are pinging."

from this i understand that pinging another inside subinterface is not possible from a different vlan. i guess i asked for too much.

Hi Majed, To troubleshoot you

Rishabh Seth — Thu, 23 Jul 2015 09:25:31 GMT

Hi Majed,

To troubleshoot you can check following:

>> ARP on the ASA for the host from where you are doing the ping test.

show arp

>> Check if ASA is receiving traffic:

cap capi interface inside match icmp any any

show cap capi

>> In case the traffic is reaching asa and it is getting dropped there then:

cap asp type asp-drop all

show cap asp.

Please attach above mentioned data and also attach the show run interface output.

Thanks,

R.Seth

It was just an example...You

Traian Bratescu — Thu, 23 Jul 2015 09:59:09 GMT

It was just an example...

You can ping an inside interface from a different vlan as long as the packet is not traversing the ASA.

something like

vlan1 \

\ --- Router --- ASA

Vlan2 /

You can enable icmp from either vlan 1 or vlan 2

icmp permit any inside

If you have a different scenario than the above plese let me know...

Another usefull command "packet-tracer" - it will tell you wether the packet i allowed or not and the reason for that:

packet-tracer input inside icmp "source_ip" 0 8 "destination_ip"

Hope this clarifies,

Traian

thanks for the arp tip,about

Majed Zouhairy — Thu, 23 Jul 2015 10:59:35 GMT

thanks for the arp tip,

about the

icmp permit any inside

i have 9 inside subinterfaces on different vlans. i did icmp permit any (all inside interfaces)

but still from nexus i can only ping the management vlan in the vrf management because it's on the same vlan and subnet.

where is the mistake?

Hi Majed, From ASA's

Rishabh Seth — Thu, 23 Jul 2015 11:27:08 GMT

Hi Majed,

From ASA's perspective, you have 9 different interfaces with different names(nameif).

So if you try to ping the IP address configured on one sub-interface from a device whose traffic hits the firewall on a different sub-interface, will be dropped by the firewall.

For better understanding of the issue please attach the output of show run interface , so that we can understand the configuration. Also let us know if you were able to capture traffic on the ASA (steps mentioned in my previous reply).

Thanks,

R.Seth

i would do what R.Seth

Traian Bratescu — Thu, 23 Jul 2015 11:32:29 GMT

i would do what R.Seth suggested - a capture to see wether there are any icmp packets reaching the ASA; maybe a traceroute from Nexus... just to ignore any routing issue...

i did a capture for the drop

Majed Zouhairy — Thu, 23 Jul 2015 13:37:57 GMT

i did a capture for the drop and for the interface, neither showed expected results. i then opened sdm and went to monitoring and put the nexus as source ip filter and sure enough it showed packets passed and dropped when ping was launched.

i can't traceroute from nexus perhaps because there is only a management vrf. even the management interface that i can ping can't be tracerouted.

Hi Majed, Now from your

Rishabh Seth — Thu, 23 Jul 2015 14:15:35 GMT

Hi Majed,

Now from your update I understand that you tried capturing traffic on ASA and you did not receive any packets. If this is the case then you should check if the routing is correct.

Also if possible share the interface config, packet tracer output and capture output.

Thanks,
R.Seth

here is the config of the

Majed Zouhairy — Fri, 24 Jul 2015 06:08:50 GMT

here is the config of the interfaces in question:

the management interface:

interface GigabitEthernet0/1.11
vlan 11
nameif Management_LAN
security-level 99
ip address 10.0.11.1 255.255.255.0

the new interface:

interface GigabitEthernet0/1.17
vlan 17
nameif skko_test
security-level 71
ip address 10.0.180.1 255.255.255.0

from nexus i ping:

ping 10.0.181.1 vrf management
PING 10.0.181.1 (10.0.181.1): 56 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out

ping 10.0.11.1 vrf management
PING 10.0.11.1 (10.0.11.1): 56 data bytes
64 bytes from 10.0.11.1: icmp_seq=0 ttl=254 time=3.809 ms
64 bytes from 10.0.11.1: icmp_seq=1 ttl=254 time=1.305 ms
64 bytes from 10.0.11.1: icmp_seq=2 ttl=254 time=1.972 ms
64 bytes from 10.0.11.1: icmp_seq=3 ttl=254 time=1.92 ms
64 bytes from 10.0.11.1: icmp_seq=4 ttl=254 time=1.931 ms

on asa:

cap test interface skko_test match icmp any any

sh cap test

0 packet captured

0 packet shown

the nexus is connected to a switch and then to asa. i added the new vlan to the trunks in both switches.

i rechecked the cap test:

sh cap test

1 packet captured

1: 08:55:53.186681 802.1Q vlan#17 P0 10.0.11.6 > 10.0.180.1: icmp: echo request
1 packet shown

put it's not the result of pings from the nexus as when i make new pings the packet capture does not increase although 10.0.11.6 is the nexus.

in packet tracer the packet is allowed.

Who is doing the routing for

Traian Bratescu — Fri, 24 Jul 2015 06:23:33 GMT

Who is doing the routing for Nexus (sh ip ro vrf management)? Can you also post a show route on ASA?

From what you posted, most likely the packets will first reach the Management_LAN and then traverse the ASA to the skko_test interface which would not be allowed - see previous posts.

Even if you would have a specific route for the Nexus to reach directly the skko_test interface route, most probably the return route would be through the Management_LAN which would break the URPf rule on ASA.

Traian

nexus# sh ip ro vrf

Majed Zouhairy — Fri, 24 Jul 2015 06:59:14 GMT

nexus#

sh ip ro vrf management
IP Route Table for VRF "management"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]

0.0.0.0/0, ubest/mbest: 1/0
    *via 10.0.11.1, [1/0], 3w6d, static
10.0.11.0/24, ubest/mbest: 1/0, attached
    *via 10.0.11.6, mgmt0, [0/0], 3w6d, direct
10.0.11.6/32, ubest/mbest: 1/0, attached
    *via 10.0.11.6, mgmt0, [0/0], 3w6d, local

on asa:

D EX 172.17.32.0 255.255.224.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 172.17.0.0 255.255.224.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 172.16.0.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
C    172.16.1.0 255.255.255.240 is directly connected, outside
D EX 172.18.2.192 255.255.255.192
           [170/3328] via 172.16.1.1, 602:28:50, outside
D EX 172.18.2.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 172.18.3.0 255.255.255.0 [170/3328] via 172.16.1.1, 602:28:50, outside
C    192.168.201.0 255.255.255.0 is directly connected, IP-Telefon
C    10.0.10.0 255.255.255.0 is directly connected, Admin
C    10.0.11.0 255.255.255.0 is directly connected, Management_LAN
D EX 10.0.12.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 10.96.99.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
C    10.0.0.0 255.255.255.0 is directly connected, FW-Servers

D    10.1.32.32 255.255.255.240 [90/3328] via 172.16.1.3, 602:28:53, outside
                                [90/3328] via 172.16.1.1, 602:28:53, outside
D    10.1.32.48 255.255.255.240 [90/3072] via 172.16.1.3, 602:28:53, outside
                                [90/3072] via 172.16.1.1, 602:28:53, outside
D    10.1.32.3 255.255.255.255 [90/130816] via 172.16.1.3, 602:28:53, outside

C    10.0.126.0 255.255.255.0 is directly connected, FW-KMC
D EX 10.16.99.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:53, outside
C    10.0.130.0 255.255.255.0 is directly connected, FW-Appl
C    10.0.128.0 255.255.255.0 is directly connected, FW-Face
C    10.0.132.0 255.255.255.0 is directly connected, FW-DB
C    10.0.180.0 255.255.255.0 is directly connected, skko_test
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.1.1, outside

i don't know what is urpf rule but sounds like it is broken?

Hi Majed, From the DATA

Rishabh Seth — Fri, 24 Jul 2015 07:07:22 GMT

Hi Majed,

From the DATA provided i think this is your setup:

[Nexus]------(Management_LAN)[ASA](skko_test)-----------------[10.0.181.1]

>> Now for this setup chcek the routing on ASA.
>> ACLs on ASA.
>> Output of command:
packet in Management_LAN icmp nexus_ip 8 0 10.0.181.1

Share some details about how the traffic is going to flow from ASA and what is the route that you have on ASA for 10.0.181.1

Thanks,

R.Seth

there is no command that

Majed Zouhairy — Fri, 24 Jul 2015 07:34:36 GMT

there is no command that starts with packet there is packet-tracer..

the acl is permit ip any any

the setup is as follows: vsphere nexus (vrf management) the cisco switch the the asa.

the servers in the 10.0.180.0/24 subnet are supposed to reach the asa and from there either to the outside or to other vlans.

Sorry for my previous post...

Traian Bratescu — Fri, 24 Jul 2015 07:34:43 GMT

Sorry for my previous post... I incorretly assumed that you were trying to ping the ASA's intrface Ip which doesn't seem to be the case...

uRPF is unicast reverse path forwarding which state that a packet is allowed only if there is a returning route (in ASA) through the interface that it came.

Please confirm that the setup is the one described above by R.Seth.

Traian

Hi Majed, Please attach the

Rishabh Seth — Mon, 27 Jul 2015 07:59:26 GMT

Hi Majed,

Please attach the output of packet tracer output, use below mentioned command.

ASA will auto complete all the keywords.

packet in Management_LAN icmp nexus_ip 8 0 10.0.181.1

Thanks,