topic This command inside ASA ?in in Network Security

ASA firewall connectivity

mohammad saeed — Tue, 12 Mar 2019 06:13:29 GMT

Hi guys,

I have this scenario (GW------ASA-------Core) I can ping between ASA+GW and ASA+core but I can't ping between Core + GW!

What is the problem?

Thanks.

Hi Mohammad,Is your ASA

Ji-Won Park — Sat, 04 Jul 2015 19:35:41 GMT

Hi Mohammad,

Is your ASA routed-mode? Do you have proper routing on the ASA? Routing is not required for connected interfaces.

Hi Ji Won, I have default

mohammad saeed — Sat, 04 Jul 2015 19:48:43 GMT

Hi Ji Won,

I have default route to the GW and Static route to the core like this:

interface GigabitEthernet0/0

description " Connection to GW"

nameif outside
security-level 0
ip address 10.60.20.1 255.255.255.0
!
interface GigabitEthernet0/1

description " Connection to Core-1"
nameif inside
security-level 100
ip address 10.60.10.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 100
ip address 10.60.30.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
dns server-group DefaultDNS
name-server 84.235.6.55
name-server 84.235.57.230
domain-name Saudi.net.sa
same-security-traffic permit intra-interface
object network NAT
subnet 0.0.0.0 0.0.0.0
access-list PERMIT_ALL extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group PERMIT_ALL global
route outside 0.0.0.0 0.0.0.0 10.60.20.2 1
route inside 10.0.0.0 255.0.0.0 10.60.10.1 1

Any issue?

Thanks,

Mohammad

Does your GW has a route to

Ji-Won Park — Sat, 04 Jul 2015 20:00:45 GMT

Does your GW has a route to the network behind the ASA?

Yes GW has static route

mohammad saeed — Sat, 04 Jul 2015 20:05:05 GMT

Yes GW has static route routed to ASA. and default route to outside.

Your GW should have a route

Ji-Won Park — Sat, 04 Jul 2015 20:11:19 GMT

try this:

packet-tracer input inside icmp "core-ip" 8 0 "GW-ip"

show me the output.

You should also confirm if

Ji-Won Park — Sat, 04 Jul 2015 20:15:42 GMT

You should also confirm if Core has route to GW inside interface through ASA.

This command inside ASA ?in

mohammad saeed — Sat, 04 Jul 2015 20:22:40 GMT

This command inside ASA ?

in core I have default route to ASA!

Yes, packet-tracer is a

Ji-Won Park — Sat, 04 Jul 2015 20:25:40 GMT

Yes, packet-tracer is a feature in ASA you can simulate packets and it will tell you where it drops the packet.

Try the command and show me the output

ciscoasa(config)# packet

mohammad saeed — Sat, 04 Jul 2015 20:28:00 GMT

ciscoasa(config)# packet-tracer input inside icmp 10.60.10.1 8 0 10.60.20.2

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.60.20.0 255.255.255.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PERMIT_ALL global
access-list PERMIT_ALL extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.60.10.1/0 to 10.60.20.1/31551

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 373270, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa(c

Add this line and let me know

Ji-Won Park — Sat, 04 Jul 2015 20:46:46 GMT

Add this line and let me know:

access-list out_in extended permit icmp any any

access-group out_in in interface outside

also, show me your default class policy-map

show run policy-map

I added that access list and

mohammad saeed — Sat, 04 Jul 2015 20:51:44 GMT

I added that access list and no success!

!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect icmp
!
ciscoasa#

can you try to take out the

Ji-Won Park — Sat, 04 Jul 2015 20:52:57 GMT

can you try to take out the icmp ispection and try? What's the software version of your ASA?

Wow! Thanks, it works! after

mohammad saeed — Sun, 05 Jul 2015 03:36:54 GMT

Wow! Thanks, it works! after removed it !!! strange.

My ASA version 8.3(1)

Many thanks

It is strange. it should work

Ji-Won Park — Sun, 05 Jul 2015 10:22:11 GMT

It is strange. it should work even with default inspection. I just gave it a try as I ran into the similar issue where DNS was broken and I had to remove it from the inspection and it worked. It was a known bug in 9.1.1 code. You might want to open a case with TAC to verify the bug ID.