topic Hi, The main problem here are in Network Security

unable to ping outside interface of ASA

mudasir05 — Tue, 12 Mar 2019 04:55:59 GMT

Hello All,

I build a small GNS lab,all my internal devices are pinging well on the same subnet,however when i try to reach another subnet via ASA its giving me unreachable icmp mesg.

as per the attached topology iam unable to reach outside interface of ASA from R1.

Any help would be appreciated.

Hi, Which side of the ASA is

Jouni Forss — Wed, 15 Oct 2014 12:12:56 GMT

Hi,

Which side of the ASA is the "outside" ? Which ASA interfaces IP address are you trying to ping?

Notice that the users/device has to be behind the interface which it tries to ping to be able to get a reply. You can not ping the ASA interface IP address if you are doing the ping from behind a different ASA interface.

So in your case if for example the "outside" interface is the "e1" then you can not ping it from R1. Only from R5 as its behind that ASA interface.

If the device is behind the correct interface then by default the ASA should reply to the ICMP to my understanding. You can always add the command

icmp permit any outside

This would allow all ICMP on the interface. In an actual network environment the above command would probably not be ideal to use.

Also you should make sure that the ASA and all the Routers in between have the necesary routing information so that the ICMP can go through.

Hope this helps 🙂

PS. Did you manage the solve problems related to ASDM in your other post?

Thanks Jouni for the reply

mudasir05 — Wed, 15 Oct 2014 12:34:04 GMT

Thanks Jouni for the reply,

yes e1 is the outside interface of the ASA.

In my topology R1 is a user PC which is trying to reach the outside network i.e R5.

How can i allow R1 to reach R5 if as per you its not possible.

p.s well for the asdm issue i have to go to my other office....will definitely let u know

Thanks for ur help

Hi, Ok, if "e1" is the

Jouni Forss — Wed, 15 Oct 2014 12:53:21 GMT

Hi,

Ok, if "e1" is the "outside" then no device behind the "e0" interface will be able to ping the "outside" interface. The only limiting factor here is simply the thing I mentioned. The device/host doing the ping must be located behind the interface that its trying to ping.

To allow ICMP from R1 to R5 should not require much (if any) configurations on the ASA other than the normal interface settings.

Its hard for me to say that the problem might be if you cannot ICMP from the R1 to R5 without seeing the configurations. I would suggest checking routing first. Make sure that R1 has a route for the IP address on R5 that you are trying to ping. This might use default route unless your lab simply uses specific static routes. Similiarly you should check on R5 that it has the route towards the R1 address where the ping is coming from. Notice that the devices use the closest interface towards the destination IP address as the source for the ping so that is the address for which you should check routes in between and at the destination device.

After going through the routing then there is naturally the big question with the ASA configurations.

Does it use interface ACLs that could block the traffic? If no ACLs are in use on the ASA interfaces then the "security-level" determines which direction connections can be initiated. Users behind the interface with the higher "security-level" interface can connect to any destination behind any lower "security-level" interface. As I said, if ACLs are in use on the interfaces then the "security-level" does not matter but traffic has to be allowed in the interface ACL instead.

Is the ASA doing NAT between its interfaces as this could affect the possibility to connect between the Routers. If there is any Dynamic PAT configurations between the ASA interfaces then it means that connections can be initiated only from one end. (As Dynamic translations dont enable bidirectional connection initiation)

Do you have "inspect icmp" and "inspect icmp error" configured under the "policy-map" configurations?

You can use the following command to check if those are enabled

show run policy-map

If you can not see the "inspect icmp" configurations there you should add them there. Go to the right configuration mode (under which the existing "inspect" commands are located) and enter the commands.

Above are some things to check.

Hope I made any sense and hope it helps 🙂

- Jouni

Thanks for your help,In my

mudasir05 — Wed, 15 Oct 2014 13:42:53 GMT

Thanks for your help,

In my scenario R1 is a PC with no ip routing configured and iam considering R5 as the ISP router on which i have only assigned ip address on the interface facing towards the ASA,assuming iam not having no privelige on R5.What iam trying to achieve is how a user at R1 reaches the isp router.

I have static routing configured on every device.

Kindly find the ASA config below,

ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit icmp any host 10.10.10.2 echo
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255
access-group 101 in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.1.2 1
route outside 10.10.10.2 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:840e8d7a27f16c9094388b697a7894fb
: end

Let me know if you need any other device config.

Thanks

Hi, You seem to have the ICMP

Jouni Forss — Thu, 16 Oct 2014 07:06:03 GMT

Hi,

You seem to have the ICMP Inspection configured so thats fine.

I am not sure what this "route" configurations purpose is

route outside 10.10.10.2 255.255.255.255 192.168.1.1 1

You can remove this from the configuration

You seem to have configured a Static NAT for some internal host. Is this Static NAT for the R1?

static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255

This does a NAT for some internal IP address and uses a NAT IP address that belongs to the "outside" interface subnet. This should mean that atleast this internal host should be able to reach the ISP Router R5 IP address without needing any additional routing configurations on the ISP Router.

So is the IP address 192.168.2.10 the IP address of the R1? Or as you say the PCs.

- Jouni

Thanks Jouni for the reply

mudasir05 — Thu, 16 Oct 2014 08:13:55 GMT

Thanks Jouni for the reply,though ur every reply is correct I clicked the correct answer too early,anyways,

as per your suggestion I removed the route outside command.

you are right 192.168.2.10 is the ip address of R1 (pc) and the static nat purpose was to allow this host to reach the isp router i.e R5.

iam still not able to reach R5,

R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

Thanks

Hi, Seems to me to be a

Jouni Forss — Thu, 16 Oct 2014 08:20:56 GMT

Hi,

Seems to me to be a routing problem still. As I suggested before go through the all the devices and on each device make sure that there is always a route for the source address of the ping and the destination address of the ping.

Seems like you are missing a route somewhere. Make sure that there are no typos in the static routes for example.

- Jouni

plz find the routing table

mudasir05 — Thu, 16 Oct 2014 08:40:38 GMT

plz find the routing table of each device:

L3 switch:

===

L3switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

C 192.168.2.0/24 is directly connected, Vlan2
S* 0.0.0.0/0 [1/0] via 192.168.2.1

R4 Router:

===

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
S 10.10.10.0 [1/0] via 192.168.1.1
C 192.168.1.0/24 is directly connected, Ethernet1/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0

ASA:

====

ciscoasa# SH ROUte

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

C 10.10.10.0 255.255.255.252 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.2, inside

====

As i told u earlier that i have not done any sort of configuration on the ISP Router (R5),let me know if something needs to be done on that as well.

Thanks

Hi, ASA has the requires

Jouni Forss — Thu, 16 Oct 2014 08:51:47 GMT

Hi,

ASA has the required routes, even though the default route pointing to internal network is not typical but then again this is a lab network.

R4 connected to ASA seems to have the routes also and it has the subnet 192.168.2.0/24 directly connected.

Now my confusion is with the fact that the topology picture lists 2x L3 switches. Are we missing one L3 switches configuration? Is the missing device also missing the required routing information?

It seems to me that the R4 is already directly connected to the subnet 192.168.2.0/24 and therefore there should not be devices routing between R1 and R4. I mean that there should be a L2 link between R4 and R1 atleast with regards to the connection from R4 port FastEthernet0/0. On the switch it seems to be Vlan ID 2? So that should go all the way from the port connected to the R4 F0/0 to R2 port F1/0

- Jouni

EDIT: So many typos

yes ur right the other L3

mudasir05 — Thu, 16 Oct 2014 09:18:34 GMT

yes ur right the other L3 switch which u see in the topology has been used as an L2 switch only to bypass the Vlan information.

Your observation is right.

Now iam wondering since R1 is able to reach ASA but not beyond that so do we need to configure any static route which would allow 192.168.2.0/24 network to reach R5 on ASA.

Thanks

Hi, I just now noticed that

Jouni Forss — Thu, 16 Oct 2014 09:30:07 GMT

Hi,

I just now noticed that you tried to ping the IP address 10.10.10.2 from the R1. You are pinging the NAT IP address of the host where you are pinging from.

What is the IP address on the ISP R5? You should be pinging that IP address. Though considering that your subnet mask is /30 on the link between ASA and R5 there does not really seem to be many free IP addresses. Could you maybe reconfigure the network mask on ASA and R5 for their link?

- Jouni

yes 10.10.10.2 is the nat

mudasir05 — Thu, 16 Oct 2014 09:41:09 GMT

yes 10.10.10.2 is the nat address as well as the ip address of the R5 link connected to the ASA.

I reconfigured the subnet mask both on ASA and R5 and changed to /24.

iam still not able to ping:now i notice packet drops instead of unreachable icmp mesgg.

R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Hi, What I meant with the

Jouni Forss — Thu, 16 Oct 2014 09:47:42 GMT

Hi,

What I meant with the thing is that the pinging to the NAT IP address of the R1 makes no sense.

You said you were trying to ping the R5 so in that case the IP address 10.10.10.2 has nothing to do with R5 as its not configured there or atleast should not be since its configured on the ASA.

The IP address 10.10.10.2 is the IP address with which the R1 is visible to the ISP Router R5. So what is the IP address configured on the R5 that you should be pinging?

- Jouni

Now iam confued,10.10.10.2

mudasir05 — Thu, 16 Oct 2014 09:52:57 GMT

Now iam confued,

10.10.10.2 is the ip address configured on R5 and 10.10.10.1 is configured on outside interface of ASA.

Now iam not sure whether the static Nat command which i have configured is correct or not.

R5#sh ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.10.10.2 YES manual up up

======

ciscoasa# sh int ip bri
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.1 YES manual up up
Ethernet0/1 10.10.10.1 YES manual up up

iam trying to ping from R1 to ethernet0/0 of R5.

Thanks

Hi, The main problem here are

Jouni Forss — Thu, 16 Oct 2014 11:46:40 GMT

Hi,

The main problem here are these things

You have configured the subnet 10.10.10.0/30 between the ASA and the ISP R5. This means the subnet contains addresses between 10.10.10.0 - 10.10.10.3. Of these addresses 10.10.10.0 and 10.10.10.3 are not used as they are subnet and broadcast address. IP address 10.10.10.1 is configured on ASA interface and IP address 10.10.10.2 is configured on the ISP R5.

On the ASA you have configured the following Static NAT

static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255

This basically tells the ASA to translate the internal IP address 192.168.2.10 to external IP address 10.10.10.2. This does not make sense as IP address 10.10.10.2 is configured on the ISP R5. The IP address is used both on ASA and on ISP R5 and this naturally can not work.

I would therefore suggest that you change the subnet mask on the ASA and ISP R5 to /24 (255.255.255.0) and remove the existing Static NAT and replace it with this for example

static (inside,outside) 10.10.10.10 192.168.2.10 netmask 255.255.255.255

Then you could try to ping 10.10.10.2 from R1

- Jouni

Excellent I did the same and

mudasir05 — Thu, 16 Oct 2014 12:11:46 GMT

Excellent I did the same and it works,thanks for ur help.

R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/64 ms

========

Now plz let me know if i want R5 to reach R1(192.168.2.10) what I need to do on ASA....

Thanks

Hi, Well there is not much

Jouni Forss — Thu, 16 Oct 2014 12:17:11 GMT

Hi,

Well there is not much you have to do

You already have an ACL configured on the ASA that you can use to allow traffic from R5 to R1.

access-list 101 extended permit icmp any host 10.10.10.10 echo

The existing rule that you have for the destination IP address 10.10.10.2 is not needed.

Since you now should have this Static NAT configured

static (inside,outside) 10.10.10.10 192.168.2.10 netmask 255.255.255.255

It should mean that you can now reach R1 from R5 by pinging the IP address 10.10.10.10. (Unless something on the R1 blocks the traffic for some reason)

Hope this helps 🙂

- Jouni

Hi,Did u mean that i should

mudasir05 — Thu, 16 Oct 2014 12:27:25 GMT

Hi,

Did u mean that i should remove access-list 101 extended permit icmp any host 10.10.10.10 echo from ASA.

I did that but didn't worked,

since now iam able to ping 10.10.10.2 from R1,however i want to reach 192.168.2.10 from R5

Thanks

Hi, No, you could not have

Jouni Forss — Thu, 16 Oct 2014 12:30:37 GMT

Hi,

No, you could not have removed it since it was not configured. I meant you should add the ACL line mentioned. I simply meant that the ACL rule that you have there already is not needed as it has the wrong IP address in the rule.

I also mentioned that since you are NATing 192.168.2.10 to 10.10.10.10 towards ISP R5 that means you will have to ping the IP address 10.10.10.10 from ISP R5 if you want to ping R1 (as its visible to the R5 with that NAT IP address)

- Jouni