topic Thanks for the relpyI have in Network Security

ASA ping issue

isdollsm1 — Tue, 12 Mar 2019 04:06:06 GMT

I am having trouble pinging from one zone to another

Zone - Management can not ping Zone-Inside and visa versa. At first I was able to ping the managment pc but couldnt ping the inside pc. I have played around with the service policy and ACL but no luck. Any help would be apprectiated

hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif management
security-level 100
ip address 192.168.100.5 255.255.255.0
!
interface GigabitEthernet1
nameif INSIDE
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet2
nameif OUTSIDE
security-level 0
ip address 177.1.1.1 255.255.255.0
!
interface GigabitEthernet3
nameif DMZ
security-level 50
ip address 172.20.20.1 255.255.255.0
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Network
host 192.168.200.0
object network test
host 192.168.0.0
object network ASA-Gateway
host 177.1.1.2
object network Management-Gateway
host 177.1.1.1
object-group icmp-type SG-ICMP
icmp-object echo
icmp-object echo-reply
access-list LAN-WAN-FTP extended permit tcp any any eq ftp
access-list management_access_in extended permit tcp any 177.1.1.0 255.255.255.0 eq telnet
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
access-group management_access_in in interface management
route OUTSIDE 0.0.0.0 0.0.0.0 177.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.100.10 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map global-class
match any
!
!
policy-map global-policy
class global-class
inspect icmp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD CEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

You have applied the access

Marvin Rhoads — Sat, 19 Apr 2014 13:36:29 GMT

You have applied the access-list:

access-list management_access_in extended permit tcp any 177.1.1.0 255.255.255.0 eq telnet

...on your management interface. That will prohibit other traffic from being originated on hosts connected via that interface.

You can check the flow through the ASA for a given protocol source destination address etc using packet-tracer cli utility. It will highlight what step is failing in establishing the flow. See this link for reference.

I agree with Marvin's

jmeggers — Wed, 23 Apr 2014 17:24:55 GMT

I agree with Marvin's observation about your ACL. That's the most obvious thing to change because it affects the ASA's default behavior which is to allow traffic through the ASA if it's going out an interface with a lower security level, and let the stateful return traffic back in that interface. In fact, since your ACL is allowing Telnet through to go out the outside interface (which has the lowest security level), the default behavior (no ACL required) would already allow that, and the ACL you have in place is only necessary if your intent is to restrict Telnet to only the 177.1.1.0/24 subnet and no other addresses.

Regarding your change to the service policies, I would suggest that unless you have good reason to, removing the standard inspections is probably not a good idea. They are there by default for a reason. Adding ICMP to the list is fine, and something I've done frequently, but without good reason otherwise, I would add the other default protocols back in.

Hope you're well, Marvin!

John

Thanks for the relpyI have

isdollsm1 — Wed, 23 Apr 2014 18:23:19 GMT

Thanks for the relpy

I have added the ACL, I am able to ping the managment pc 192.168.100.10 from the 192.168.200.0 network but no the other way around. I have also added an ACL for that

ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list LAN-WAN-FTP; 1 elements; name hash: 0x91ef8aeb
access-list LAN-WAN-FTP line 1 extended permit tcp any any eq ftp (hitcnt=0) 0x194240d3
access-list management_access_in; 3 elements; name hash: 0x4814da18
access-list management_access_in line 1 extended permit tcp any 177.1.1.0 255.255.255.0 eq telnet (hitcnt=0) 0x22c167b0
access-list management_access_in line 2 extended permit tcp 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 eq echo (hitcnt=0) 0x9bdc8461
access-list management_access_in line 3 extended permit tcp 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 eq echo (hitcnt=0) 0x41a939ad

Even though I am able to ping that pc I dont see the number on the hit count changing

"ping" does not use tcp (or

Marvin Rhoads — Wed, 23 Apr 2014 18:38:48 GMT

"ping" does not use tcp (or run over ip) - it uses icmp (a protocol "parallel" to ip) - so your access-list entries for tcp with the echo service are incorrect.

And hi to John - doing OK thanks!