topic unable to ping from ASA 5505 in Network Security

unable to ping from ASA 5505

Rizwan — Tue, 12 Mar 2019 03:52:29 GMT

I have ASA 5505 configured with version 8.2 but unable to ping from ASA to 8.8.8.8 or any public ip. I have following topolgy.

Following is the logical diagram

192.168.100.1/24 192.168.100.2/24 192.168.3.1

Internet(ISP) ------------------->------------------ Router------------------------->(e0/0) ASA 5505 (8.2) eth0/4 ----- ---------- Host (192.168.3.22)

ciscoasa(config)# sh run

: Saved

ASA Version 8.2(4)

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.3.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.100.2 255.255.255.0

ftp mode passive

access-list inbound extended permit icmp any any echo-reply

access-list inbound extended permit icmp any any source-quench

access-list inbound extended permit icmp any any unreachable

access-list inbound extended permit icmp any any time-exceeded

access-list inbound extended permit icmp any any

access-list inbound extended permit ip any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list inside_access_out extended permit icmp any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.3.0 255.255.255.0

access-group inbound in interface outside

access-group inside_access_out out interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.3.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:9dcfcccad94b39cf10398c1f67248489

: end

unable to ping from ASA 5505

Marius Gunnerud — Sun, 02 Mar 2014 13:29:18 GMT

Hi Rizwan,

Did you down-grade the ASA from 8.2? As per your other discussion you said you were able to ping the internet from the ASA, but now you are unable? Have you cleared the arp cache on the router?

Could you please post the full running configuration of the router as well.

--
Please remember to rate and select a correct answer

unable to ping from ASA 5505

Rizwan — Sun, 02 Mar 2014 13:57:20 GMT

Hi,

Yep I have downgraded ASA to version 8.2 now everything is working fine after a reload

I am configuring IPSEC tunnel on it. Please let me know if I need reverse-route injection and NAT-traversal in it ?

unable to ping from ASA 5505

Rizwan — Sun, 02 Mar 2014 14:43:54 GMT

I want to pass all my traffic from tunnel. How is it possible ?

unable to ping from ASA 5505

Marius Gunnerud — Sun, 02 Mar 2014 15:01:14 GMT

Since you have a router in front of the ASA, and I presume it is performing NAT as well, then yes you need to enable NAT-T for the IPsec tunnel.

I want to pass all my traffic from tunnel. How is it possible ?

I am assuming this is a site to site tunnel, and I also assume you mean you want to send all traffic through the IPsec tunnel? This is possible by setting the destination address in the crypto ACL as "any".

access-list crypto_ACL extended permit ip 192.168.3.0 255.255.255.0 any

crypto map VPN_MAP 1 match address crypto_ACL

nat (inside) 0 access-list crypto_ACL

--
Please remember to rate and select a correct answer

unable to ping from ASA 5505

Rizwan — Sun, 02 Mar 2014 17:47:21 GMT

Using above mentioned configuration all inside traffic will pass through tunnel without NAT with outside interface.

Is my internet will work from otherside of the tunnel? Please also check route outside command . Please also review my configuration mentioned below.

Sh Running

iscoasa(config)# sh run

: Saved

ASA Version 8.2(4)

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

shutdown

interface Ethernet0/2

shutdown

interface Ethernet0/3

shutdown

interface Ethernet0/4

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 192.168.3.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.100.2 255.255.255.0

boot system disk0:/asa824-k8.bin

ftp mode passive

access-list inbound extended permit icmp any any echo-reply

access-list inbound extended permit icmp any any source-quench

access-list inbound extended permit icmp any any unreachable

access-list inbound extended permit icmp any any time-exceeded

access-list inbound extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list l2l-tunnel extended permit ip 192.168.3.0 255.255.255.0 any

access-list noNat extended permit ip 192.168.3.0 255.255.255.0 any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list noNat

nat (inside) 1 192.168.3.0 255.255.255.0

access-group inside_access_in in interface inside

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

route outside 0.0.0.0 0.0.0.0 109.104.00.00 1 (Peer Address)

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.3.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set WFSET esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map WFmap 20 match address l2l-tunnel

crypto map WFmap 20 set peer 109.104.85.115

crypto map WFmap 20 set transform-set WFSET

crypto map WFmap 20 set reverse-route

crypto map WFmap interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

crypto isakmp policy 110

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 109.104.*.*5 type ipsec-l2l

tunnel-group 109.104.*.*5 ipsec-attributes

pre-shared-key *****

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:74e0a1d562024734dfa18faac3e394a6

: end

unable to ping from ASA 5505

Marius Gunnerud — Sun, 02 Mar 2014 18:00:35 GMT

To get internet access you would need to configure hairpinning on the remote end.

as for the routing you do not need any additional routes configured other than your default route. Besides only one default route can be active on the ASA at any given time.

--
Please remember to rate and select a correct answer

unable to ping from ASA 5505

Rizwan — Sun, 02 Mar 2014 20:12:07 GMT

Can you please send me hairpinning configuration or any link contains information about it.

unable to ping from ASA 5505

Marius Gunnerud — Mon, 03 Mar 2014 08:28:49 GMT

The commands you would need to add are as follows:

same-security-traffic permit intra-interface

nat (outside) 1

You already have the global command in there so you don't need to add that.

--
Please remember to rate and select a correct answer

unable to ping from ASA 5505

Rizwan — Mon, 03 Mar 2014 11:47:53 GMT

Are these configuration are for my side firewall ?

Is there any configuration reqduired at remote end ?

unable to ping from ASA 5505

Marius Gunnerud — Mon, 03 Mar 2014 12:11:41 GMT

This would be on your ASA, the ASA where internet will be accessed.