topic Re: ASA5520 ping interface in Network Security

ASA5520 ping interface

lydia.walther — Mon, 11 Mar 2019 14:24:50 GMT

Hi,

what is necessary to ping an interface of the ASA?

It is an interface (security-level 1) with a public ip address (a.b.c.d). We can't ping it from the internet and we also can't ping it from another inside network (other physical interface).

We tried "icmp permit host a.b.c.d interfacename".

We tried to create access rules for this interface: source and destination ANY, Servicee ICMP/ECHO/ECHO-REPLY.

We have no idea what the problem is.

Maybe someone can help us.

greetings

Re: ASA5520 ping interface

Collin Clark — Thu, 11 Dec 2008 17:44:16 GMT

AN ACL should suffice, here is a copy of mine.

access-list OUTSIDE_IN extended permit icmp any any echo-reply

access-list OUTSIDE_IN extended permit icmp any any source-quench

access-list OUTSIDE_IN extended permit icmp any any unreachable

access-list OUTSIDE_IN extended permit icmp any any time-exceeded

When you have this applied and you ping, what does the logs say?

Re: ASA5520 ping interface

Alan Huseyin Kayahan — Thu, 11 Dec 2008 18:04:53 GMT

Hello Lydia,

Best practise is adding inspection

policy-map global_policy

class inspection_default

inspect icmp

Regards

Re: ASA5520 ping interface

vvarakan — Thu, 11 Dec 2008 18:17:25 GMT

You cannot reach the remote interface if the traffic is sourced from a local segment.

Re: ASA5520 ping interface

lydia.walther — Fri, 12 Dec 2008 08:10:15 GMT

Hey,

it is what we have:

policy-map DEFAULT_POLICYMAP

class DEFAULT_CLASSMAP

â€¦

Inspect icmp

Inspect icmp error

Ok, I configured:

access-list OUTSIDE_IN extended permit icmp any any echo-reply

access-list OUTSIDE_IN extended permit icmp any any source-quench

access-list OUTSIDE_IN extended permit icmp any any unreachable

access-list OUTSIDE_IN extended permit icmp any any time-exceeded

but the ping says â€œtimeoutâ€. In the logging of the ASA I can see:

built inbound icmp connection; source my computer, destination the gateway of my computers subnet

then teardown icmp connection; source my computer, destination the gateway of my computers subnet

then teardown icmp connection; source my computer, destination the ip of the interface we want to ping

But there is no deny.

It is not the outside interface we want to ping. It is another one we want to use for vpn. Outside-Interface, VPN-Interface and Inside-Interface are 3 physical interfaces.

greetings Lydia

Re: ASA5520 ping interface

Alan Huseyin Kayahan — Fri, 12 Dec 2008 11:15:02 GMT

Lydia,

You can remove all access-lists, if you already have inspection in place. Make sure that this default_policymap is assigned global, not to an interface.

Second, as previously mentioned, pinging an interface from a subnet bound to another interface is not possible. The only excpetion to this is IPSec VPN Tunnels that remote end terminated at the outside interface can ping the inside interface IP IF! this interface is assigned Management interface role with the command "management-access inside"

Please describe us from which subnet connected to which interface you are trying to ping which interface. Posting the sanitized config would help, it may be a routing issue

Regards

Re: ASA5520 ping interface

lydia.walther — Fri, 12 Dec 2008 12:49:11 GMT

Hey,

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 10.76.221.249 255.255.255.248 standby 10.76.221.250

ospf cost 10

interface GigabitEthernet0/1.101 (-->it is Gateway)

vlan 101

nameif service

security-level 100

ip address 134.76.221.126 255.255.255.128 standby 134.76.221.125

ospf cost 10

interface GigabitEthernet0/2.106 (--> no Gateway, only one IP of the subnet)

vlan 106

nameif vpn

security-level 1

ip address 134.76.221.195 255.255.255.224

router ospf 1

router-id 12.12.12.12

network 10.76.221.248 255.255.255.248 area 10.76.216.0

network 134.76.221.0 255.255.255.128 area 10.76.216.0

area 10.76.216.0

log-adj-changes

class-map DEFAULT_CLASSMAP

description classmap fuer alles

match default-inspection-traffic

policy-map DEFAULT_POLICYMAP

class DEFAULT_CLASSMAP

inspect dns

inspect ftp

inspect h323 h225

inspect h323 ras

inspect http

inspect icmp

inspect icmp error

inspect netbios

inspect snmp

inspect sqlnet

inspect xdmcp

policy-map default_policymap

service-policy DEFAULT_POLICYMAP global

The private IP of our outside interface is an IP of a routing network. There is another router before our ASA making the connection to the internet. This router is also having the Gateway of the IP on interface 0/2.106.

My computer is in the subnet of interface 0/1.101. We want to ping the IP of the interface 0/2.106 and from the Internet because of VPN.

Re: ASA5520 ping interface

Alan Huseyin Kayahan — Fri, 12 Dec 2008 13:31:40 GMT

Lydia,

You can not ping the interface IP 134.76.221.195 from any host within 134.76.221.0/25 network and vice-versa. This is the default an non-changeable behaviour of ASA. Yet, being able to ping or being able to "connect" other interface's IP from a host connected to another interface is NOT! a necessity for any VPN operation. If you explain "We want to ping the IP of the interface 0/2.106 and from the Internet !because of VPN!" in details, then I will advise accordingly.

Re: ASA5520 ping interface

lydia.walther — Fri, 12 Dec 2008 13:52:55 GMT

Yes I know that it is not neccessary.

We wanted to test if the vpn-interface is reachable from the internet etc.

To test VPN we configured it for the outside interface. It worked! But like you see, it's a private IP.

So we configured another interface for VPN with 134.76.221.195.

And VPN is not working. The Cisco VPN Client says "it's not responding".

In both cases we tested the vpn connection from another network part (not saved via our ASA).

Re: ASA5520 ping interface

Alan Huseyin Kayahan — Fri, 12 Dec 2008 14:15:49 GMT

Now its much more clear, thanks for explaination.

When ASA is involved, this design is not applicable when ASA has to terminate the VPN itself.

The Applicable design would be creating a sub-interface in next-hop router for ASA, (that is the router facing ASA g0/0 in 10.76.221.248/29), assign that sub-interface an IP in 134.76.221.0/128 (or it can be the physical interface itself facing ASA), and assign ASA's g0/0 another IP in that same subnet, then configure OSPF accordingly.

Regards

Re: ASA5520 ping interface

lydia.walther — Fri, 12 Dec 2008 14:52:29 GMT

Hey,

thank you a lot for your time and your answers!

Well I think it is not the right solution for us. Our network is a little bit complicated 🙂

I think we have to read first some manuals again and think about it.

We have a new idea at the moment and I think we will test it next week.

Maybe we will write again here next week 🙂 then with a picture of the network.

Thank you very much.

Lydia