can't ping ASA 5510 from other subnet

Azaleos12 · ‎12-10-2012

Background: I have a couple of ASA 5510's I'm going to put in our lab environment. I have restored them to default config and set up the m0/0 interface with an ip/mask and started the http server. My lab environment is on the 10.45 subnet and my .com corporate environment is on the 10.40 subnet. I've also setup DNS and, from the ASA, can ping anything in the 10.45 subnet.

The problem, is that from the ASA, I can not ping the internet or my 10.40 subnet. And vice versa, I cannot ping the ASA from my 10.40 subnet. When I bring up a regular server, there is no special configuration I need to do as those subnets talk to each other and nothing is restricted.

Is there something special I need to do go get it to work? I tried adding a access list to allow icmp, but that didn't seem to work.

Oh, and I'm getting to the ASA by RDPing into a lab server (on 10.45) then putty to the ASA.

Any thoughts or suggestions are appreciated.

Thanks

necxzcisco · ‎12-10-2012

Can you post your config ?

Azaleos12 · ‎12-11-2012

Sure thing...oh and how do I remove the extra http lines?

LAB-ASA2(config)# show config
: Saved
: Written by enable_15 at 20:57:08.953 UTC Mon Dec 10 2012
!
ASA Version 8.0(3)
!
hostname LAB-ASA2
domain-name azdev.local
enable password Oa3q1NIIlGy4tuwv encrypted
names
dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
<--- More --->

no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Mgmt Interface 10.45.100.31
nameif MGMT
security-level 100
ip address 10.45.100.31 255.255.0.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
boot system disk0:/asdm506.bin
boot system disk0:/clear
boot system disk0:/
boot config disk0:/disk0
ftp mode passive
dns domain-lookup MGMT
<--- More --->

dns server-group DefaultDNS
name-server 10.45.20.2
name-server 10.45.20.5
domain-name azdev.local
access-list ICMP_ALLOW extended permit icmp any host 10.0.0.0 echo-reply
pager lines 24
mtu MGMT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 MGMT
http 10.0.0.0 255.0.0.0 MGMT
http 10.45.0.0 255.255.0.0 MGMT
http redirect MGMT 80
no snmp-server location
<--- More --->

no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 MGMT
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:32f61c055ddfac405650599400069515

LAB-ASA2(config)#

Jouni Forss · ‎12-11-2012

Hi,

I cant see any of the usual interface configured. Only the management?

There is also no route through the management interface for networks belonging to range 10.40.x.x/yy

The management interfaces network range also doesnt include networks 10.40.x.x/yy

EDIT: You can remove the "http" configuration lines with command "no" and the configuration line you want to remove.

- Jouni

Azaleos12 · ‎12-11-2012

Correct, I only reset it to default and am only getting the mgmt interface up.

How do I make the route and other correction?

Thanks

Jouni Forss · ‎12-11-2012

Hi,

Basic configuration format for routes is

route

Where

interface nameif = Interface name configured with the "nameif"
network address = Network address of the remote network you are making route for
network mask = Network mask of the remote network you are making route for
gateway address = The next hop IP address behind which the network is found
- Since the network in question isnt connected directly to the ASA there must be some router (gateway) behind which the network is found.

- Jouni

Azaleos12 · ‎12-11-2012

I think it worked, but I'm unable to check right now since I am remote. I could test if I also enable ipv6 to run in conjunction with 4v. Any advice on how to get that setup?

Thanks

Jouni Forss · ‎12-11-2012

Hi,

Sorry, still not that familiar with ipv6