Can't ping or RDP ASA5505

JDMJeffy84
Level 1

Hi Guys,
I'm struggling with my ASA config; it's driving me nuts! Can you guys tell me what I'm missing? I'm new to ASAs.

I have VLAN 100 (inside) and VLAN 65 (outside).
I'm trying to configure RDP and ping traffic from VLAN 100 to VLAN 65, one way.

If I connect 2 PCs on E0/0 and E0/1 they can happily ping their own VLAN IP addresses, 192.168.100.3 and 172.16.65.1.
I've copied my config below; please help, Cisco gurus.

ASA Version 8.4(4)1
!
names
!
object-group network A_Network
 network-object 172.16.65.0 255.255.255.0
!
object-group network Internal
 network-object 192.168.78.0 255.255.254.0
 network-object 192.168.100.0 255.255.255.0
!
access-list inside_in remark ******
access-list inside_in remark Internal RDP to A_Network
access-list inside_in extended permit tcp any object-group A_Network eq 3389 log
access-list inside_in remark ******
access-list inside_in remark Internal PING to DEV Environment
access-list inside_in extended permit icmp any object-group A_Network
!
interface Ethernet0/0
 description inside interface
 switchport access vlan 100
!
interface Ethernet0/1
 description Vlan 65 A Network
 switchport access vlan 65
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan100
 description INSIDE interface
 nameif inside
 security-level 100
 ip address 192.168.100.3 255.255.255.0
!
interface Vlan665
 description A_Network
 nameif A_Network
 security-level 0
 ip address 172.16.65.1 255.255.255.128
!
route inside 0.0.0.0 0.0.0.0 192.168.100.3 1
ftp mode passive
no pager
mtu inside 1500
mtu A_Network 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxxxx encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily


JDMJeffy84
Level 1

No one knows?

Hello JDM,

Dude, is this a typo?

interface Vlan665

interface Ethernet0/1
 description Vlan 65 A Network
 switchport access vlan 65
!

Let me know,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hey Julio,
Yup, sorry, it should be Vlan 65.
Thanks

Hello,

Change it and let me know,

Also add the following command:

fixup protocol icmp

and let me know what happens.

Rate all the helpful posts; that is as important as a thanks.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

What does that command do?
I will give it a go and let you know, thanks.

Just a bit of background: when I try to ping or RDP from VLAN 100 to VLAN 65 I see nothing in the logging in ASDM. Could it be routing?

Many Thanks

Hello,

Did you already change the VLAN number?

fixup protocol icmp will start inspecting the ICMP protocol in a stateful way, so there is no need for an ACL to allow the returning traffic.

Please provide me the ICMP source and destination IPs.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, VLAN changed to 65, added fixup protocol icmp.

host 192.168.218.88 ping 172.16.65.100: PING: transmit failed. General failure.
host 192.168.218.88 ping 192.168.218.4: ping replies

host 172.16.65.100 ping 192.168.218.88: PING: transmit failed. General failure.

host 172.16.65.100 ping 172.16.65.1: ping replies

Again, in the logging I see no traffic hitting the firewall. I can see ICMP traffic if it hits the VLAN IP address on the ASA.

Many Thanks

Sorry, my bad, I do see messages at debugging level:

172.16.65.100 ping 192.168.218.4: teardown ICMP... etc.

172.16.65.100 ping 192.168.218.88: No translation group found for icmp src VLAN65:172.16.65.100 dst INSIDE:192.168.218.88 (type 8, code 0)

Hello JDM,

Please do the following:

access-list outside_in permit icmp any any

access-group outside_in in interface outside

packet-tracer input inside icmp 192.168.218.88 8 0 172.16.65.100

packet-tracer input outside icmp 172.16.65.100 8 0 192.168.218.88

Paste the whole output of each of them,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
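For readers landing on this thread later, here is an added ASA 8.4 configuration fragment. It was not posted by JDMJeffy84 or Julio; it collects the pieces the posted config is missing for one-way inside-to-A_Network ping and RDP, and the checks discussed in the replies: a VLAN interface whose number matches the switch port's access VLAN, the access-group that actually binds inside_in to the inside interface (the posted config defines the ACL but never applies it), and ICMP inspection, which is how fixup protocol icmp is stored on this release. Interface names, VLAN numbers, the object-groups and the ASA's own addresses are taken from the posted config; the host addresses 192.168.100.50 and 172.16.65.100 and the inside gateway 192.168.100.1 are assumed for illustration.

```text
! Added example, not part of the original thread. Addresses marked
! "assumed" are illustrative; everything else comes from the posted config.

! 1. The VLAN interface number must match the switch port's access VLAN
!    (Ethernet0/1 is in VLAN 65, but the L3 interface was Vlan665).
no interface Vlan665
interface Vlan65
 description A_Network
 nameif A_Network
 security-level 0
 ip address 172.16.65.1 255.255.255.128

! 2. An ACL does nothing until it is bound to an interface. The posted
!    config defines inside_in but has no access-group line for it.
access-group inside_in in interface inside

! 3. Stateful ICMP inspection: "fixup protocol icmp" on 8.4 is kept as
!    "inspect icmp" in the default policy. Echo replies are matched to the
!    outgoing echo requests, so no ACL on A_Network is needed for them.
policy-map global_policy
 class inspection_default
  inspect icmp

! 4. The posted default route points at 192.168.100.3, which is the ASA's
!    own inside address, so nothing off the connected VLANs can be reached.
!    A default route has to point at another router; 192.168.100.1 is an
!    assumed upstream gateway on the inside VLAN.
no route inside 0.0.0.0 0.0.0.0 192.168.100.3 1
route inside 0.0.0.0 0.0.0.0 192.168.100.1 1

! 5. Optional. ASA 8.3+ forwards between interfaces with no NAT rule at
!    all, so add this identity (twice) NAT only if packet-tracer still
!    stops in the NAT phase, e.g. because some other NAT rule catches
!    the traffic. Object-groups are from the posted config.
nat (inside,A_Network) source static Internal Internal destination static A_Network A_Network

! 6. Verify the forwarding decision in both directions (hosts assumed):
packet-tracer input inside icmp 192.168.100.50 8 0 172.16.65.100
packet-tracer input inside tcp 192.168.100.50 12345 172.16.65.100 3389
packet-tracer input A_Network icmp 172.16.65.100 8 0 192.168.100.50
show run access-group
show service-policy inspect icmp
```

Read the packet-tracer output phase by phase. On the inside-to-A_Network traces the ACCESS-LIST phase should name inside_in and the INSPECT phase should show icmp; the reverse trace from A_Network should be dropped by the implicit deny on that interface, which is the intended one-way behaviour. The echo replies for the inside host's pings are not covered by that reverse trace: they belong to the connection the inspection engine opened for the outgoing request, which is why no outside_in permit is needed for them.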