configure ASA 5515-X with IPS SW module: can't ping from one network to another

Hi, I'm new to ASA configurations. I have started configuring an ASA 5515-X for a new office and need help. I have created some VLANs and connected them to inside (Gi0/1) sub-interfaces of the ASA. Gi0/0 is configured as the outside interface. I am waiting for an internet connection with 8 public IPs and need to configure NAT through the outside interface later. Now the issue is that I can't ping from one network to another. For example, from my VLAN 6 (192.168.6.0/24) network I'm not able to ping any other network interface (WAN 10.5.15.2, VLAN 2 192.168.2.1, etc.). Kindly review my configuration and please help. Also I'm not able to ping the IPS module (192.168.1.2/24) and not able to connect to the IPS from ASDM. ASA 8.6, ASDM 6.6.

Thanks in advance

Result of the command: "SHOW RUN"

: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
domain-name DSS.LOCAL
enable password jZjFpOz8nMbbxEdE encrypted
passwd jZjFpOz8nMbbxEdE encrypted
names
!
interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address 10.5.15.2 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif DESKTOPS
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 vlan 3
 nameif PHONES
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/1.4
 vlan 4
 nameif PRINTERS
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/1.5
 vlan 5
 nameif WIFI
 security-level 50
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet0/1.6
 vlan 6
 nameif SERVERS
 security-level 100
 ip address 192.168.6.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name DSS.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu WAN 1500
mtu DESKTOPS 1500
mtu PHONES 1500
mtu PRINTERS 1500
mtu WIFI 1500
mtu SERVERS 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route WAN 0.0.0.0 0.0.0.0 10.5.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ca6721b38eb6d657b9a91345b165050f
: end


Accepted Solution

prateeve
Level 1

Hi Muhammad,

First of all, you cannot ping the far-end interface IP from behind an interface. For example, if you are behind inside then you could only ping the inside interface IP of the firewall, but would not be able to ping the other interface IPs of the firewall. You would, however, be able to ping the networks behind the other interfaces; for that please configure the following command:

fixup protocol icmp

Secondly, for connecting the IPS in the network you could follow these steps:

  1.  Point the gateway of the IPS to a Layer 3 interface in the network other than the ASA management nameif IP. This device must support routing between both subnets; for example, 192.0.2.2/24,192.0.2.254. (192.0.2.2 is the IPS IP and 192.0.2.254 is the IP of the VLAN on the switch.)
  2.  Create a static route on the inside interface of the ASA to point the traffic to the Layer 3 interface IP address; for example, route inside 192.0.2.2 255.255.255.255 192.51.100.254.
  3.  Make sure all ACL and NAT rules apply to the IP address of the IPS management.

In this configuration, the IPS sends requests for Global Correlation updates, license requests, and IPS signature updates to the default gateway (192.0.2.254) and is translated to the outside address. Return traffic is routed back using the inside route and is forwarded to the Layer 3 device that houses an interface in the inside and management networks.

Also please let me know the version of IPS and Java which you are using.

Hope it will help.

- Prateek Verma
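The accepted answer turns on three things you can read straight out of "show run": whether ICMP is inspected (so echo replies are allowed back through), whether equal-security interfaces may forward to each other, and whether an IPS sitting on the management-only subnet has a host route via a data interface. The following is an added example, not code from the thread or from Cisco, that audits a config excerpt for those three points; it assumes that "fixup protocol icmp" appears as "inspect icmp" in the policy-map, and the embedded config is a constructed excerpt modelled on the one posted above.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the "show run" posted in this thread.
SAMPLE_RUN = """\
interface GigabitEthernet0/1.6
 nameif SERVERS
 security-level 100
 ip address 192.168.6.1 255.255.255.0
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
same-security-traffic permit inter-interface
policy-map global_policy
 class inspection_default
  inspect ftp
"""

def parse_interfaces(run):
    """Map nameif -> (security level, connected subnet) for every named interface."""
    out = {}
    for block in re.split(r"^interface ", run, flags=re.M)[1:]:
        name = re.search(r"^ nameif (\S+)", block, re.M)
        lvl = re.search(r"^ security-level (\d+)", block, re.M)
        ip = re.search(r"^ ip address (\S+) (\S+)", block, re.M)
        if name and lvl and ip:
            net = ip_network(f"{ip.group(1)}/{ip.group(2)}", strict=False)
            out[name.group(1)] = (int(lvl.group(1)), net)
    return out

def audit(run, ips_mgmt_ip):
    """Flag the three gaps this thread turns on; returns a list of finding strings."""
    findings, ifaces = [], parse_interfaces(run)
    # Assumption: 'fixup protocol icmp' shows up as 'inspect icmp' in the policy-map.
    if not re.search(r"^\s+inspect icmp\b", run, re.M):
        findings.append("no ICMP inspection: echo replies crossing the ASA are dropped")
    levels = [lvl for lvl, _ in ifaces.values()]
    if len(set(levels)) < len(levels) and not re.search(
            r"^same-security-traffic permit inter-interface", run, re.M):
        findings.append("equal-security interfaces without inter-interface permit")
    # An IPS on the management-only subnet needs a /32 route via a data interface.
    on_mgmt = any(n == "management" and ip_address(ips_mgmt_ip) in net
                  for n, (_, net) in ifaces.items())
    host_route = re.search(
        rf"^route (?!management)\S+ {re.escape(ips_mgmt_ip)} 255\.255\.255\.255 \S+", run, re.M)
    if on_mgmt and not host_route:
        findings.append(f"no host route for IPS {ips_mgmt_ip} via a data interface")
    return findings
```

Run audit(SAMPLE_RUN, "192.168.1.2") against the excerpt and it reports the missing ICMP inspection and the missing IPS host route; add "inspect icmp" and a "route SERVERS 192.168.1.2 255.255.255.255 <gateway>" line and both findings clear.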

5 Replies


I have a similar problem. I can ping from the IPS, the L3 gateway (VLAN on switch) and all other networks. However, I cannot ping the IPS IP from any other device.

So my configuration is as follows:

int g0/0
 nameif inside
 security-level 100
 ip add 10.10.10.10 255.255.255.0
!
int g0/1
 nameif outside
 security-level 0
 ip add 77.77.77.77 255.255.255.240
!
int man0/0
 nameif management
 security-level 0
 ip add 10.10.80.10 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 77.77.77.76
route inside 10.0.0.0 255.0.0.0 10.10.10.1
route inside 10.10.80.11 255.255.255.255 10.10.80.1 (tried with the IP for both the management port VLAN and the inside VLAN)

------

IPS:

host-ip 10.10.80.11/24,10.10.80.1

--------

Switch:

int vlan 1
 ip add 10.10.10.1/24
!
int vlan 80
 ip add 10.10.80.1/24
!
interface g1/0/1
 desc asa inside
 switchport mode access
!
interface g1/0/2
 des asa management
 switchport mode access
 sw access vlan 80

Hi,

Check the ACL record on your IPS module:

1) run setup

2) enter the IP of the management interface and the gateway (I chose my computer's IP)

3) enter an ACL for the same subnet as the management interface

Example:

sensor# setup

Enter host name[myips]:
Enter IP interface[10.10.10.222/24,10.10.10.1]:
Modify current access list?[no]: yes (IMPORTANT!)
Current access list entries:
  No entries
Permit: 10.10.10.0/24

 ............. (next steps of the setup menu omitted) ................

At the end don't forget to save the configuration, and you can ping your IPS and get access through the web!

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]: 2
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.

--- Configuration Saved ---

Complete the advanced setup using CLI or IDM.
To use IDM,point your web browser at https://<sensor-ip-address>.

Good Luck!

Regards, Ayaz

Farhan Mohamed
Cisco Employee

Check the ACL record on your IPS module:

1) run setup

2) enter the IP of the management interface and the gateway (I chose my computer's IP)

3) enter an ACL for the same subnet as the management interface

Example:

sensor# setup

Enter host name[myips]:
Enter IP interface[10.10.10.222/24,10.10.10.1]:
Modify current access list?[no]: yes (IMPORTANT!)
Current access list entries:
  No entries
Permit: 10.10.10.0/24

Nice try to copy my reply from down, Farhan. Use your own mind and don't plagiarize!!!