11-14-2010 04:41 PM - edited 03-11-2019 12:09 PM
Scenario:
R1 ---->>> (inside interface e0/0 sec-level 100) ASA 8.02 (outside interface e0/1 sec-level 0 ) <<<---- R2
All are directly connected. No switch between them.
ASA Configuration:
ASA1(config)# sh run access-list
access-list ICMP_OUT extended permit icmp any any
ASA1(config)# sh run access-group
access-group ICMP_OUT in interface inside
access-group ICMP_OUT out interface inside
access-group ICMP_OUT in interface outside
access-group ICMP_OUT out interface outside
!
interface Ethernet0/0
description ASA->R1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
description ASA->R2
nameif outside
security-level 0
ip address 20.1.1.1 255.255.255.0
!
Debug Messages When I try to Ping from R1 to R2
R1:
R1#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
....
*Mar 1 00:40:59.795: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2
*Mar 1 00:40:59.799: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2.
Success rate is 0 percent (0/5)
R1#
*Mar 1 00:41:02.315: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2
*Mar 1 00:41:02.367: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2
*Mar 1 00:41:02.719: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2
ASA1:
ASA1(config)# ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=0 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=1 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=0 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=1 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=2 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=3 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=2 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=3 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=4 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=4 len=72
R2:
R2#
*Mar 1 00:39:56.403: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
*Mar 1 00:39:56.407: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
R2#
*Mar 1 00:40:00.415: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
*Mar 1 00:40:00.419: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
R2#
*Mar 1 00:40:03.031: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
R2#
From the above debugs we can see that R2 has sent the reply, the ASA is permitting the reply, and R1 is receiving the reply.
But R1 shows success as 0%.
Also note that my IOS is perfect and this problem occurs only when I introduce the ASA in between.
Could someone help me out?
11-14-2010 04:47 PM
Please enable ICMP inspection on the global policy-map and test again.
11-14-2010 05:03 PM
While enabling ICMP inspection can be considered...
But from a quick look at the debug messages, the following can be concluded:
R1: Is getting the Ping responses.
ASA : Is receiving the request from R1 to R2 and sending the responses back to R1
R2: Is sending back the ping responses.
The problem is that R1 is showing 0% success despite having received all the responses back.
This is my thought. Please correct me if I am wrong.
I would like to add that the following pings are successful.
R1 -> ASA Inside Interface
R2 -> ASA Outside Interface
ASA -> R1 and ASA -> R2
Message was edited by: karthikeyan M
11-14-2010 05:10 PM
Actually, yes, you are right.
Just having a look at the debug again, and R1 actually did receive the Echo Reply, but is not showing it as a successful ping.
I am assuming that you don't have an ACL applied to the R1 interface, right?
If R1 actually receives the reply, it doesn't seem to be an issue with the ASA even though it worked before without the ASA.
11-14-2010 06:45 PM
No Access-lists at R1's interface
11-14-2010 06:56 PM
Can you try with a different host, i.e. maybe with a PC directly connected to the ASA inside interface, and see if ping works?
Might also try to reload the router. Don't see a reason why it won't show successful ping even though it receives the reply.
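The thread's conclusion that the ASA passes every reply was reached by reading its debug lines by eye. The following Python script is an added example, not part of the original thread: it pairs echo requests with replies by address, ID and seq for ASA ICMP debug lines in the format shown in the opening post. The function name pair_echoes and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches ASA ICMP debug lines in the format quoted in the opening post.
LINE_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?P<sif>\w+):(?P<sip>[\d.]+) "
    r"to (?P<dif>\w+):(?P<dip>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+) len=(?P<len>\d+)"
)

def pair_echoes(trace):
    """Return (matched, unanswered, unsolicited) lists of (src, dst, id, seq)."""
    pending = defaultdict(int)  # request key -> requests still awaiting a reply
    matched, unsolicited = [], []
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # CLI prompts and unrelated output
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["sip"], m["dip"], ident, seq)] += 1
        else:
            # A reply belongs to the request with source and destination swapped.
            key = (m["dip"], m["sip"], ident, seq)
            if pending[key] > 0:
                pending[key] -= 1
                matched.append(key)
            else:
                unsolicited.append(key)
    unanswered = [k for k, n in pending.items() for _ in range(n)]
    return matched, unanswered, unsolicited

# The first four lines are copied from the thread. The last two are
# constructed: one request that never gets a reply, one reply with no request.
SAMPLE = """\
ASA1(config)# ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=0 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=1 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=0 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=1 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=5 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=9 seq=0 len=72
"""

if __name__ == "__main__":
    matched, unanswered, unsolicited = pair_echoes(SAMPLE)
    print("matched:", matched)
    print("unanswered:", unanswered)
    print("unsolicited:", unsolicited)
```

An empty unanswered list means the firewall saw a reply for every request it forwarded, which is what the trace in the opening post shows for seq 0 through 4.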