Unable to ping (or connect) across network through Router/ASA

Thomas McLean · ‎03-25-2014

Guys,

I've built a lab in gns3, one router and one ASA, the ASA has an inside, DMZ (with a small network behind it with just 1 server up and running at present) and an outside interface whilst the router has 3 interfaces on 3 subnets that connect a PC in each of the subnets using VMWare.

I have attached a screenshot of my topology so that you better understand what I have done and included the config files. https://www.dropbox.com/s/zjag2pt2dgper9p/topology.png

Basically, what I am trying to achieve is be able to connect through a pc in say the HR subnet through to the webserver in the DMZ, the webserver is LAMP, which is a pre-built VMWare appliance that runs webservices and it's mainly to just test.

I'm obviously missing out somethign simple as I can see it trying to connect through the ASDM log messages. I have changed the firewall rules to reflect this but still no avail.

I would appreciate some assistance if someone could spare 5 mins, I would really appreciate it.

Thanks

Thomas.

Mike Williams · ‎03-25-2014

Hi Thomas,

Your R1 config is incomplete, so I'm basing this entirely on the ASA config. I would remove the global_access ACL and change the inside_access_in ACL to permit ip any any. Also make sure that the webserver has a default gateway of 192.168.70.10.

Make sure that R1 has the necessary routes to get to 192.168.100.0/24 subnet.

Also keep in mind that I've seen strange behavior with the ASA in GNS3. It sometimes won't pass traffic like it's supposed to.

Regards,

Mike

Thomas McLean · ‎03-26-2014

Thanks for the reply Mike, I had put static routes from R1 pointing to the ASA and to the correct subnet...I will update the config later, but I am getting deny messages from the ASA basically saying it cannot see the route, as if it's trying to go out the outside interface...I believe it is something that I am doing wrong rather than GNS3.

I will try your suggestion tonight as I did notice last night that GNS3 wouldn't let me launch ASDM until the ASA was reloaded.

Thanks again,

Thomas.

Thomas McLean · ‎03-26-2014

Here is an update, I'm still confused to what I could be doing wrong:

I am chucking everything from the router over to the ASA with the static route below

R1#sh run | in ip route
ip route 0.0.0.0 0.0.0.0 192.168.100.1

Below is the interfaces on the ASA.

interface GigabitEthernet0
nameif outside
security-level 100
ip address 192.168.0.100 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.252
!
interface GigabitEthernet2
nameif DMZ
security-level 100
ip address 192.168.70.10 255.255.255.0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group global_access global

Static routes pointing over to the subnet via the DMZ gateway IP (I've also tried 192.168.70.1 with same issues)

route inside 192.168.10.0 255.255.255.0 192.168.70.10 1
route inside 192.168.20.0 255.255.255.0 192.168.70.10 1
route inside 192.168.30.0 255.255.255.0 192.168.70.10 1

I can ping the correct places directly from the ASA CLI without issues but when I try it from the ASDM on any interface it returns the dreaded ?????

ciscoasa# ping 192.168.70.128
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.70.128, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

R1#ping 192.168.70.128

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.70.128, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

And here is the pictures to ASDM, I have configured the ACL's in that way to prove that all interfaces allow EVERYTHING, I have also tried many other ACL methods but still no luck.

https://www.dropbox.com/s/feacsynralx68ok/ASAIssues.png

Thanks for all the help so far everyone but if anyone else can assist I would really appreciate it.

Thanks,

Thomas.