02-02-2022 11:07 AM
So I have a few issues I've been slamming my head against and it might have to do with my topology, but I don't think so.
I am sitting behind R1, R2 and R3, and then there is the ASA at 10.10.129.4. I can reach anything on 10.10.129.0 that isn't using the ASA as its DG, so routing is intact. The ASA has internet access and can resolve by name, but that is not necessary as this is all in my core.
One is I cannot ping or traceroute my ASA, from behind R1 or even on the same subnet. I have read through forum after forum and referenced all of my other ASAs in the wild and can't figure out why this one is acting differently. I have ICMP inspect on, I've tried adding extended ACLs, changing TTL settings, etc., but cannot get it to respond.
Second is I cannot access anything behind the ASA. Again, we have several ASAs out there and this should not be an issue. Log viewer shows my session hitting the firewall but Deny TCP (no connection) on each attempt. It also shows my ICMP build inbound and teardown, but I am not getting a response. Below is my relevant config:
ASA Version 9.15(1)1
!
hostname fw001-den1
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 204.11.41.213 255.255.255.240
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.129.4 255.255.255.0
!
boot system disk0:/asdm-openjre-7161-150.bin
boot system disk0:/asa9-15-1-1-1fbff-k8.SPA
boot system disk0:/asa9-15-1-1-lfbff-k8.SPA
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 204.11.40.4 outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN-10.10.129.0
subnet 10.10.129.0 255.255.255.0
object network OBJ-NAT-ALL-Mgmt
subnet 0.0.0.0 0.0.0.0
object network BearCorp
host 204.11.43.114
object service vmware
service tcp source eq 5480 destination eq 5480
access-list global_access_1 extended permit ip object BearCorp any
access-list Mgmt_Internet_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit icmp any any echo-reply
access-list outside_access_in_1 extended permit icmp any any echo
access-list outside_access_in_1 extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Mgmt_Internet 1500
icmp unreachable rate-limit 50 burst-size 6
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-openjre-7161-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
nat (inside,outside) after-auto source dynamic LAN-10.10.129.0 interface
access-group outside_access_in_1 in interface outside
access-group inside_access_in in interface inside
access-group global_access_1 global
route outside 0.0.0.0 0.0.0.0 204.11.41.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
!
class-map inspect_default
match default-inspection-traffic
!
policy-map global_policy
class inspect_default
inspect snmp
inspect icmp
class class-default
set connection decrement-ttl
!
service-policy global_policy global
02-02-2022 06:52 PM
It's not clear why you have the global access-list applied.
It's also not clear what the topology is including all of the routers you mention.
If you try a packet-tracer on the icmp traffic in question what does the ASA tell you?
02-03-2022 01:09 AM
Would be good to see a network diagram.
So when you say that you are able to reach everything on the 10.10.129.0/24 network that is not using the ASA as the default gateway, I am assuming you are sitting on a network that is not part of the 10.10.129.0/24 subnet. Is this correct? If yes, then you have a routing problem on the ASA as you only have a default route which looks to be pointing to the internet
route outside 0.0.0.0 0.0.0.0 204.11.41.209 1
Meaning that the ASA doesn't know about any other networks in your local LAN.
If my assumption is not correct we would need more information about your setup, where you are testing from, and how R1, R2, and R3 are connected in relation to your ASA and test PC.
02-03-2022 07:37 AM - edited 02-03-2022 07:38 AM
I removed the global ACL, was just trying to get traffic from my subnet 192.168.75.0 to hit 10.10.129.0.
The route outside is getting the ASA to the core R3. Below is packet tracer and topology. I am on 192.168.75.0 and can ping anything on the 10.10.129.0 subnet using the 172.16.41.2 route except the ASA or hosts behind the ASA. Packet tracer shows the packet was allowed. Thank you so much for the help and input.
fw001-den1# packet-tracer input inside icmp 192.168.75.106 8 0 10.10.129.25

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.10.129.25 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspect_default
 match default-inspection-traffic
policy-map global_policy
 class inspect_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13044, packet dispatched to next module

Phase: 11
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.129.25 using egress ifc inside

Phase: 12
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.10.129.25 on interface inside
Adjacency :Active
MAC address 000c.29f2.d617 hits 0 reference 1

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
02-04-2022 01:16 AM
Are you hair-pinning the traffic on the ASA? Assuming that all routing is correct on the routers and / or switches, you are running into asynchronous routing which will be dropped by default.
packet-tracer input inside icmp 192.168.75.106 8 0 10.10.129.25
Result:
input-interface: inside <---
input-status: up
input-line-status: up
output-interface: inside <---
output-status: up
output-line-status: up
Action: allow
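The two replies above raise the same two questions: does the ASA have a route back to the test network other than its default route, and is the ICMP flow entering and leaving the same interface while the reply takes a different path? The following ASA CLI walk-through is an added example for checking both; it is not from any post in this thread. It reuses the hosts quoted above (192.168.75.106 and 10.10.129.25), and the inside next-hop 10.10.129.1 for the 192.168.75.0/24 route is an assumption: substitute whichever inside router actually reaches that network.

```cisco
! Added verification walk-through, not part of the original thread.
! Assumption: the inside-side router that reaches 192.168.75.0/24 is at
! 10.10.129.1 (hypothetical); replace it with the real next-hop.

! 1. What does the ASA know about 192.168.75.0/24? With only the default
!    route shown in the thread, the ASA forwards replies to that network
!    out "outside", not back toward the inside router the ping came from.
show route

! 2. If the return traffic should go back through the inside router, say so.
!    Otherwise one direction of the flow is inside->inside and the other
!    inside->outside, which is the asymmetric pattern that produces
!    "Deny TCP (no connection)" style logs.
route inside 192.168.75.0 255.255.255.0 10.10.129.1 1

! 3. Trace the forward packet (echo, type 8) and, separately, the reply
!    (echo-reply, type 0). The input/output interfaces of the two traces
!    must describe a single symmetric flow.
packet-tracer input inside icmp 192.168.75.106 8 0 10.10.129.25
packet-tracer input inside icmp 10.10.129.25 0 0 192.168.75.106

! 4. packet-tracer is a simulation; confirm real packets arrive and leave,
!    and capture anything the accelerated security path drops.
capture cap-in interface inside match icmp host 192.168.75.106 host 10.10.129.25
capture cap-drop type asp-drop all
show capture cap-in
show capture cap-drop

! 5. Ask the ASA why it dropped packets; the counter names (for example
!    "tcp-not-syn" or "no-route") identify the failing stage.
clear asp drop
show asp drop

! 6. Clean up when done.
no capture cap-in
no capture cap-drop
```

Run steps 3 to 5 while a ping from 192.168.75.106 is in progress, so that the capture and the drop counters reflect the live flow rather than an idle box. If the reply trace in step 3 selects "outside" as its egress interface, the ASA is still routing the return traffic via its default route and the route in step 2 (or an equivalent one) is what is missing.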