ASA 5506x not forwarding traffic

tborkowski
Level 1

I have a very simple topology set up.  I have a PC directly connected to the ASA5506x on port 1/2.  The ASA connects to a switch with an SVI acting as the "outside".  From the PC I can ping the ASA inside interface.  From the switch I can ping the ASA outside interface.  The ASA can ping both devices.  But the PC cannot get out to the switch and vice versa.  I've configured NAT as well as allowed ICMP to be inspected.  Below are the details and configuration that I'm running.

 

PC- 172.25.1.5 255.255.255.0, GW 172.25.1.1

Switch- int vlan192 using 192.168.2.1

 

ASA configuration:

ASA Version 9.5(2)
!
hostname TestASA
domain-name test
enable password XejxZFfyt2wxqfff encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
nameif OUTSIDE
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet1/2
nameif INSIDE
security-level 100
ip address 172.25.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address

...............................

!
interface Management1/1
management-only
nameif management
security-level 0
ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name test
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host 192.168.2.1 any
pager lines 24
mtu management 1500
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 172.25.1.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

.....................................

telnet 172.25.1.0 255.255.255.0 INSIDE
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.1.0 255.255.255.0 INSIDE
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username tborkowski password 1RqpHZ5H.3/Vxqor encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e7bdcee8136833ed7d4594134105ef0
: end

 

TestASA# ping 172.25.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.25.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TestASA# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

C:\Users\Survey>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
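The following is an added example for this thread, not code from the original post or from Cisco: a small Python tracer that parses the forwarding-relevant lines of the OP's posted ASA config (embedded below as a trimmed, constructed copy) and walks the PC's echo request through the ASA the way the box evaluates it: ingress and egress interface, the inbound ACL if one is bound to the ingress interface and otherwise the security-level default, the dynamic PAT to the OUTSIDE address, and whether the echo-reply is matched statefully by `inspect icmp` or has to pass the OUTSIDE ACL. It assumes ASA 8.3+ semantics (interface ACLs match real, untranslated addresses; a packet with no matching NAT rule is forwarded untranslated) and models only `source dynamic ... interface` PAT and `any` / `host X` / `NET MASK` address fields. The ASA's own equivalent of this trace is `packet-tracer input INSIDE icmp 172.25.1.5 8 0 192.168.2.1`.

```python
import ipaddress
# Constructed input: only the lines of the OP's posted ASA config that decide forwarding.
ASA_CONFIG = """
interface GigabitEthernet1/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.2.2 255.255.255.0
interface GigabitEthernet1/2
 nameif INSIDE
 security-level 100
 ip address 172.25.1.1 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host 192.168.2.1 any
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.2.1 1
 inspect icmp
"""

def parse_asa(text):
    """Pull interfaces, object-groups, ACLs, NAT, routes and inspections out of ASA CLI text."""
    cfg = {"ifaces": {}, "groups": {}, "acl": {}, "access_group": {},
           "nat": [], "routes": [], "inspect": set()}
    cur = None
    for w in filter(None, (ln.split() for ln in text.splitlines())):
        if w[0] == "nameif":                  # interface sub-commands that follow belong to it
            cur = cfg["ifaces"].setdefault(w[1], {})
        elif w[0] == "object-group":
            cur = cfg["groups"].setdefault(w[2], set())
        elif w[0] == "security-level":
            cur["level"] = int(w[1])
        elif w[:2] == ["ip", "address"]:
            cur["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[0] == "protocol-object":
            cur.add(w[1])
        elif w[0] == "access-list":           # keep the "permit|deny PROTO SRC DST" tokens
            cfg["acl"].setdefault(w[1], []).append(w[3:])
        elif w[0] == "access-group":          # access-group NAME in interface IFC
            cfg["access_group"][w[4]] = w[1]
        elif w[0] == "nat":
            cfg["nat"].append(w)
        elif w[0] == "route":                 # route IFC NET MASK NEXTHOP [metric]
            cfg["routes"].append((w[1], ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False), w[4]))
        elif w[0] == "inspect":
            cfg["inspect"].add(w[1])
    return cfg

def _addr(tok, i, ip):
    """Match one ACE address field (any | host X | NET MASK); return (hit, index of next field)."""
    if tok[i] == "any":
        return True, i + 1
    if tok[i] == "host":
        return ip == ipaddress.ip_address(tok[i + 1]), i + 2
    return ip in ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def acl_permits(cfg, name, proto, src, dst):
    """First matching ACE wins; an ASA ACL ends with an implicit deny (so does an unbound name)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in cfg["acl"].get(name, []):
        protos, i = (cfg["groups"][e[2]], 3) if e[1] == "object-group" else ({e[1]}, 2)
        s_hit, i = _addr(e, i, src)
        d_hit, _ = _addr(e, i, dst)
        if protos & {proto, "ip"} and s_hit and d_hit:
            return e[0] == "permit"
    return False

def egress_for(cfg, dst):
    """Longest-prefix match over connected networks and static routes -> (nameif, next hop)."""
    dst = ipaddress.ip_address(dst)
    cands = [(i["ip"].network, n, "connected") for n, i in cfg["ifaces"].items()]
    cands += [(net, n, nh) for n, net, nh in cfg["routes"]]
    net, name, nh = max((c for c in cands if dst in c[0]), key=lambda c: c[0].prefixlen)
    return name, nh

def trace_icmp_echo(cfg, src, dst):
    """Walk an echo request src->dst the way the ASA does; returns (steps, allowed, translated src)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = next(n for n, i in cfg["ifaces"].items() if src in i["ip"].network)
    egress, nh = egress_for(cfg, dst)
    steps = [f"in {ingress}, out {egress} via {nh}"]
    acl = cfg["access_group"].get(ingress)    # an inbound ACL replaces the security-level default
    hi, lo = cfg["ifaces"][ingress]["level"], cfg["ifaces"][egress]["level"]
    ok = acl_permits(cfg, acl, "icmp", src, dst) if acl else hi > lo
    rule = f"ACL {acl}" if acl else f"security-level {hi}->{lo}"
    steps.append(f"request: {rule} {'permits' if ok else 'denies'} it")
    pat = [w for w in cfg["nat"] if w[1] == f"({ingress},{egress})" and "dynamic" in w and w[-1] == "interface"]
    xsrc = cfg["ifaces"][egress]["ip"].ip if pat else src   # only "source dynamic ... interface" PAT is modelled
    steps.append(f"nat: {src} -> {xsrc}" + (f", so the reply is addressed to the {egress} interface" if pat else ""))
    inspected = "icmp" in cfg["inspect"]        # without inspect icmp the reply is checked statelessly
    reply_ok = inspected or acl_permits(cfg, cfg["access_group"].get(egress), "icmp", dst, src)
    steps.append("reply: " + ("matched to the connection by inspect icmp" if inspected
                              else f"stateless, {egress} ACL {'permits' if reply_ok else 'drops'} it"))
    return steps, ok and reply_ok, xsrc

if __name__ == "__main__":
    steps, allowed, _ = trace_icmp_echo(parse_asa(ASA_CONFIG), "172.25.1.5", "192.168.2.1")
    print("\n".join(steps))
    print("verdict:", "ALLOW" if allowed else "DROP")
```

Two things the trace makes visible that the thread only hints at. First, because the PAT rewrites the PC's source to 192.168.2.2, the switch's echo-reply is addressed to an on-link host, so the 3550 needs neither a default gateway nor a route for the PC's ping to succeed; the route check suggested later in the thread matters for traffic the switch itself initiates towards 172.25.1.0/24. Second, `inspect icmp` is what lets the reply back in without an ACL lookup; rerun the tracer with the `inspect icmp` line deleted and the reply is accepted only because `OUTSIDE_access_in` happens to permit host 192.168.2.1 to any, while a ping to any other outside host is dropped on the return path. Beyond the forwarding question, two management-plane lines in the posted config are worth changing once the lab works: `telnet 172.25.1.0 255.255.255.0 INSIDE` accepts cleartext logins, and `ssh key-exchange group dh-group1-sha1` pins SSH to 1024-bit Diffie-Hellman with SHA-1, which current OpenSSH clients refuse by default; `ssh key-exchange group dh-group14-sha1` is available on this release.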

Accepted Solution

Francesco Molino
VIP Alumni

Hi

 

The config looks correct.

Can you share the config on your switch (port facing ASA) and your SVI?

 

Can you run debug ip icmp on the switch, ping from your PC, and share the output?

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


5 Replies


In addition to what Francesco asks I would suggest that you check the switch and verify if it has a route to reach the ASA inside subnet. If the switch is a layer 2 switch then it would probably be configuration of a default-gateway. If the switch is operating as a layer 3 switch then it would probably be configuration of a default route (though it might also be a route for the IP subnet or a host specific route).

 

HTH

Rick

Thank you for your help.  I checked the configs and rebooted everything.  For whatever reason it seems to be working now. Problem I think was an IP conflict on my home network on my WLC.  Just need to modify the inbound access rules to allow the switch to initiate ICMP.

 

 

3550#sho run int vlan192
Building configuration...

Current configuration : 63 bytes
!
interface Vlan192
ip address 192.168.2.1 255.255.255.0
end

3550#sho run int fa0/15
Building configuration...

Current configuration : 86 bytes
!
interface FastEthernet0/15
switchport access vlan 192
switchport mode access
end

 

3550#sho ip route
Default gateway is 192.168.2.2

 


ICMP packet debugging is on
3550#
*Mar 1 11:54:47.881: ICMP: echo reply sent, src 192.168.2.1, dst 192.168.2.2
*Mar 1 11:54:48.893: ICMP: echo reply sent, src 192.168.2.1, dst 192.168.2.2
*Mar 1 11:54:49.913: ICMP: echo reply sent, src 192.168.2.1, dst 192.168.2.2
*Mar 1 11:54:50.941: ICMP: echo reply sent, src 192.168.2.1, dst 192.168.2.2
3550#

Thanks for the additional information. It is good to see that the vlan interface appears to be correctly configured and that a default gateway has been configured. Glad to know that after a reboot that it seems to be working now.

 

HTH

Rick

Happy that a reboot solved your issue!

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question