ASA 5510 cannot ping via route inside

William Benson
Level 1

Hey Folks,

I would appreciate any feedback I can get on this.  I recently added a business cable modem to help relieve some of the congestion I was getting on my T1 for our MPLS network.  There was an ASA 5510 collecting dust in a closet here and I thought it would be the perfect device for firewalling the traffic coming in from the cable modem, and handling the routing of our internal MPLS traffic as well.  Internet setup was cake.  The test laptop I have using the ASA as its gateway has great internet service but it cannot ping across either of our MPLS networks.  I have one MPLS with AT&T and one MPLS with EarthLink.  My hope was to use the cable modem as the default route for all unspecified internet traffic and route our internal MPLS traffic to the Cisco 2800 routers that are currently in place for the MPLS.  I can ping across the MPLS when I telnet to the ASA, but I cannot ping across the MPLS from the client that is connected to the ASA.

Here's the topology I'm working with

Internet
    |
Cable Modem
    |
ASA 5510 10.52.120.23
    |
LAN 10.52.120.0/24
    |
Cisco 2800 10.52.120.1
    |
MPLS Cloud
    |
Cisco 2800 10.52.121.3 (remote gateway)

If I ping from the client here is what I get:

C:\>ping 10.52.121.3

Pinging 10.52.121.3 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.52.121.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

When I ping from the ASA this is what I get:

ciscoasa# ping
Interface: inside
Target IP address: 10.52.121.3
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Sending 5, 100-byte ICMP Echos to 10.52.121.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 240/254/280 ms

My first thought was that the ASA could be NAT'ing traffic from the client on the inside interface, routing to a router on the inside interface, but when I tried to set up a NAT exemption for inside-to-inside traffic the ASA errored and told me that was not allowed. So I can only assume the ASA is smart enough to know not to NAT traffic coming in and out on the same interface. I've googled my heart out but I cannot find out what I've done wrong. The solutions I've read lead me to believe my configuration is fine, but obviously there is something I'm missing here. I would appreciate any advice or kicks in the right direction. Here's the config I'm working with at the moment.  The 10.52.120.56 gateway is for the second MPLS network we connect to.  If I can determine why I cannot ping 10.52.121.3 the same fix should apply for the networks connected behind the 10.52.120.56 gateway.

interface Ethernet0/0
nameif inside
security-level 100
ip address 10.52.120.23 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.1.10.3 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
enable password xxxxx encrypted
passwd xxxxx encrypted
hostname ciscoasa
domain-name default.domain.invalid
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
monitor-interface management
monitor-interface inside
monitor-interface outside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.52.120.0 255.255.255.0
route inside 10.52.121.0 255.255.255.0 10.52.120.1 1
route inside 10.52.127.0 255.255.255.0 10.52.120.1 1
route inside 10.52.126.0 255.255.255.0 10.52.120.56 1
route inside 10.52.125.0 255.255.255.0 10.52.120.56 1
route inside 10.52.124.0 255.255.255.0 10.52.120.56 1
route inside 10.52.123.0 255.255.255.0 10.52.120.56 1
route inside 10.52.122.0 255.255.255.0 10.52.120.1 1
route inside 172.16.0.0 255.240.0.0 10.52.120.1 1
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username wbenson password xxxxx encrypted privilege 15
aaa authentication telnet console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 management
http 10.52.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 10.52.120.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
management-access inside
Cryptochecksum:fc159f3714d20305335f0db434c67de8
: end

8 Replies

lordbigsack
Level 1

Hi, take a look at intra-interface config

The following example shows how to enable traffic to enter and exit the same interface:

hostname(config)# same-security-traffic permit intra-interface


taken from here

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s1.html

jocamare
Level 4

There's a little thing called Hairpinning aka U-turn.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

static (inside,inside) 10.52.121.3 10.52.121.3

global (inside) 1* interface              *Assume you are using number one

same-security-traffic permit intra-interface

William Benson
Level 1

I tried enabling just the intra-interface for same-security-traffic and I also tried setting up the inside NAT.  Neither of these solutions appear to have worked.  I still cannot ping across my MPLS.  I also set up a second static NAT for a remote server so I could try a remote desktop connection in case it was something specifically with ping (ICMP) that was causing the problem.  I could not establish a remote desktop connection either.  I checked the translation and I do see where it is trying to translate internal MPLS traffic to the inside interface address, but that does not seem to have corrected the problem.

Here's the config as it stands now:

interface Ethernet0/0
nameif inside
security-level 100
ip address 10.52.120.23 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 10.1.10.3 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
enable password xxxxx encrypted
passwd xxxxxxx encrypted
hostname ciscoasa
domain-name default.domain.invalid
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
monitor-interface management
monitor-interface inside
monitor-interface outside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 10.52.120.0 255.255.255.0
static (inside,inside) 10.52.121.3 10.52.121.3 netmask 255.255.255.255
static (inside,inside) 10.52.122.10 10.52.122.10 netmask 255.255.255.255
route inside 10.52.121.0 255.255.255.0 10.52.120.1 1
route inside 10.52.127.0 255.255.255.0 10.52.120.1 1
route inside 10.52.126.0 255.255.255.0 10.52.120.56 1
route inside 10.52.125.0 255.255.255.0 10.52.120.56 1
route inside 10.52.124.0 255.255.255.0 10.52.120.56 1
route inside 10.52.123.0 255.255.255.0 10.52.120.56 1
route inside 10.52.122.0 255.255.255.0 10.52.120.1 1
route inside 172.16.0.0 255.240.0.0 10.52.120.1 1
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username wbenson password xxxxxxx encrypted privilege 15
aaa authentication telnet console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 management
http 10.52.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet 10.52.120.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
management-access inside
Cryptochecksum:f8981027b0ffc75ae22266a3835461ae
: end

There might not be a need to enable TCP-state bypass.

Can you enable the inspection for ICMP traffic?

Here is the command:

fixup protocol ICMP

William Benson
Level 1

I found the write-up I've been looking for I think.

It was titled "The Woes of Using an ASA as a Default Gateway"

http://www.packetu.com/2011/10/17/the-woes-of-using-an-asa-as-a-default-gateway/

In this write-up the author is describing exactly the problem I'm running into in my environment.

I'm going to have to upgrade the IOS on my ASA though.  I found this one in a closet and it's running 7.2.  The write-up says a new command was added in 8.2, "TCP State Bypass", which will prevent the ASA from trying to control TCP sessions.

I appreciate the feedback, hopefully I will have this thing figured out soon.

Hi,

Personally I have never run into a situation where I would have to use "TCP State Bypass".

But then again we have always set up the network so that this doesn't happen.

I read the above posts through quickly and I presume that the problem here is that the traffic is entering and leaving the same interface on the ASA. I would avoid these situations.

I would also look into the possibility of bringing the MPLS connections to the ASA on their own interface so you wouldn't get this situation where the ASA would have to even try forwarding the traffic back from the same interface it came from.

As it stands now the routing is asymmetric as LAN hosts forward traffic to the ASA but the return traffic is forwarded by the MPLS router directly to the hosts and not to the ASA.

- Jouni

And to further add to my above post

In most of the cases I've seen on these forums where people have  added the TCP State bypass it has been to simply bypass an actual problem in the network topology and not really correcting the problem. More like bypassing an actual important operation of the firewall.

As I said, if possible, I would look into bringing the connection from the MPLS router to the ASA so your LAN host would simply have one gateway (ASA) and the ASA would have links to all the network segments needed (inside,outside,mpls and so on)

Don't know if this helps but thought I'd still comment.

- Jouni
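Added example, not code from any of the posters in this thread: a small Python check that reads a pre-8.3 ASA config of the kind posted above, picks the ingress interface for a LAN host by connected subnet and the egress interface by longest-prefix static route, and flags the two U-turn problems raised in the thread: the flow is dropped unless intra-interface traffic is permitted, and replies bypass the ASA (the asymmetric routing Jouni describes) unless the hairpin NAT suggested by jocamare (global (inside) ... interface plus a matching nat (inside)) rewrites the source to the ASA's own address. The config excerpt, the 10.52.120.50 test host and the function names are constructed for this example.

```python
import ipaddress
import re

# Constructed excerpt of the thread's first config, before the intra-interface and hairpin-NAT lines.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif inside
 ip address 10.52.120.23 255.255.255.0
interface Ethernet0/1
 nameif outside
 ip address 10.1.10.3 255.255.255.0
route inside 10.52.121.0 255.255.255.0 10.52.120.1 1
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
"""

def parse(config):
    """Return {nameif: ip_interface} and [(nameif, network, next_hop)]."""
    ifaces, routes, name = {}, [], None
    for line in config.splitlines():
        tok = line.split() or ["!"]
        if tok[0] == "nameif":
            name = tok[1]
        elif tok[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "route":
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
            routes.append((tok[1], net, ipaddress.ip_address(tok[4])))
    return ifaces, routes

def pat_to_egress(config, ingress, egress, src):
    """True if a nat/global pair PATs src to the egress interface address (the
    hairpin NAT from the thread), so the next-hop router replies to the ASA."""
    ids = re.findall(rf"^global \({egress}\) (\d+) interface", config, re.M)
    for m in re.finditer(rf"^nat \({ingress}\) (\d+) (\S+) (\S+)", config, re.M):
        if m[1] in ids and src in ipaddress.ip_network(f"{m[2]}/{m[3]}"):
            return True
    return False

def check_path(config, src, dst):
    """Classify src->dst: ingress by connected subnet, egress by longest-prefix
    static route, then flag the two U-turn problems discussed in the thread."""
    ifaces, routes = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = next(n for n, i in ifaces.items() if src in i.network)
    egress, _, hop = max((r for r in routes if dst in r[1]), key=lambda r: r[1].prefixlen)
    hairpin = ingress == egress
    intra = "same-security-traffic permit intra-interface" in config
    return {"ingress": ingress, "egress": egress, "next_hop": str(hop), "hairpin": hairpin,
            # dropped at the ASA unless intra-interface traffic is permitted
            "dropped": hairpin and not intra,
            "asymmetric_return": hairpin and not pat_to_egress(config, ingress, egress, src)}
```

Run check_path(ASA_CONFIG, "10.52.120.50", "10.52.121.3") against the first config and again after appending the intra-interface, global (inside) and nat (inside) lines to see the two flags clear while hairpin stays true.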

William Benson
Level 1

I upgraded the IOS on my ASA 5510 to 8.2 and BAM it all started working.  I did not implement the TCP Bypass recommended in the thread I read online.  There must be something in the newer IOS that corrected the problem I was having.  I'm pretty sure it was the intra-interface statement on the same traffic policy but I can't swear to it since I tried everyone's recommendations up to the point that I updated the IOS software.  Thank you everyone for your time!
