ASA 5520 translation problem

hisham.khreisat
Level 1

I have the following in my deployment:

Server --- ACE 4710 --- ASA 5520 --- Router

From the server I can ping the inside ASA, but can't ping the outside ASA or the inside Router.

From the ASA I can ping the outside Router, the Server, and the Virtual IP Address of the ACE.

The following is the configuration for the ASA 5520:

hostname MOI-Elec
domain-name default.domain.invalid
enable password qagxmUWZehLHpnt3 encrypted
passwd qagxmUWZehLHpnt3 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description --- To GW_1 ---
 nameif outside1
 security-level 0
 ip address 172.20.1.240 255.255.255.0
!
interface GigabitEthernet0/1
 description --- To GW_2 ---
 nameif outside2
 security-level 0
 no ip address
!
interface GigabitEthernet0/2
 description --- SERVER DMZ ---
 nameif SERVER-DMZ
 security-level 100
 ip address 192.168.20.10 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 nameif asd
 security-level 100
 no ip address
!
interface Management0/0
 nameif mngmt-asdm
 security-level 100
 ip address 10.10.10.10 255.255.255.0
!
ftp mode passive
access-list temp extended permit icmp any any
access-list temp extended permit ip any any
access-list cap1 extended permit ip any host 172.20.1.240
access-list cap1 extended permit ip host 172.20.1.240 any
pager lines 24
logging enable
logging buffered errors
mtu outside1 1500
mtu outside2 1500
mtu SERVER-DMZ 1500
mtu asd 1500
mtu mngmt-asdm 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
static (SERVER-DMZ,outside1) 192.168.20.20 192.168.20.20 netmask 255.255.255.255
access-group temp in interface outside1
access-group temp in interface outside2
access-group temp in interface SERVER-DMZ
route outside1 0.0.0.0 0.0.0.0 172.20.1.251 1
route SERVER-DMZ 172.20.0.0 255.255.0.0 192.168.20.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password LLO/MKcU/To/3BlR encrypted
http server enable
http 0.0.0.0 0.0.0.0 SERVER-DMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:ac69173ace9b8f69bfff97c28a9f35d5
: end

----------------------------------------------------------------

The following is the configuration on the ACE 4710:

Generating configuration....
resource-class rc1
  limit-resource all minimum 10.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A3_2_0.bin
peer hostname moi-lb
hostname moi-lb2
interface gigabitEthernet 1/1
  description ace-outside to ASA G0/0
  switchport access vlan 3
  no shutdown
interface gigabitEthernet 1/2
  description ace-inside to DMZ-SW G1/1
  switchport access vlan 2
  no shutdown
interface gigabitEthernet 1/3
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/4
  ft-port vlan 10
  no shutdown
clock timezone Jor 0 0
context Admin
  member rc1
access-list all line 8 extended permit ip any any
access-list all line 16 extended permit icmp any any
probe tcp tcp-7777
  port 7777
  interval 15
  passdetect interval 60
  open 1
rserver host app-205
  ip address 172.20.100.205
  inservice
serverfarm host app-servers
  predictor leastconns
  probe tcp-7777
  fail-on-all
  rserver app-205
    inservice
sticky ip-netmask 255.255.255.255 address source group1
  timeout 15
  replicate sticky
  serverfarm app-servers
class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match 2
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol https any
class-map match-all vip-app
  2 match virtual-address 192.168.20.20 tcp eq 7777
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match vip-lb
  class class-default
    sticky-serverfarm group1
policy-map multi-match lb-vip-policy
  class vip-app
    loadbalance vip inservice
    loadbalance policy vip-lb
    loadbalance vip icmp-reply
interface vlan 2
  description ace-inside to DMZ-SW G1/1
  ip address 172.20.0.251 255.255.0.0
  no icmp-guard
  access-group input all
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
interface vlan 3
  description ace-outside to ASA G0/0
  ip address 192.168.20.30 255.255.0.0
  no icmp-guard
  access-group input all
  service-policy input lb-vip-policy
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
interface vlan 1000
  description ---management vlan---
  ip address 172.26.255.2 255.255.255.0
  peer ip address 172.26.255.1 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
ft interface vlan 10
  ip address 10.0.0.11 255.255.255.0
  peer ip address 10.0.0.10 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 100
  heartbeat count 20
  ft-interface vlan 10
ft group 1
  peer 1
  associate-context Admin
  inservice
ft track interface track-vlan2
  track-interface vlan 2
  peer track-interface vlan 2
  priority 25
  peer priority 25
ft track interface track-vlan3
  track-interface vlan 3
  peer track-interface vlan 3
  priority 30
  peer priority 30
ip route 0.0.0.0 0.0.0.0 192.168.20.10

---------------------------------------------------------------------

Does anyone have any idea why the ASA 5520 doesn't permit traffic from my inside server network to go outside?

please help

5 Replies

Shrikant Sundaresh
Cisco Employee

Hi Hisham,

You cannot ping the ASA interfaces which are not directly facing your device.

So if you are on the inside, you can only ping the inside interface.

Now coming to the router, I see that there is no nat configured on the ASA. So unless you have a route configured on the router, with a route back to the server subnet, the router will not be able to reply to the icmp packet.

Run "debug icmp trace 1" command on the ASA, and check if you see icmp request going from the server to the router, but no replies coming back.

This would indicate an issue with the routing on the router.

Also, please check if nat-control is enabled (show run all | in nat-control)

If it is enabled, then you need to disable it (no nat-control) or configure a nat rule for traffic going from inside to outside.

Hope this helps.

-Shrikant

P.S.: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.04.05 13:21:12 =~=~=~=~=~=~=~=~=~=~=~=

internal#sh run
Building configuration...

Current configuration : 1276 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname internal
!
boot-start-marker
boot-end-marker
!
!card type command needed for slot 1
card type e1 2
!card type command needed for slot 3
!card type command needed for slot 4
enable secret 5 $1$mV65$5mOlGHjWThTljxYFF2OUb/
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 2
!
ip cef
!
voice-card 0
 no dspfarm
!
controller E1 2/0
 framing NO-CRC4
 channel-group 0 timeslots 1-31
!
controller E1 2/1
!
interface GigabitEthernet0/0
 ip address 172.20.1.251 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface Serial2/0:0
 description E1 LINK TO MUHAFDA
 ip address 172.19.8.249 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 Serial2/0:0
ip route 172.0.0.0 255.0.0.0 GigabitEthernet0/0
i
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
!
end

This is the router configuration

Hi Hisham,

Could you also please attach the output of the following command on the ASA:

packet-tracer input icmp 8 0 detail

This shows the packet flow of the icmp request through the ASA.

-Shrikant

Hello There,

I'll do what was asked of me tomorrow morning, but I would like to mention that I have already done a capture, as follows:

Server (172.20.100.205/16) ---- (Inside: 172.20.0.251/16) ACE (outside: 192.168.20.30/24) --- (inside:192.168.20.30/24)ASA(outside:172.20.1.240/24) ---- (172.20.1.251/24)Router.

I did the ping from the server to the inside router (172.20.1.251):

access-list cap extended permit ip host 172.20.100.205 host 172.20.1.251
access-list cap extended permit ip host 172.20.1.251 host 172.20.100.205
capture test access-list cap interface inside-ASA

sh capture gave me:

0 packets !!!! no results appear. !!!!

If you please, can anyone review the configuration carefully and tell me if there is any wrong configuration on the ACE, ASA, or Router?

I hope you can find any way to get out of this problem !!!!!

Thank you all,

Hisham Khreisat

Hi Hisham,

I have never really worked with an ACE before, so I am not sure about its configs. Though trying to judge the config based on what I know about routers and the ASA, it seems ok, except for whether you can apply multiple "service-policy" policies on an interface or not. You would need to verify that, but most probably it is correct.

Secondly, an anomaly I see is in the subnet mask of the outside interface of the ACE. You have given a /16 subnet mask, while there is a /24 subnet mask on the corresponding ASA interface. I am not sure if that would impact packet flow, but you could correct it and check again.

Lastly, and most importantly, if the capture showed no packets on the ASA, it means it is a fault on the ACE because no packets reached the ASA.

Thus the output of the packet-tracer command would be of no use at all, since it shows the packet trace after the packet reaches the ASA.

So we need to concentrate on the link between ACE and ASA, and figure out why the ACE is not sending traffic to the ASA.

-Shrikant

P.S.: Please mark the question resolved, if it has been answered. Do rate helpful posts. Thanks.
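Shrikant's mask observation, and the question of why the capture on the ASA saw nothing, can be checked mechanically against the addresses posted in this thread. The Python script below is an added example, not part of the thread or of any Cisco tool; it takes the interface addresses from the three configs (the server's /16 is taken from the diagram in the capture post) and flags links whose two ends disagree on the connected subnet, as well as destinations that fall inside a host's own connected subnet, which the host would then ARP for locally rather than hand to its default gateway.

```python
import ipaddress

# Interface addresses as posted in the thread. The server's /16 comes from the
# diagram in Hisham's capture post; everything else is from the three configs.
INTERFACES = {
    "server": {"nic": "172.20.100.205/16"},
    "ace": {"vlan2": "172.20.0.251/16", "vlan3": "192.168.20.30/16"},
    "asa": {"SERVER-DMZ": "192.168.20.10/24", "outside1": "172.20.1.240/24"},
    "router": {"Gi0/0": "172.20.1.251/24"},
}

# Layer-2 adjacencies as drawn in the diagram: (device, intf, device, intf).
LINKS = [
    ("server", "nic", "ace", "vlan2"),
    ("ace", "vlan3", "asa", "SERVER-DMZ"),
    ("asa", "outside1", "router", "Gi0/0"),
]


def _iface(dev, name):
    return ipaddress.ip_interface(INTERFACES[dev][name])


def mask_mismatches(links=LINKS):
    """Links whose two ends compute different connected subnets."""
    found = []
    for d1, i1, d2, i2 in links:
        a, b = _iface(d1, i1), _iface(d2, i2)
        if a.network != b.network:
            found.append((f"{d1}:{i1}", str(a.network), f"{d2}:{i2}", str(b.network)))
    return found


def local_overlaps(dev, dest):
    """Interfaces on `dev` whose connected subnet contains `dest`.

    A host treats such a destination as on-link: it ARPs for it directly
    instead of forwarding the packet to its default gateway."""
    dest = ipaddress.ip_address(dest)
    return [name for name, addr in INTERFACES[dev].items()
            if dest in ipaddress.ip_interface(addr).network]


if __name__ == "__main__":
    for a, na, b, nb in mask_mismatches():
        print(f"mask mismatch: {a} is in {na} but {b} is in {nb}")
    for dest in ("172.20.1.251", "192.168.20.10"):
        hit = local_overlaps("server", dest)
        print(f"server -> {dest}: {'on-link via ' + hit[0] if hit else 'routed via gateway'}")
```

Run as a script, it reports the /16 vs /24 mismatch on the ACE-to-ASA link and shows that, from the server's /16, the router address 172.20.1.251 is treated as on-link rather than routed through the ACE.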
