03-10-2017 12:42 AM - edited 03-12-2019 02:02 AM
Hi Team,
I have been having a problem with loading ASDM on to my ASA in GNS3 (v1.5.3). The connection is an ASA to the switch which is then connected to the Cloud (with loopback interface) as shown below. I cannot ping the Cloud from the ASA or vice versa, even after configuring ACLs to permit ICMP traffic, with the configs below. Kindly assist, as the aim is to load the ASDM to the ASA.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list 77 extended permit icmp any host 192.168.110.1 echo
access-list 77 extended permit icmp any host 192.168.110.1 echo-reply
access-list 77 extended permit icmp any host 192.168.110.1 time-exceeded
access-list 77 extended permit icmp any host 192.168.110.1
pager lines 23
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group 77 in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import
03-10-2017 01:17 AM
You don't need the access-list since you are initiating traffic from the ASA.
You do need (and don't have) a default route if your destination address is anywhere other than on the connected 192.168.110.0/24 subnet.
The setup is a bit odd (even though it is a lab) in that you have the inside interface connected towards the cloud. That aside, it should work with a default route added.
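The routing point made in the reply, as an added example that is not part of the original thread: a Python check that reads ASA interface and route lines and reports which route, if any, a destination would use. The next hop 192.168.110.254 is a constructed placeholder, since the thread gives no gateway address, and the function names are hypothetical.

```python
import ipaddress

# Constructed excerpt of the configuration posted in the question.
POSTED = """\
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.110.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no ip address
!
"""
# Hypothetical next hop: the thread never gives the gateway address.
WITH_DEFAULT = POSTED + "route inside 0.0.0.0 0.0.0.0 192.168.110.254\n"


def routing_table(config):
    """Return (network, nameif, source) for live interfaces and static routes."""
    routes, cur = [], {}

    def flush():
        # An interface yields a connected route only if named, addressed and up.
        if cur.get("nameif") and cur.get("addr") and not cur.get("shutdown"):
            net = ipaddress.ip_interface(cur["addr"]).network
            routes.append((net, cur["nameif"], "connected"))
        cur.clear()

    for words in (line.split() for line in config.splitlines()):
        if not words or words[0] in ("!", "no"):
            continue
        if words[0] == "interface":
            flush()
        elif words[0] == "nameif":
            cur["nameif"] = words[1]
        elif words == ["shutdown"]:
            cur["shutdown"] = True
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            cur["addr"] = f"{words[2]}/{words[3]}"
        elif words[0] == "route" and len(words) >= 5:
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}")
            routes.append((net, words[1], f"static via {words[4]}"))
    flush()
    return routes


def egress(config, destination):
    """Longest-prefix match; None means no route, so the packet is never sent."""
    dest = ipaddress.ip_address(destination)
    hits = [r for r in routing_table(config) if dest in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)
```

Against the posted configuration, only addresses inside 192.168.110.0/24 resolve to a route; anything else returns None until a default route is present.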