ASA connectivity issue driving me nuts

timdeadman1
Level 1

I’m trying to set up an ASA as the main firewall for a charity organisation I volunteer for.

I have been given a /29 address by the ISP and have obscured it just for security; in real life only the last octet is the same: X.x.x.40/29, with the router from the ISP as .46 and my ASA as .41.

When I plug in the ASA it won't ping .46 from its own address of .41. When I give a laptop the .41 address and plug it directly into the ISP router, everything works and the laptop has full WWW (including DNS) access.

To try and troubleshoot, I chose some spare ports in the switch and put these ports into an unused VLAN (VLAN 4). I gave VLAN 4 an address of .42. I can ping the ASA and my VLAN interface but can't ping .46.

Now the really weird bit: I gave my laptop the .43 address and plugged it into a VLAN 4 port on the switch, and I can ping everything including 8.8.8.8 and have full WWW access from the laptop. Neither Cisco device (ASA and switch) can ping .46, and the ASA can't ping 8.8.8.8 (or any other web address). This is driving me nuts; I'm really good at this stuff, it's my job, but this has me stumped.

HELP

6 Replies

mvsheik123
Level 7

Hi Tim,

If the issue still exists, can you share the ASA configuration? Is ICMP inspection enabled on the ASA?

Thx

MS

Thanks MS,

Here it is. I think it may be an issue with the ARP response.

ASA Version 8.6(1)2
!
hostname DMZ-ASA
domain-name oooooooooo.local
enable password llllllll encrypted
passwd ppppppppppp encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.186.41 255.255.255.248
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address nn.nn.nn.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address nn.nn.140.221 255.255.255.0
 management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name strapheals.local
same-security-traffic permit inter-interface
object network FILESRV01
 host mm.mm.0.10
 description Main File Server
access-list Outside_access_in remark Catch all
access-list Outside_access_in extended deny ip any any log debugging
access-list DMZ_access_in extended permit ip object FILESRV01 any log debugging
access-list DMZ_access_in remark catch all
access-list DMZ_access_in extended deny ip any any log debugging
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 nn.nn.186.46 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http nn.nn.140.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet nn.nn.140.0 255.255.255.0 management
telnet timeout 5
ssh nn.nn.140.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
username admin password nnnnnnnnnnnnnn encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:999999999999999999999
: end

Hi,

1) I don't see any inside interface. Are you only using a DMZ, or is your management interface the inside one? If so, don't forget that the management interface by default doesn't pass data traffic.

2) Your inbound ACLs on DMZ and Outside have no permit statement, so how can your traffic be forwarded through your ASA?

3) You still can't ping from Outside to the modem/router? I don't see any obvious things in the ASA config that could be the cause. Which type of modem/router is this, cable or DSL?

Regards

Alain

Don't forget to rate helpful posts.

You're right Alain,

That was an old config, sorry, this is the current one.

A bit more information: I have tried setting the outside to sec level 0 and the inside to sec level 100. I would like a bit more control than that, hence the current setting of both to 50 with an access list controlling traffic. It also means I can set the debug feature on the rule and watch the packets on the monitor function.

STILL NOT ABLE TO PING router interface nn.nn.186.46 or 8.8.8.8 (or anything)

Tim

______________________________________________________________

ASA Version 8.6(1)2
!
hostname Main-ASA
domain-name mmmmmmmmm.local
enable password ppppppppppp encrypted
passwd ooooooooo encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 50
 ip address n.n.186.41 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 50
 ip address ppp.ppp.199.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address ppp.ppp.140.221 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name mmmmmm.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network servers
 subnet nn.nn.0.0 255.255.255.0
object-group network users
 network-object nn.nn.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object nn.nn.199.0 255.255.255.0
 network-object object servers
 group-object users
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log debugging
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 n.n.186.46 1
route inside xx.xxx.0.0 255.255.255.0 nn.nn.199.254 1
route inside xx.xx.1.0 255.255.255.0 nn.nn.199.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http nn.nn.140.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp management
sysopt noproxyarp outside
sysopt noproxyarp inside
telnet nn.nn.140.0 255.255.255.0 management
telnet timeout 5
ssh nn.nn.140.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password e8gq2.ujS/CECBVS encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b87ebe6cde5db24ba1663f298efeaedc
: end

Main-ASA# sh ver

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)

Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

Main-ASA up 1 day 22 hours

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-0014
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0014
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

 0: Int: Internal-Data0/0    : address is 4c4e.3544.e33b, irq 11
 1: Ext: GigabitEthernet0/0  : address is 4c4e.3544.e33f, irq 10
 2: Ext: GigabitEthernet0/1  : address is 4c4e.3544.e33c, irq 10
 3: Ext: GigabitEthernet0/2  : address is 4c4e.3544.e340, irq 5
 4: Ext: GigabitEthernet0/3  : address is 4c4e.3544.e33d, irq 5
 5: Ext: GigabitEthernet0/4  : address is 4c4e.3544.e341, irq 10
 6: Ext: GigabitEthernet0/5  : address is 4c4e.3544.e33e, irq 10
 7: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
 8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
 9: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
10: Ext: Management0/0       : address is 4c4e.3544.e33b, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number: FCH1709J0RT
Running Permanent Activation Key: 0xfa2fe370 0xdcc393cd 0x616211b4 0xed48a8c0 0x4c0ecda4
Configuration register is 0x1
Configuration last modified by admin at 11:34:38.546 UTC Wed Mar 5 2014
Main-ASA#

A little bit more information:

When the ASA wants to send a packet out, it sends an ARP request (who has n.n.186.46?); .46 is the ISP router, the ASA is .41. Instead of just responding (n.n.186.46 is at "mac address"), the ISP router sends its own ARP request (who has n.n.186.41, tell 192.168.1.254). Now the ASA has no idea who this 192 address is and has no way of getting to it, so the whole negotiation falls down. I have asked the ISP to sort this out and will report back if this solves the issue.

So for closure purposes, it is fixed..... Hooray and huzzah....

I stuck a Wireshark PC on the VLAN I had created and saw that there was an issue with this spurious address (192.168.1.254). I think the router is designed for home use and, as that range would suit most homes, I guess it works mostly. HOWEVER, an ASA 5515 ain't no piece of home kit and is totally incompatible with this router. What was fooling me was the fact that when I plugged in a PC with the 186.41 address, it worked. I have now set up the ASA to be PPPoE and bypassed the router entirely. It all sprang into life and we are good to go.

Thanks everyone for your suggestions, and as I have cleared this issue myself, I will be awarding me 3 gold stars (or whatever the rating system is now.)

Cheers Guys

Tim
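As an added example (not part of the thread or of any Cisco tooling), the following Python script decodes raw Ethernet/ARP frames the way a Wireshark capture on that VLAN would show them and flags the two symptoms Tim describes: the gateway never replying to the ASA's who-has, and an ARP request arriving with a sender IP outside the /29. The addresses 203.0.113.40/29 (.41 for the ASA, .46 for the ISP router), the 192.168.1.254 sender and the MAC addresses are constructed stand-ins for the obscured real ones.

```python
# Added example (not from the thread): decode Ethernet/ARP frames and flag
# an unanswered gateway who-has plus off-subnet ARP senders. Data constructed.
import ipaddress
import struct

ETH_ARP = 0x0806
NET, ASA_IP, GW_IP = "203.0.113.40/29", "203.0.113.41", "203.0.113.46"
ASA_MAC, GW_MAC = bytes.fromhex("020000000041"), bytes.fromhex("020000000046")

def build_arp(op, smac, sip, tmac, tip):
    """Ethernet II + ARP frame; op 1 = request (broadcast), 2 = reply."""
    dst = tmac if op == 2 else b"\xff" * 6
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac
           + ipaddress.IPv4Address(sip).packed + tmac
           + ipaddress.IPv4Address(tip).packed)
    return dst + smac + struct.pack("!H", ETH_ARP) + arp

def parse_arp(frame):
    """Return (op, sender_ip, target_ip) or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return (op, str(ipaddress.IPv4Address(frame[28:32])),
            str(ipaddress.IPv4Address(frame[38:42])))

def audit(frames, iface_net, my_ip, gateway_ip):
    """Findings: unanswered who-has for the gateway, and off-subnet senders."""
    net = ipaddress.ip_network(iface_net, strict=False)
    findings, asked, answered = [], False, False
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sip, tip = parsed
        asked |= op == 1 and sip == my_ip and tip == gateway_ip
        answered |= op == 2 and sip == gateway_ip and tip == my_ip
        # 0.0.0.0 senders are legitimate ARP probes, not a misconfiguration
        if sip != "0.0.0.0" and ipaddress.IPv4Address(sip) not in net:
            findings.append(f"off-subnet ARP sender {sip} asking for {tip} (not in {net})")
    if asked and not answered:
        findings.append(f"no ARP reply from gateway {gateway_ip} to {my_ip}")
    return findings

def thread_exchange():
    """Constructed: ASA asks for .46; router answers with its own request from 192.168.1.254."""
    return [build_arp(1, ASA_MAC, ASA_IP, b"\x00" * 6, GW_IP),
            build_arp(1, GW_MAC, "192.168.1.254", b"\x00" * 6, ASA_IP)]

if __name__ == "__main__":
    for line in audit(thread_exchange(), NET, ASA_IP, GW_IP):
        print(line)
```

Feeding `audit()` the frames from a real capture (for example, exported from Wireshark) would surface the same two findings before hours are lost swapping cables and VLANs.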
