12-12-2012 12:01 AM - edited 03-11-2019 05:36 PM
Hi,
I am using ASA 5505.
Below is my sh run.
I am not able to ping my gateway, i.e. 182.73.131.89.
Please help
------------------------------------------
interface Ethernet0/0
description Internet Interface
switchport access vlan 61
!
interface Ethernet0/1
description office Internet
switchport access vlan 50
!
interface Ethernet0/2
description LAN Failover Interface
switchport access vlan 999
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan50
nameif office
security-level 100
ip address 10.54.9.1 255.255.255.192
!
interface Vlan61
nameif Internet
security-level 0
ip address 182.73.131.90 255.255.255.248
!
interface Vlan999
description LAN Failover Interface
!
ftp mode passive
dns server-group DefaultDNS
domain-name rcad.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network RC_NETWORK_CORPORATE
network-object WAN_MARS_Global 255.0.0.0
network-object RC_NETWORK_AIMARGUES_1 255.255.0.0
object-group network RC_NETWORK_AMERICA
network-object RC_NETWORK_AMERICA 255.255.0.0
object-group network RC_NETWORK_ASIAPAC
network-object RC_NETWORK_ASIAPAC 255.255.0.0
object-group network RC_NETWORK_INDIA-RBN
network-object INTERNAL_INDIA-RBN 255.255.255.0
access-list INDIA-RBN_EUR-DATACENTER_cryptomap extended deny ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_AMERICA
access-list INDIA-RBN_EUR-DATACENTER_cryptomap extended deny ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_ASIAPAC
access-list INDIA-RBN_EUR-DATACENTER_cryptomap extended permit ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_CORPORATE
access-list office_nat0_outbound extended permit ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_CORPORATE
access-list office_nat0_outbound extended permit ip any object-group RC_NETWORK_INDIA-RBN log
access-list office_access_in extended permit ip object-group RC_NETWORK_INDIA-RBN any log
access-list office_access_in extended permit icmp object-group RC_NETWORK_INDIA-RBN any log
access-list INDIA-RBN_ASIA-DATACENTER_cryptomap extended permit ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_ASIAPAC
access-list INDIA-RBN_AMERICA-DATACENTER_cryptomap extended permit ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_AMERICA
pager lines 24
logging enable
logging timestamp
logging buffer-size 65536
logging asdm-buffer-size 512
logging console notifications
logging buffered notifications
logging trap notifications
logging history notifications
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu office 1500
mtu Internet 1500
no failover
failover lan unit primary
failover lan interface FAILOVER Vlan999
failover key *****
failover interface ip FAILOVER 172.16.255.1 255.255.255.0 standby 172.16.255.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any office
icmp permit any Internet
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (Internet) 1 interface
nat (office) 0 access-list office_nat0_outbound
route Internet 0.0.0.0 0.0.0.0 182.73.131.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable 8443
http 83.206.102.64 255.255.255.224 Internet
http 10.24.0.0 255.255.0.0 office
http authentication-certificate outside
snmp-server host office 10.24.0.112 poll community ***** version 2c
snmp-server host office 10.24.0.249 poll community ***** version 2c
snmp-server host office 10.24.1.245 poll community ***** version 2c
snmp-server location ROYAL CANIN - Bhiwandi - India
snmp-server contact WORLDWIDE IT OPERATION (itop-network@royal-canin.fr)
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 Internet
ssh 83.206.102.64 255.255.255.224 Internet
ssh timeout 60
ssh version 2
console timeout 0
management-access office
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
RBN-ASA-01# $
12-12-2012 01:03 AM
Hi,
Are you saying that hosts behind the ASA can't use the Internet, or the ASA itself?
You at least don't have any "nat" source address configurations for your "global" configurations. Only the NAT Exemption/NAT0 configuration.
If you issue "show arp" command can you see anything for the interface "Internet"?
- Jouni
12-12-2012 04:18 AM
Hi,
Below is the output of sh arp
RBN-ASA-01# sh arp
office 10.54.9.2 20aa.4b0a.acba 5394
office 10.54.9.10 0013.726d.02ef 6152
office 169.254.7.201 0013.726d.02ef 6501
Internet 182.73.131.89 0019.a99d.a2c0 202
Internet 182.73.131.92 0013.726d.02ef 790
Internet 182.73.131.93 5067.f034.639e 5241
RBN-ASA-01#
12-12-2012 05:15 AM
Hi,
To my understanding permitting the ICMP with either
"permit icmp host
or
"permit icmp
should be enough to permit ICMP so you can ping those networks and receive replies from them. Though I'm not sure whether connected network ICMP should work without that.
Could you also issue "clear arp" and try ICMP/PING after that? Also get "show arp" output after "clear arp".
Why do you have INSIDE and OUTSIDE interfaces configured even though they don't have anything behind them? (Provided the above "show arp" output was complete.)
Also, why don't you have any NAT source address configuration for your LAN hosts behind "office"?
For example
nat (office) 1 10.54.9.0 255.255.255.192
Is this a new ASA setup or has this worked at some point already? Is there a possibility that the ISP router/core just doesn't reply to ICMP? Have you tried connections with actual LAN hosts through the ASA to the Internet?
Have you tried to ping any other known public IP address other than the default gateway of your ASA? ICMP/Trace isn't always the best way to test connections.
EDIT: Edited some typos with the commands provided
- Jouni
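An offline check for the NAT point raised in the replies above, as an added example (not from the original posts or from Cisco): it reads pre-8.3 ASA configuration text and reports `global` NAT IDs that have no `nat` statement with the same ID, and, as a related sanity check for an unreachable gateway, routes whose next hop lies outside the named interface's connected subnet. The sample input is excerpted from the configuration posted in this thread; the function name `audit` is an assumption of this example.

```python
import ipaddress

# Constructed sample: lines excerpted from the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan2
nameif outside
ip address dhcp setroute
interface Vlan50
nameif office
ip address 10.54.9.1 255.255.255.192
interface Vlan61
nameif Internet
ip address 182.73.131.90 255.255.255.248
global (outside) 1 interface
global (Internet) 1 interface
nat (office) 0 access-list office_nat0_outbound
route Internet 0.0.0.0 0.0.0.0 182.73.131.89 1
"""

def audit(config):
    """Return (global NAT IDs with no matching nat, routes with off-subnet next hop)."""
    subnets, nameif = {}, None
    global_ids, nat_ids, routes = set(), set(), []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                      # new interface block starts
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4 and tok[2] != "dhcp":
            # Static address: record the connected subnet for this nameif.
            subnets[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[0] in ("global", "nat") and len(tok) >= 3:
            # Third token is the NAT ID that ties nat and global together.
            (global_ids if tok[0] == "global" else nat_ids).add(int(tok[2]))
        elif tok[0] == "route" and len(tok) >= 5:
            routes.append((tok[1], ipaddress.ip_address(tok[4])))
    unpaired = sorted(global_ids - nat_ids)
    off_subnet = [(i, str(h)) for i, h in routes if i in subnets and h not in subnets[i]]
    return unpaired, off_subnet

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the posted configuration the gateway 182.73.131.89 is inside the connected 255.255.255.248 subnet, while NAT ID 1 has `global` entries but no `nat` entry; NAT ID 0 is the exemption rule only.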