09-03-2011 10:52 AM - edited 03-11-2019 02:20 PM
Hi dears
I have a problem with Cisco ASA.
I have 2 Cisco ASAs that are connected to each other via their outside interfaces. The IP range between them is 50.50.50.0, and the outside IP ranges are 10.10.10.0 and 20.20.20.0.
In ASA-1: I can ping the outside and inside interfaces, but there is no ping to the inside interface of ASA-2.
In ASA-2: I can ping the outside and inside interfaces, but there is no ping to the inside interface of ASA-1.
The devices on the inside interface of ASA-1 cannot ping the devices on the inside interface of ASA-2.
The ASA configuration is shown below:
hostname ASA-1
interface g0/0
nameif Outside
security-level 100
ip address 50.50.50.1 255.255.255.0
NO SHUT
exit
interface g0/3
nameif Inside
security-level 100
ip address 20.20.20.1 255.255.255.0
NO SHUT
exit
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any echo
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any any
access-list 100 extended permit udp any any
access-group 100 in interface Outside
access-group 100 out interface Outside
access-group 100 in interface Inside
access-group 100 out interface Inside
route Outside 10.10.10.0 255.255.255.0 50.50.50.2 1
-----------------------------------------------------------------------------------------------------------------------------------------------
hostname ASA-2
interface g0/0
nameif Outside
security-level 100
ip address 50.50.50.2 255.255.255.0
NO SHUT
exit
interface g0/3
nameif Inside
security-level 100
ip address 10.10.10.1 255.255.255.0
NO SHUT
exit
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any echo
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any any
access-list 100 extended permit udp any any
access-group 100 in interface Outside
access-group 100 out interface Outside
access-group 100 in interface Inside
access-group 100 out interface Inside
route Outside 20.20.20.0 255.255.255.0 50.50.50.1 1
--------------------------------------------------------------------------------------------------------------------------------------
I also used these commands, which were recommended in the Cisco docs:
policy-map global_policy
class inspection_default
inspect icmp
exit
but nothing changes!
Regards
09-03-2011 04:08 PM
I believe you are looking for the icmp command. This command lets you specify which hosts or networks are allowed to ping the ASA box.
Sent from Cisco Technical Support iPhone App
09-03-2011 08:27 PM
Hello Saeed,
First of all, by design you cannot ping the IP of an interface from a distant network.
Let me explain this with this:
20.20.20.0------ASA------50.50.50.0
So you can ping from the 20.20.20.0/24 network to the inside interface of the ASA (20.20.20.1), but you cannot ping the outside interface (50.50.50.1) from the inside network; this is a security design.
Now, second, the hosts are not able to ping because you are missing this command:
- same-security-traffic permit inter-interface
Please let me know if this helps you. If not, I would be more than glad to keep troubleshooting this.
Best Regards,
09-03-2011 11:42 PM
Hello dear Jcarvaja
Thank you very much for your answer, this command works well!
But the original solution is this:
20.20.20.0/24 ------ (ASA-1) ------ X.X.X.100 ------- (internet) ------ Y.Y.Y.101 ------ (ASA-2) -----10.10.10.0/24
And I need a tunnel between ASA-1 and ASA-2 over the Internet, and now my problem is:
In ASA-1: I can ping the outside and inside interfaces, but there is no ping to the inside interface of ASA-2.
In ASA-2: I can ping the outside and inside interfaces, but there is no ping to the inside interface of ASA-1.
The devices on the inside interface of ASA-1 cannot ping the devices on the inside interface of ASA-2.
The ASA configuration is shown below:
hostname ASA-1
interface g0/0
nameif Outside
security-level 0
ip address X.X.X.100 255.255.255.224
NO SHUT
exit
interface g0/3
nameif Inside
security-level 100
ip address 20.20.20.1 255.255.255.0
NO SHUT
exit
access-list Inside_nat0_Outside extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 20.20.20.0 255.255.255.0
access-group 100 in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.99 1
Same-security-traffic permit inter-interface
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer Y.Y.Y.101
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
tunnel-group Y.Y.Y.101 type ipsec-l2l
tunnel-group Y.Y.Y.101 ipsec-attributes
pre-shared-key 1234
-----------------------------------------------------------------------------------------------------
hostname ASA-2
interface g0/0
nameif Outside
security-level 0
ip address Y.Y.Y.101 255.255.255.224
NO SHUT
exit
interface g0/3
nameif Inside
security-level 100
ip address 10.10.10.1 255.255.255.0
NO SHUT
exit
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 10.10.10.0 255.255.255.0
access-group 100 in interface Outside
route Outside 0.0.0.0 0.0.0.0 Y.Y.Y.50 1
Same-security-traffic permit inter-interface
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer X.X.X.100
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
tunnel-group X.X.X.100 type ipsec-l2l
tunnel-group X.X.X.100 ipsec-attributes
pre-shared-key 1234
09-04-2011 12:21 PM
Hello Saeed,
You don't have to thank me, it is a pleasure to be able to help you.
On ASA-2, would you change this access list:
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
to this one:
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
With this we are allowing as interesting traffic over the VPN tunnel all the IP traffic coming from 10.10.10.0 to 20.20.20.0.
Also, you have to have this command on both ASAs:
management-access Inside
Please let me know if this works
Best Regards,
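The two configuration errors the replies in this thread identify (two interfaces at the same security level without same-security-traffic permit inter-interface, and an ASA-2 crypto-map ACL that is not the mirror image of ASA-1's) are both easy to miss by eye and easy to check mechanically before a tunnel is deployed. The Python linter below is an added example and is not code from the thread or from Cisco. Its sample configs are constructed to mirror the posted fragments, with the RFC 5737 addresses 192.0.2.100 and 198.51.100.101 standing in for the poster's X.X.X.100 and Y.Y.Y.101, and the parser understands only the command forms that appear in the thread. It also flags the DES and Diffie-Hellman group 1 settings in the posted ISAKMP policy and transform set, which are deprecated.

```python
"""Lint a pair of Cisco ASA configs for the two mistakes raised in this thread.
Added example, not the poster's or Cisco's code: the sample configs are constructed to mirror
the posted fragments, and the parser understands only the command forms used there."""

def _addr(toks, i):
    """Read one ACL address spec at toks[i]; return (spec, index after it)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1] + "/255.255.255.255", i + 2
    return toks[i] + "/" + toks[i + 1], i + 2

def parse_asa(text):
    """Line-based parser: interfaces, ACL entries, the crypto-map ACL name and every line."""
    cfg = {"interfaces": {}, "acls": {}, "lines": set(), "crypto_acl": None}
    cur = None  # interface block currently being read
    for raw in text.splitlines():
        toks = raw.strip().lower().split()  # ASA commands are case-insensitive
        if not toks:
            continue
        cfg["lines"].add(" ".join(toks))
        if toks[0] == "interface":
            cur = cfg["interfaces"][toks[1]] = {"nameif": None, "security": None, "ip": None}
        elif toks[0] == "nameif" and cur:
            cur["nameif"] = toks[1]
        elif toks[0] == "security-level" and cur:
            cur["security"] = int(toks[1])
        elif toks[:2] == ["ip", "address"] and cur:
            cur["ip"] = toks[2]
        elif toks[0] == "access-list" and "permit" in toks:
            i = toks.index("permit")  # ... permit PROTO SRC DST [icmp-type]
            src, j = _addr(toks, i + 2)
            dst, _ = _addr(toks, j)
            cfg["acls"].setdefault(toks[1], []).append((toks[i + 1], src, dst))
        elif toks[:2] == ["crypto", "map"] and toks[4:6] == ["match", "address"]:
            cfg["crypto_acl"] = toks[6]
    return cfg

def check_same_security(cfg):
    """Interfaces at equal security-levels need 'same-security-traffic permit inter-interface'."""
    levels = [i["security"] for i in cfg["interfaces"].values()]
    if (len(levels) != len(set(levels))
            and "same-security-traffic permit inter-interface" not in cfg["lines"]):
        return ["interfaces share a security-level but same-security-traffic permit inter-interface is missing"]
    return []

def check_crypto_mirror(local, remote):
    """Each side's crypto-map ACL must be the exact mirror (src/dst swapped) of the peer's."""
    mine = sorted(local["acls"].get(local["crypto_acl"], []))
    theirs = sorted((p, d, s) for p, s, d in remote["acls"].get(remote["crypto_acl"], []))
    if mine != theirs:
        return [f"crypto ACL {local['crypto_acl']} {mine} is not the mirror of the peer's {theirs}"]
    return []

def check_weak_crypto(cfg):
    """Flag the DES and DH group 1 settings used in the thread; both are deprecated."""
    weak = [w for w in ("encryption des", "group 1") if w in cfg["lines"]]
    weak += [l for l in cfg["lines"] if l.startswith("crypto ipsec transform-set") and "esp-des" in l]
    return [f"weak crypto setting: {w}" for w in sorted(weak)]

def lint_pair(asa1_text, asa2_text):
    """Run every check over both sides; returns findings per ASA (empty lists mean clean)."""
    a, b = parse_asa(asa1_text), parse_asa(asa2_text)
    return {"asa1": check_same_security(a) + check_crypto_mirror(a, b) + check_weak_crypto(a),
            "asa2": check_same_security(b) + check_crypto_mirror(b, a) + check_weak_crypto(b)}

def site_config(out_ip, in_net, remote_net, crypto_remote):
    """Constructed VPN-site config modelled on the posted fragments (RFC 5737 addresses
    192.0.2.x / 198.51.100.x stand in for the poster's X.X.X / Y.Y.Y)."""
    return f"""
interface g0/0
 nameif Outside
 security-level 0
 ip address {out_ip} 255.255.255.224
interface g0/3
 nameif Inside
 security-level 100
 ip address {in_net.rsplit('.', 1)[0]}.1 255.255.255.0
access-list Inside_nat0_Outside extended permit ip {in_net} 255.255.255.0 {remote_net} 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip {in_net} 255.255.255.0 {crypto_remote} 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto isakmp policy 10
 encryption des
 group 1
"""

# Constructed inputs: the back-to-back ASA-1 (both interfaces at level 100) and the VPN pair with
# ASA-2's crypto ACL as first posted (10.10.10.0 -> 10.10.10.0) and as corrected (-> 20.20.20.0).
BACK_TO_BACK_ASA1 = ("interface g0/0\nnameif Outside\nsecurity-level 100\nip address 50.50.50.1 255.255.255.0\n"
                     "interface g0/3\nnameif Inside\nsecurity-level 100\nip address 20.20.20.1 255.255.255.0\n")
ASA1 = site_config("192.0.2.100", "20.20.20.0", "10.10.10.0", "10.10.10.0")
ASA2_AS_POSTED = site_config("198.51.100.101", "10.10.10.0", "20.20.20.0", "10.10.10.0")
ASA2_FIXED = site_config("198.51.100.101", "10.10.10.0", "20.20.20.0", "20.20.20.0")

if __name__ == "__main__":
    print("back-to-back ASA-1:", check_same_security(parse_asa(BACK_TO_BACK_ASA1)))
    for side, findings in lint_pair(ASA1, ASA2_AS_POSTED).items():
        print(side, findings or "clean")
```

Run against the as-posted pair, both sides report the crypto ACL mismatch; with ASA2_FIXED only the weak-crypto findings remain. The mirror check compares the full set of entries, so it also catches a crypto ACL that has an extra or missing line on one side, which is a common cause of a tunnel that builds for some hosts and not others.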
09-04-2011 10:44 PM
Hello jcarvaja again
Thank you for your help. I did the things that you said, but nothing changed; I have no ping and no active tunnel.
- access-list Outside_1_Cryptomap on ASA-2
- management-access inside on both ASAs
----------------------------------------------------------------------------------------------------------------------------------------------------------
I have one server with IP 20.20.20.20 on ASA-1 and one PC with IP 10.10.10.10 on ASA-2.
There is no ping from inside ASA-1 to inside ASA-2, but the outside of ASA-1 can ping the outside of ASA-2, and
ASA-1 can ping 20.20.20.1-20 and ASA-2 can ping 10.10.10.1-10.
I think the problem is with my tunnel:
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
IPsec Global Statistics
Active tunnels: 0
Previous tunnels: 0
show crypto ipsec sa
There are no ipsec sas
show crypto isakmp sa
There are no isakmp sas
-----------------------------------------------------------------------------------------------------------------------------------------------------------
hostname ASA-1
interface g0/0
nameif Outside
security-level 0
ip address X.X.X.100 255.255.255.224
NO SHUT
exit
interface g0/3
nameif Inside
security-level 100
ip address 20.20.20.1 255.255.255.0
NO SHUT
exit
access-list Inside_nat0_Outside extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 20.20.20.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 X.X.X.99 1 ---------> to gateway
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer Y.Y.Y.101
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
tunnel-group Y.Y.Y.101 type ipsec-l2l
tunnel-group Y.Y.Y.101 ipsec-attributes
pre-shared-key 1234
management-access inside
-----------------------------------------------------------------------------------------------------
hostname ASA-2
interface g0/0
nameif Outside
security-level 0
ip address Y.Y.Y.101 255.255.255.224
NO SHUT
exit
interface g0/3
nameif Inside
security-level 100
ip address 10.10.10.1 255.255.255.0
NO SHUT
exit
access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_Outside
nat (Inside) 1 10.10.10.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 Y.Y.Y.50 1 ---------> to gateway
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_Cryptomap
crypto map Outside_map 1 set peer X.X.X.100
crypto map Outside_map 1 set transform-set ESP-DES-SHA
crypto map Outside_map 1 set security-association lifetime kilobytes 10000
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
tunnel-group X.X.X.100 type ipsec-l2l
tunnel-group X.X.X.100 ipsec-attributes
pre-shared-key 1234
management-access inside
Regards
09-05-2011 09:34 AM
Hello Saeed,
Actually, the configuration seems to be the required one.
This might be a routing issue.
Would you mind trying this packet-tracer on ASA-1:
packet-tracer input inside icmp 20.20.20.3 8 0 10.10.10.3
Please let me know the output of this command.
Best Regards,