07-23-2015 12:55 AM - edited 03-11-2019 11:19 PM
Peace,
I have an ASA 5520 with sub-interfaces on the inside. I can ping hosts on the inside networks, but I can't ping the inside interfaces themselves from an attached Nexus switch. It would make troubleshooting a lot easier if I could ping the gateway. So is there a way to enable pings to the inside interfaces from different VLANs?
07-23-2015 01:14 AM
Have a look at this:
https://supportforums.cisco.com/discussion/10347521/asa-5505-icmp-not-responding
You can only ping the ASA's IP address from a network that is behind that specific interface (meaning you can't ping the outside IP address from an inside host, for example); additionally, you have to specify which sources you allow. The command is:
"To configure access rules for ICMP traffic that terminates at a adaptive security appliance interface, use the icmp command. To remove the configuration, use the no form of this command.
icmp {permit | deny} ip_address net_mask [icmp_type] if_name "
Traian
07-23-2015 01:55 AM
I am not trying to ping an outside address. I noticed that from the inside network I can ping the inside interface.
From the link you gave, it states:
"Put more generally, you cannot ping the firewall's ip addresses, unless you are on the interface you are pinging."
From this I understand that pinging another inside sub-interface is not possible from a different VLAN. I guess I asked for too much.
07-23-2015 02:25 AM
Hi Majed,
To troubleshoot, you can check the following:
>> ARP on the ASA for the host from which you are doing the ping test:
show arp
>> Check whether the ASA is receiving the traffic:
cap capi interface inside match icmp any any
show cap capi
>> In case the traffic is reaching the ASA and is getting dropped there:
cap asp type asp-drop all
show cap asp
Please attach the above-mentioned data and also attach the show run interface output.
Thanks,
R.Seth
07-23-2015 02:59 AM
It was just an example...
You can ping an inside interface from a different VLAN as long as the packet is not traversing the ASA.
something like
vlan1 \
\ --- Router --- ASA
Vlan2 /
You can enable ICMP from either VLAN 1 or VLAN 2:
icmp permit any inside
If you have a different scenario than the above, please let me know...
Another useful command is "packet-tracer"; it tells you whether the packet is allowed or not, and the reason for that (the arguments after icmp are ICMP type and code, so 8 0 is an echo request):
packet-tracer input inside icmp "source_ip" 8 0 "destination_ip"
Hope this clarifies,
Traian
07-23-2015 03:59 AM
Thanks for the ARP tip.
About the
icmp permit any inside
I have 9 inside sub-interfaces on different VLANs. I did icmp permit any (on all inside interfaces),
but still from the Nexus I can only ping the management VLAN in the VRF management, because it's on the same VLAN and subnet.
Where is the mistake?
07-23-2015 04:27 AM
Hi Majed,
From the ASA's perspective, you have 9 different interfaces with different names (nameif).
So if you try to ping the IP address configured on one sub-interface from a device whose traffic hits the firewall on a different sub-interface, it will be dropped by the firewall.
For a better understanding of the issue, please attach the output of show run interface so that we can understand the configuration. Also let us know if you were able to capture traffic on the ASA (steps mentioned in my previous reply).
Thanks,
R.Seth
07-23-2015 06:37 AM
I did a capture for the drop and for the interface; neither showed the expected results. I then opened ASDM, went to Monitoring, and put the Nexus as the source IP filter, and sure enough it showed packets passed and dropped when the ping was launched.
I can't traceroute from the Nexus, perhaps because there is only a management VRF. Even the management interface that I can ping can't be tracerouted.
07-23-2015 07:15 AM
Hi Majed,
Now from your update I understand that you tried capturing traffic on the ASA and you did not receive any packets. If this is the case, then you should check whether the routing is correct.
Also, if possible, share the interface config, packet-tracer output and capture output.
Thanks,
R.Seth
07-23-2015 11:08 PM
Here is the config of the interfaces in question:
The management interface:
interface GigabitEthernet0/1.11
vlan 11
nameif Management_LAN
security-level 99
ip address 10.0.11.1 255.255.255.0
The new interface:
interface GigabitEthernet0/1.17
vlan 17
nameif skko_test
security-level 71
ip address 10.0.180.1 255.255.255.0
From the Nexus I ping:
ping 10.0.181.1 vrf management
PING 10.0.181.1 (10.0.181.1): 56 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
ping 10.0.11.1 vrf management
PING 10.0.11.1 (10.0.11.1): 56 data bytes
64 bytes from 10.0.11.1: icmp_seq=0 ttl=254 time=3.809 ms
64 bytes from 10.0.11.1: icmp_seq=1 ttl=254 time=1.305 ms
64 bytes from 10.0.11.1: icmp_seq=2 ttl=254 time=1.972 ms
64 bytes from 10.0.11.1: icmp_seq=3 ttl=254 time=1.92 ms
64 bytes from 10.0.11.1: icmp_seq=4 ttl=254 time=1.931 ms
On the ASA:
cap test interface skko_test match icmp any any
sh cap test
0 packet captured
0 packet shown
The Nexus is connected to a switch and then to the ASA. I added the new VLAN to the trunks on both switches.
I rechecked the cap test:
sh cap test
1 packet captured
1: 08:55:53.186681 802.1Q vlan#17 P0 10.0.11.6 > 10.0.180.1: icmp: echo request
1 packet shown
But it's not the result of pings from the Nexus, as when I make new pings the packet capture does not increase, although 10.0.11.6 is the Nexus.
In packet-tracer the packet is allowed.
07-23-2015 11:23 PM
Who is doing the routing for the Nexus (sh ip ro vrf management)? Can you also post a show route from the ASA?
From what you posted, most likely the packets will first reach Management_LAN and then traverse the ASA to the skko_test interface, which would not be allowed; see previous posts.
Even if you had a specific route for the Nexus to reach the skko_test interface directly, most probably the return route would be through Management_LAN, which would break the uRPF rule on the ASA.
Traian
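The rule the replies above keep coming back to (an ASA address can only be pinged from the interface it is configured on, and only if the icmp command on that interface permits the source) is easy to check mechanically. The script below is an added example, not code from the thread or from Cisco. It rebuilds the interface table and default route from the show run interface and show route output posted later in the thread, treats the icmp command as a first-match list with an implicit deny at the end (and permit-all when no entries exist for an interface), and classifies an echo request from a given source to a given destination. Note that the Nexus ping in the thread targets 10.0.181.1 while the skko_test interface is configured as 10.0.180.1; the example runs both destinations, since they fall into different cases. The outside interface's own address is not shown on the page and is left unset; that a source outside every connected subnet enters via the default-route interface is an assumption.

```python
import ipaddress
from typing import List, Optional, Tuple

# Interface table reconstructed from the "show run interface" and "show route"
# output in the thread: nameif -> (ASA's own address, connected subnet).
# The outside address itself is not on the page, so it is left as None.
ASA_INTERFACES = {
    "Management_LAN": ("10.0.11.1", "10.0.11.0/24"),
    "skko_test": ("10.0.180.1", "10.0.180.0/24"),
    "outside": (None, "172.16.1.0/28"),
}
# S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.1.1, outside
DEFAULT_ROUTE_IFACE = "outside"

# "icmp {permit|deny} net if_name" entries. Constructed to mirror
# "icmp permit any <nameif>" on the inside sub-interfaces, as the poster says he did.
Rule = Tuple[str, str, str]
ICMP_RULES: List[Rule] = [
    ("permit", "0.0.0.0/0", "Management_LAN"),
    ("permit", "0.0.0.0/0", "skko_test"),
]


def ingress_interface(src: str) -> str:
    """Interface a packet from src enters on: the connected subnet containing src.
    Assumption: anything outside every connected subnet arrives via the default route."""
    ip = ipaddress.ip_address(src)
    for name, (_, net) in ASA_INTERFACES.items():
        if ip in ipaddress.ip_network(net):
            return name
    return DEFAULT_ROUTE_IFACE


def egress_interface(dst: str) -> str:
    """Longest-prefix match over the connected routes, else the default route."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[str, ipaddress.IPv4Network]] = None
    for name, (_, net) in ASA_INTERFACES.items():
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (name, n)
    return best[0] if best else DEFAULT_ROUTE_IFACE


def owning_interface(dst: str) -> Optional[str]:
    """Interface whose own IP is dst, or None when dst is not an ASA address."""
    for name, (addr, _) in ASA_INTERFACES.items():
        if addr == dst:
            return name
    return None


def icmp_control_list(iface: str, src: str, rules: List[Rule] = ICMP_RULES) -> str:
    """icmp command semantics: no entries for the interface means everything is
    accepted; otherwise first match wins and the list ends in an implicit deny."""
    ip = ipaddress.ip_address(src)
    entries = [(a, ipaddress.ip_network(n)) for a, n, i in rules if i == iface]
    if not entries:
        return "permit"
    for action, net in entries:
        if ip in net:
            return action
    return "deny"


def check_ping(src: str, dst: str, rules: List[Rule] = ICMP_RULES) -> Tuple[str, str]:
    """Classify an echo request the way the thread describes the ASA behaving."""
    ingress = ingress_interface(src)
    owner = owning_interface(dst)
    if owner is None:
        # Not an ASA address: ordinary through-the-box forwarding, governed by the
        # interface ACLs and NAT rather than by the icmp command.
        return ("through-the-box", f"{ingress} -> {egress_interface(dst)}")
    if owner != ingress:
        # The point made repeatedly in the thread: an ASA address is only reachable
        # from the interface it is configured on, regardless of icmp permit entries.
        return ("drop", f"{dst} belongs to {owner} but the packet arrived on {ingress}")
    return (icmp_control_list(ingress, src, rules), f"to-the-box on {ingress}")


if __name__ == "__main__":
    nexus = "10.0.11.6"
    for target in ("10.0.11.1", "10.0.180.1", "10.0.181.1"):
        print(target, check_ping(nexus, target))
```

Run from the Nexus address 10.0.11.6, the three targets show the three cases: 10.0.11.1 is to-the-box on the ingress interface and is permitted; 10.0.180.1 is an ASA address on skko_test reached from Management_LAN and is dropped; 10.0.181.1 is not an ASA address at all, so it is forwarded through the box and, with the routing table posted, leaves via the default route on outside.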
07-23-2015 11:59 PM
nexus#
sh ip ro vrf management
IP Route Table for VRF "management"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
0.0.0.0/0, ubest/mbest: 1/0
*via 10.0.11.1, [1/0], 3w6d, static
10.0.11.0/24, ubest/mbest: 1/0, attached
*via 10.0.11.6, mgmt0, [0/0], 3w6d, direct
10.0.11.6/32, ubest/mbest: 1/0, attached
*via 10.0.11.6, mgmt0, [0/0], 3w6d, local
On the ASA:
D EX 172.17.32.0 255.255.224.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 172.17.0.0 255.255.224.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 172.16.0.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
C 172.16.1.0 255.255.255.240 is directly connected, outside
D EX 172.18.2.192 255.255.255.192
[170/3328] via 172.16.1.1, 602:28:50, outside
D EX 172.18.2.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 172.18.3.0 255.255.255.0 [170/3328] via 172.16.1.1, 602:28:50, outside
C 192.168.201.0 255.255.255.0 is directly connected, IP-Telefon
C 10.0.10.0 255.255.255.0 is directly connected, Admin
C 10.0.11.0 255.255.255.0 is directly connected, Management_LAN
D EX 10.0.12.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
D EX 10.96.99.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:50, outside
C 10.0.0.0 255.255.255.0 is directly connected, FW-Servers
D 10.1.32.32 255.255.255.240 [90/3328] via 172.16.1.3, 602:28:53, outside
[90/3328] via 172.16.1.1, 602:28:53, outside
D 10.1.32.48 255.255.255.240 [90/3072] via 172.16.1.3, 602:28:53, outside
[90/3072] via 172.16.1.1, 602:28:53, outside
D 10.1.32.3 255.255.255.255 [90/130816] via 172.16.1.3, 602:28:53, outside
C 10.0.126.0 255.255.255.0 is directly connected, FW-KMC
D EX 10.16.99.0 255.255.255.0 [170/3072] via 172.16.1.1, 602:28:53, outside
C 10.0.130.0 255.255.255.0 is directly connected, FW-Appl
C 10.0.128.0 255.255.255.0 is directly connected, FW-Face
C 10.0.132.0 255.255.255.0 is directly connected, FW-DB
C 10.0.180.0 255.255.255.0 is directly connected, skko_test
S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.1.1, outside
I don't know what the uRPF rule is, but it sounds like it is broken?
07-24-2015 12:07 AM
Hi Majed,
From the data provided, I think this is your setup:
[Nexus]------(Management_LAN)[ASA](skko_test)-----------------[10.0.181.1]
>> Now for this setup, check the routing on the ASA.
>> ACLs on the ASA.
>> Output of the command:
packet in Management_LAN icmp nexus_ip 8 0 10.0.181.1
Share some details about how the traffic is going to flow from the ASA and what route you have on the ASA for 10.0.181.1.
Thanks,
R.Seth
07-24-2015 12:34 AM
There is no command that starts with packet; there is packet-tracer.
The ACL is permit ip any any.
The setup is as follows: vSphere, Nexus (vrf management), the Cisco switch, then the ASA.
The servers in the 10.0.180.0/24 subnet are supposed to reach the ASA and from there go either to the outside or to other VLANs.
07-27-2015 12:59 AM
Hi Majed,
Please attach the packet-tracer output, using the command below.
The ASA will auto-complete all the keywords.
packet in Management_LAN icmp nexus_ip 8 0 10.0.181.1
Thanks,