Can't ping the internal network of our organization

arya1
Level 1

Below is the firewall config (with all the company info removed) that I'm trying to deploy in our environment.

The firewall is in the internal 10.68.48.0/20 subnet, and I cannot ping the other internal subnets of the organization (e.g. the 10.7.0.0/20 subnet) from the firewall. Can someone please have a look at the config below and tell me what I'm missing?

I have no experience working with firewalls and I'm not sure what I need to add further.


FW001# sh run
: Saved

:
: Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.4(4)17
!
terminal width 200
hostname FW001
domain-name corporate.net

names
!
interface GigabitEthernet1/1
 description *** To Internet ***
 shutdown
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet1/2
 description *** To Switch ***
 channel-group 1 mode active
 no nameif              
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 description *** To Switch ***
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 description *** To YP Router ***
 nameif DMZ-YP
 security-level 80
 ip address 1x.0.2.x1 255.255.255.248
!
interface GigabitEthernet1/5
 description << To 100M Internet Line >>
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 description <<Fiber_400>>
 nameif outside-2
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 lacp max-bundle 8              
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.100
 vlan 100
 nameif Server_LAN
 security-level 100
 ip address 10.68.54.251 255.255.255.0
!
interface Port-channel1.101
 vlan 101
 nameif User-LAN
 security-level 100
 ip address 10.68.55.251 255.255.255.0
!
interface Port-channel1.999
 vlan 999
 nameif Management
 security-level 100
 ip address 10.68.48.251 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2
 domain-name corporate.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 10.200.0.0
subnet 10.200.0.0 255.248.0.0
object network 10.208.0.0
 subnet 10.208.0.0 255.254.0.0
object network 10.0.0.0
 subnet 10.0.0.0 255.255.0.0
object network 10.21.0.0
 subnet 10.21.0.0 255.255.0.0
object network 10.31.16.0
 subnet 10.31.16.0 255.255.255.128
object network 10.40.0.0
 subnet 10.40.0.0 255.254.0.0
object network 10.7.0.0
 subnet 10.7.0.0 255.255.0.0
object network 10.8.0.0
 subnet 10.8.0.0 255.254.0.0
object network 10.20.110.0
 subnet 10.20.110.0 255.255.255.0
object network 10.64.0.0
 subnet 10.64.0.0 255.224.0.0
object network 10.204.106.0
 subnet 10.204.106.0 255.255.255.0
object service TCP-4000
 service tcp destination eq 4000
object service TCP-22
 service tcp destination eq ssh
object network INSIDE_10.68.48.0_20
 subnet 10.68.48.0 255.255.240.0
object network DMZ-YP-Subnet
 subnet 192.0.x.xx 255.255.255.248
object network YP-Remacc1
 host 1xx.1xx.167.34
object network YP-Remacc2
 host 1xx.1xx.240.3
object network YP
 host 1xx.0.x.xx
object service SSH-YP
 service tcp source eq ssh
object service SSH-YP-OUT
 service tcp source eq 4000
object-group network xxx-Remote-Subnet
 network-object object 10.0.0.0
 network-object object 10.20.110.0
 network-object object 10.200.0.0
 network-object object 10.208.0.0
 network-object object 10.21.0.0
 network-object object 10.31.16.0
 network-object object 10.40.0.0
 network-object object 10.7.0.0              
 network-object object 10.8.0.0
 network-object object 10.64.0.0
 network-object 10.66.0.0 255.254.0.0
 network-object object 10.204.106.0
object-group network YP-Remote
 network-object object YP-Remacc1
 network-object object YP-Remacc2
object-group network YPSSH
 network-object host 1xx.59.xx4.xx4
 network-object host 15x.10x.2xx.32
access-list DMZ-YP_ACCESS_IN extended permit ip object DMZ-YP-Subnet any
access-list DMZ-YP_ACCESS_IN extended permit ip object-group xkx-Remote-Subnet any
access-list DMZ-YP_ACCESS_IN extended permit icmp any any time-exceeded
access-list DMZ-YP_ACCESS_IN extended permit icmp any any unreachable
access-list DMZ-YP_ACCESS_IN extended permit icmp any any traceroute
access-list OUTSIDE-2_ACCESS_IN extended permit icmp any any
access-list OUTSIDE-2_ACCESS_IN extended permit tcp object-group YPSSH object YP eq ssh
access-list OUTSIDE-2_ACCESS_IN extended permit tcp object-group YP-Remote object YP eq ssh
pager lines 24
logging enable
logging asdm informational
logging host Management 10.202.10.232 17/1514
logging class session trap informational
mtu outside 1500
mtu DMZ-YP 1500
mtu outside-2 1500
mtu Server_LAN 1500
mtu User-LAN 1500
mtu Management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any User-LAN
icmp permit any Management
asdm image disk0:/asdm-791-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DMZ-YP,outside-2) source static YP interface service SSH-YP SSH-YP-OUT
nat (DMZ-YP,outside-2) source dynamic DMZ-YP-Subnet interface
nat (Server_LAN,outside-2) source dynamic INSIDE_10.68.48.0_20 interface
nat (User-LAN,outside-2) source dynamic INSIDE_10.68.48.0_20 interface
nat (Management,outside-2) source dynamic INSIDE_10.68.48.0_20 interface
object network obj_any
 nat (any,outside-2) dynamic interface
access-group DMZ-YP_ACCESS_IN in interface DMZ-YP              
access-group OUTSIDE-2_ACCESS_IN in interface outside-2
router rip
 network 1xx.0.x.0
 version 2
!
route outside-2 0.0.0.0 0.0.0.0 x.xx.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 DMZ-YP
http 0.0.0.0 0.0.0.0 outside-2
snmp-server host DMZ-YP 10.202.10.232 community ***** version 2c
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 DMZ-YP
ssh 0.0.0.0 0.0.0.0 outside-2
ssh 10.68.54.0 255.255.255.0 Server_LAN
ssh 10.68.55.42 255.255.255.255 User-LAN
ssh 10.68.55.0 255.255.255.0 User-LAN
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Management
dhcprelay server 10.68.54.12 Server_LAN
dhcprelay enable User-LAN       
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.202.100.1 source Management prefer
dynamic-access-policy-record DfltAccessPolicy
username Temporary password .s86pxc3Jm62lZTh encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp              
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
: end
4 Replies

Dennis Mink
VIP Alumni

Your 10.7.0.0/20 does not seem to be directly connected, so if you do a sh route, have you got a route from the FW to this subnet at all? Can you do a ping to anything in that subnet, sourcing from the inside IP of your ASA?

Please remember to rate useful posts, by clicking on the stars below.
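To make Dennis's check concrete, here is an added Python 3 example (standard library only; not code from the thread or from Cisco) that parses the interface and static-route lines of a `show run` excerpt and does a longest-prefix lookup for a destination, reporting the egress interface and the address an ASA-originated ping would be sourced from. The excerpt is constructed from the posted config with the masked public addresses replaced by RFC 5737 placeholders; it only sees connected and static routes, not routes learned by RIP, which `show route` on the ASA would list.

```python
import ipaddress
import re
# Constructed excerpt of the posted config (masked public IPs -> RFC 5737 addresses).
SAMPLE_CONFIG = """\
interface Port-channel1.100
 nameif Server_LAN
 ip address 10.68.54.251 255.255.255.0
interface Port-channel1.101
 nameif User-LAN
 ip address 10.68.55.251 255.255.255.0
interface Port-channel1.999
 nameif Management
 ip address 10.68.48.251 255.255.255.0
interface GigabitEthernet1/6
 nameif outside-2
 ip address 203.0.113.2 255.255.255.252
route outside-2 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

def routing_table(cfg):
    """Connected networks and static routes as (prefix, nameif, source_ip, kind)."""
    table, nameif, addrs = [], None, {}
    for line in cfg.splitlines():
        if line.startswith("interface "):
            nameif = None                      # new interface block, no nameif yet
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            ip, mask = line.split()[2:4]
            addrs[nameif] = ipaddress.ip_interface(f"{ip}/{mask}")
            table.append((addrs[nameif].network, nameif, addrs[nameif].ip, "connected"))
    # Static routes: "route <nameif> <network> <mask> <next-hop> [metric]"
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        out, net, mask, nexthop = m.groups()
        src = addrs[out].ip if out in addrs else None
        table.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), out, src, f"static via {nexthop}"))
    return table

def lookup(dst, cfg):
    """Longest-prefix match: how an ASA-originated ping to dst would be forwarded."""
    dst = ipaddress.ip_address(dst)
    candidates = [e for e in routing_table(cfg) if dst in e[0]]
    if not candidates:
        return ("no route", None, None)
    prefix, nameif, src, kind = max(candidates, key=lambda e: e[0].prefixlen)
    return (kind, nameif, str(src) if src else None)
```

With only the default route present, the lookup shows a ping to 10.7.0.10 leaving via outside-2 sourced from the outside address rather than from an inside interface IP. A route toward an inside next hop, whether static or learned by RIP on the inside interfaces, is what changes that result.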


Yes, routes to that network are learnt by RIP.

Good - then just re-read the last reply from Dennis and provide the output if we are to solve this.