Solved: Cisco ASA 5505 - Base License

Rrv_ricardo · ‎08-23-2013

Hello to everyone

I having this kind of config and in my network were workig flawless but in the site installed is giving me trouble.

First my conection to the site is working so i can access from the internet to the ASA, but I cant do inter-vlan routing in the ASA.

I have activated those commands and nothing i cant not ping to my vlan2 interface from my inside: I do not have a router making the L3 routing only the ASA but it could let me pass traffic because the ASA is a L3 device. alsa this licence has no trunk.

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Well I have do many things and nothing,

policy-map global_policy

class inspection_default

inspect icmp

not results, waiting for your comments.

#################

################

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : 10

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

SSL VPN Peers : 2

Total VPN Peers : 10

Dual ISPs : Disabled

VLAN Trunk Ports : 0

Botnet Traffic Filter : Disabled

################

########################

ASA Version 8.2(5)

!

hostname ASA5505

enable password XXXXXXXXXXXXXX encrypted

passwd XXXX.XXXXXXXX encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address XX.XX.XX.174 255.255.255.248

!

ftp mode passive

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 10.0.0.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 XX.XX.XX.169 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 10.0.0.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username root password XXXXXXXXX encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:0c8a226f7c4a8d5a03e6fcd821893898

: end

#########################################

Jouni Forss · ‎08-24-2013

Hi,

If you are trying to PING / ICMP the ASA "outside" interface from a host that is located behind "inside" interface then this is not possible and no configuration will help with this fact.

Host can only send PING / ICMP to interfaces behind which they are located.

Otherwise you configuration seems pretty simple. You have the LAN directly connected to the ASA and have Dynamic PAT configured for the Internet traffic. Since you dont have any ACLs configured it means that the interface "security-level" control the traffic and therefore allow traffic from "inside" to "outside".

If you want to use ICMP from "inside" to "outside" you should and the Inspection configurations

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

- Jouni

View solution in original post

Anthony.Herman · ‎08-23-2013

Sorry not really understanding what your question is.

Harvey Ortiz · ‎08-23-2013

Hi Ricardo,

Do you have another network behind the inside interface?

Please specify where are you trying to ping?

Also please run:

Show run icmp

and let me know the outputs.

Regards,

Harvey

Rrv_ricardo · ‎08-25-2013

ASA5505# Show run icmp

icmp unreachable rate-limit 1 burst-size 1

That is the output from the file.

Jouni Forss · ‎08-24-2013

Hi,

If you are trying to PING / ICMP the ASA "outside" interface from a host that is located behind "inside" interface then this is not possible and no configuration will help with this fact.

Host can only send PING / ICMP to interfaces behind which they are located.

Otherwise you configuration seems pretty simple. You have the LAN directly connected to the ASA and have Dynamic PAT configured for the Internet traffic. Since you dont have any ACLs configured it means that the interface "security-level" control the traffic and therefore allow traffic from "inside" to "outside".

If you want to use ICMP from "inside" to "outside" you should and the Inspection configurations

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

- Jouni

Rrv_ricardo · ‎08-25-2013

I did the config for the ICMP but not results i will go and do an access-list to see if i can solve the problem.

Sorry im new to asa, and i will study more of it.

Harvey Ortiz · ‎08-30-2013

Hi Ricardo,

As Jouni said

Host can only send PING / ICMP to interfaces behind which they are located.

Can you please tell me the source IP address(host where you are run the ping) I guess it should be 10.0.0.x pinging to which IP address?

Please provide this information , then I could say if that it´s allowed or not.

Regards,

Harvey

Rrv_ricardo · ‎09-01-2013

Cisco ASA 5505 Base License - not inter-vlan-routing no internet access from inside interface

here the output from my pings

ping

Interface: inside

Target IP address: 10.0.0.1

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA5505# ping

Interface: outside

Target IP address: 66.XX.XX.174

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 66.XX.XX.174, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA5505# ping

Interface: inside

Target IP address: 66.XX.XX.174

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 66.XX.XX.174, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ASA5505# ping

Interface: outside

Target IP address: 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

So inter-vlan routing is not wowrking after I have to use the followings commands to see if there any change but not results

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

policy-map global_policy

class inspection_default

inspect icmp

exit

service-policy global_policy global

After all the thing i've done in CLI I logged into the ASDM and in the nat section i look that nat was not having destination.

global (outside) 10 interface

nat (inside) 10 10.0.0.0 255.255.255.0

so I decide to apply in this way

global (outside) 1 interface

nat (inside) 1 access-list inside_nat_outbound

and voila everything is working i was able to ping 4.2.2.2 to the outside, I think that the problem is with the public ip directly assigned to the ASA by iSP and not the private ip, because in my test enviorement was working perfectly and i was using 192.168.0.0 and 172.18.0.0 networks as the outside interface ip and everything was fine.

But thanks to all that help now have to start to apply security and acls configs.

Julio Carvajal · ‎09-01-2013

Hello Ricardo,

A couple of things here

As the previous engineers has state on an ASA you cannot ping the far-end interface (this means if I sit on a desktop behind the inside interface I will not be able to ping the Outside interface IP address but the inside interface)
On an ASA device when you do a ping inside 4.2.2.2 you are not letting the device know that you want to source the packet from the inside interface IP address (as a router would do) you are basically telling the ASA try to contact 4.2.2.2 via the Inside Interface and Ofcourse this will not work.

So that being said the solution you are providing does not solve the fact that the ping inside 4.2.2.2 will not work as that will never happen (unless you reach the internet via Inside)

The different between one NAT and the other is that with one you make reference to the destination address, on the other not.

So with that in mind if you have not changed anything else on the inside network I would blame the ISP.

Ricardo remember to rate all of the helpful answeres,,,

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC