Cisco ASA 5505 Firewall Configuration and Routing Problem

aoyawale
Level 1

Hi,

Can anyone please help with the following:

1. A firewall configuration that would allow me to ping both the inside & outside interfaces of the ASA 5505 firewall from PC1 and PC2 as shown in the attachment. I have tried to configure this several times but was unsuccessful.

2. Also, from PC1 I'm unable to ping SW2, SW3 & PC2; what could be the problem?

3. I replaced the ASA5505 with a Cisco 2800 router and still experienced the problem in (2) above.

Thanks for your kind and prompt assistance.

Regards

5 Replies

m.kafka
Level 4

would you share your config you have so far?

what's the configuration of the switches and switchports?

can you ping the inside interface from PC1?

can you ping the outside interface from PC2?

do you have "inspect icmp" configured in your policy map?

what is the "route print" resp "netstat -r" output of the PCs?

do you see all necessary ARP entries on all devices?

do you see all mac addresses in the mac-address-table of the switches?

do you have a permit icmp echo-request on the access-list bound to the outside interface?

do you have the correct routing table entries on the asa?

...just a few steps for troubleshooting; it shouldn't take you too long to go through these steps.

best regards,

MiKa

Hi Mika,

Thanks so much for your prompt response and your suggestions. It's almost midnight at my current location so I may not have all the info you required but see my response below:

1. Firewall config is attached (manually edited to remove sensitive info)

2. Interface config of router attached

3. SW2 & Sw3 have default configuration

4. STP is configured on SW1

5. Can ping inside interface from PC1

6. Cannot ping outside interface from PC1

7. Cannot ping outside interface from PC2

8. Cannot ping inside interface from PC2

9. All PCs on either side of the firewall can ping other PCs on their subnet (so ARP/MAC tables seem to be ok).

Thanks once again for your help.

Tee

Hi, and you're welcome

First thing, the Router:

The Router is configured for 100/full and switch default is speed/duplex auto. Result: speed/duplex mismatch can possibly break the complete communication (I just had a similar case on a customer network, complete loss of connectivity because of fixed/auto mismatch)

Second thing, the ASA:

icmp permit host PC2 echo-reply outside
icmp permit host PC2 echo outside

will prevent PC1 from pinging the outside interface

I don't see the object PC1 defined anywhere... maybe that's the reason for PC1 not getting anywhere?

Maybe you should make an attempt to issue a packet tracer command like:

packet-tracer input outside icmp [source-ip of PC2] 8 0 [destination-ip of PC1] detailed

and a similar command in the return path

Rgds,

MiKa
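The checklist in MiKa's first reply (inspect icmp in the policy map, an echo permit on the outside ACL, correct routes) and the icmp/packet-tracer commands in the reply above fit together into one small configuration. The fragment below is an added example written for this thread; it is not the poster's attached config and not an official Cisco reference. All addresses are constructed placeholders (inside 192.168.1.0/24 with PC1 at .10, outside 10.0.0.0/24 with PC2 at .10), and NAT is deliberately left out. Two points the fragment is built around: the ASA's own interfaces answer ICMP according to the "icmp" command, not the interface ACL, and as soon as one "icmp" entry exists on an interface everything not explicitly permitted there is denied; and the ASA by design only answers pings to an interface from the network attached to that interface, so an inside host cannot ping the outside address (which matches the results in the thread's last update).

```text
! Added example ASA 5505 fragment (constructed addresses, not the poster's config).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! ICMP *to* the ASA itself: governed by "icmp", with an implicit deny once any
! entry exists on that interface. Each interface answers its own subnet only.
icmp permit 192.168.1.0 255.255.255.0 echo inside
icmp permit 10.0.0.0 255.255.255.0 echo outside
!
! ICMP *through* the ASA from the lower-security outside must be permitted by
! the ACL bound to outside; inside-to-outside is allowed by security level.
access-list OUTSIDE_IN extended permit icmp host 10.0.0.10 host 192.168.1.10 echo
access-group OUTSIDE_IN in interface outside
!
! ICMP inspection makes echo/echo-reply stateful, so PC1's pings to PC2 get
! their replies back without an echo-reply line in OUTSIDE_IN.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! Verification from the ASA CLI: simulate each direction and read which phase
! (ACL, NAT, inspection, route lookup) drops the packet.
packet-tracer input outside icmp 10.0.0.10 8 0 192.168.1.10 detailed
packet-tracer input inside icmp 192.168.1.10 8 0 10.0.0.10 detailed
```

If address translation is in use, the outside ACL has to name the address the ASA sees for PC1: the translated address on software before 8.3, the real address on 8.3 and later. The two packet-tracer lines are the quickest way to tell whether a remaining failure is the ACL, the inspection policy or the routing table.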

Hi MiKa,

1. I've solved the router problem by clearing the ARP tables on all the devices... thanks for your advice.

2. Still have following problems with the ASA

- PC1 can ping inside interface but cannot ping outside interface or PC2

- PC2 cannot ping inside interface, outside interface or PC1

I've attached my new firewall config file.

Thanks.

aoyawale
Level 1

Hi MiKa,

Quick update on the ASA:

1. PC1 can ping inside interface and PC2

2. PC1 cannot ping outside interface

3. PC2 can ping outside interface and PC1

4. PC2 cannot ping inside interface

Configuration file sent earlier is still running

Sent from Cisco Technical Support iPhone App
