CISCO ASA 5506-x ping issues

I am having an issue pinging through my ASA. I am able to ping from the outside interface on the ASA to the internet, and from my client PC (on the inside network) to the inside port on the ASA, but cannot go through.

ISP gateway - 192.168.1.254 /24
ASA (Outside) - 192.168.1.231 /24
ASA (Inside) - 172.16.1.1 /24
Router (Inside) - 172.16.1.2 /24
Router (Inside LAN) - 172.16.10.1 /24
Client PC (Inside LAN) - 172.16.10.10 /24

I used EIGRP routing to get between the networks, but the 192.168.1.0 network will not populate in the routing table. I do have a static route configured.

I simulated my network in Packet Tracer using loopbacks as my "ISP".

hostname ciscoasa
names
!
interface GigabitEthernet1/1
 description Connection to inside
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1/2
 description Connection to ISP
 nameif outside
 security-level 0
 ip address 192.168.1.231 255.255.255.0
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/4
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/6
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
 shutdown
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 shutdown
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
object network IN-OUT
 subnet 172.16.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.1.0 1
!
access-list INSIDE-OUT extended permit icmp 172.16.0.0 255.255.0.0 any echo-reply
!
access-group INSIDE-OUT in interface inside
access-group INSIDE-OUT out interface outside
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
router eigrp 1
 network 8.8.8.8 0.0.0.0
 network 8.8.8.1 0.0.0.0
 network 172.16.1 0.0.0.255
 network 192.168.1.0

Muhammad Awais Khan
Cisco Employee

Hi,

Why do you apply this on the inside interface? You don't need to apply it on inside.

no access-group INSIDE-OUT in interface inside

And modify your ACL to the below:

access-list INSIDE-OUT extended permit icmp any 172.16.0.0 255.255.0.0 echo-reply

After doing the above, ICMP should start working fine.

This still did not resolve it. Would it be an issue with EIGRP? Is OSPF a better option?

Are you using EIGRP between the ASA and the Internet edge? Are both interfaces on the same subnet where you are running the protocol between the two?

PROBLEM

!
interface GigabitEthernet1/1
 description Connection to inside
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!

Change the nameif:

!
interface GigabitEthernet1/2
 description Connection to ISP
 nameif inside -- change to outside
 security-level 0
 ip address 192.168.1.231 255.255.255.0
!
access-list INSIDE-OUT extended permit icmp any 172.16.0.0 255.255.0.0 echo-reply
access-group INSIDE-OUT out interface outside
!
packet-tracer input outside icmp 8.8.8.8 8 0 172.16.1.x

If you look at your configuration, you define nameif inside twice and then you match the access-group with interface outside.

(or)

Give the commands fixup protocol icmp AND fixup protocol icmp-error.

please do not forget to rate.

I fixed that problem. Still cannot ping. Here are my new configs:

 

interface GigabitEthernet1/1
 description Connection to inside
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1/2
 description Connection to ISP
 nameif outside
 security-level 0
 ip address 192.168.1.231 255.255.255.0
!
object network IN-OUT
 subnet 172.16.1.0 255.255.255.0
!
route ISP 0.0.0.0 0.0.0.0 192.168.1.254
!
access-list INSIDE-OUT extended permit icmp any 172.16.0.0 255.255.0.0 echo-reply
!
access-group INSIDE-OUT out interface outside
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
router eigrp 1
 network 8.8.8.8 0.0.0.0
 network 8.8.8.1 0.0.0.0
 network 180.100.99.0 0.0.0.255
 network 192.168.13.0

 

Potential OS issue between devices?

Is this a test lab or a production network? I noted you do not have NAT rules. In order to ping, or for any other service you are running, from outside to inside you need a static NAT. Even though you have an access-list defined and also an access-group defined, it will always fail, as you are coming from outside to inside, and outside has security level 0 while inside has security level 100. From 100 to 0 you can go, no problem, but from 0 to 100 you need an access-list/access-group and a NAT rule defined (this could be identity NAT or dynamic NAT).

please do not forget to rate.

Simulation of a production network. I have NAT configured as such:

nat (inside,outside) dynamic interface

I assume you are pinging from inside to outside; you need to modify the direction from out to in.

no access-group INSIDE-OUT out interface outside
access-group INSIDE-OUT in interface outside

HTH

Good spot @Rob Ingram.

You are doing a dynamic NAT; it will fail on rpf-check. Do you need a whole range of IP addresses to be pingable from outside?

If you have a spare IP address (as you are already using RFC1918 for outside), do this for a test:

object network TEST
 host 172.x.x.x (inside-single-host-ip-address)
 nat (inside,outside) static 192.168.x.x
!
access-list outside_in ex permit icmp any object TEST eq echo-reply
access-group outside_in in interface outside

please do not forget to rate.

Making progress. The test did not work. I deleted the EIGRP route to the 192.168.1.0 network on the ASA. I am now getting a reply, "destination host unreachable", whereas before, nothing. I have ICMP enabled on the ASA going out the outside interface. New configs:

interface GigabitEthernet1/1
 description Connection to inside
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1/2
 description Connection to ISP
 nameif outside
 security-level 0
 ip address 192.168.1.231 255.255.255.0
!
object network IN-OUT
 subnet 172.16.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
!
access-list INSIDE-OUT extended permit icmp 172.16.1.0 255.255.255.0 any echo-reply
!
access-group INSIDE-OUT in interface outside
object network IN-OUT
 nat (inside,outside) static 192.168.1.231
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
router eigrp 1
 network 172.16.1.0 255.255.255.0

 

 

Hi,

Now all the configuration looks good, but the ACL still has an issue. You have to modify your ACL to allow the ICMP traffic destined to the 172.16.1.0 network, so this network should be mentioned in the destination part of the ACL, not in the source part:

no access-list INSIDE-OUT extended permit icmp 172.16.1.0 255.255.255.0 any echo-reply

access-list INSIDE-OUT extended permit icmp any 172.16.1.0 255.255.255.0 echo-reply
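Rob Ingram's direction fix and the two ACL corrections above (the 172.16.x.x network as destination, not source) all hinge on which interface and direction an ACL is bound to. The following is an added Python model, not code from this thread or from Cisco, that emulates only the ASA interface-ACL and security-level check; NAT and stateful ICMP inspection are deliberately left out, so it shows the ACL logic rather than a full packet-tracer result. It assumes the interface names and security levels posted above and parses only the `any`, `host A` and `A MASK` address forms.

```python
import ipaddress

SECURITY_LEVEL = {"inside": 100, "outside": 0}  # from the interface blocks posted in the thread

def _addr(tokens):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(config):
    """Collect extended ACEs per ACL name and access-group bindings (iface, direction) -> ACL."""
    acls, groups = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and len(t) > 5 and t[2] == "extended":
            src, rest = _addr(t[5:])
            dst, rest = _addr(rest)
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst, rest[0] if rest else None))
        elif t[:1] == ["access-group"] and len(t) == 5:
            groups[(t[4], t[2])] = t[1]  # access-group NAME in|out interface IFACE
    return acls, groups

def permitted(config, in_if, out_if, proto, src, dst, icmp_type=None):
    """Interface-policy check only (no NAT, no stateful ICMP inspection): the ACL bound 'in'
    on the ingress interface decides, else the security-level rule (higher to lower allowed,
    lower to higher denied); an ACL bound 'out' on the egress interface is checked after."""
    acls, groups = parse_config(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def acl_allows(name):  # first matching ACE wins; every ASA ACL ends in an implicit deny
        for action, p, sn, dn, itype in acls.get(name, []):
            if p in (proto, "ip") and s in sn and d in dn and itype in (None, icmp_type):
                return action == "permit"
        return False

    inbound, outbound = groups.get((in_if, "in")), groups.get((out_if, "out"))
    ok = SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if] if inbound is None else acl_allows(inbound)
    return ok and (outbound is None or acl_allows(outbound))

# Constructed samples: the ACL as first posted (inside network in the source field, bound on
# both interfaces) and the corrected form (inside network as destination, bound 'in' on outside).
ORIGINAL = """access-list INSIDE-OUT extended permit icmp 172.16.0.0 255.255.0.0 any echo-reply
access-group INSIDE-OUT in interface inside
access-group INSIDE-OUT out interface outside"""
CORRECTED = """access-list INSIDE-OUT extended permit icmp any 172.16.0.0 255.255.0.0 echo-reply
access-group INSIDE-OUT in interface outside"""
# e.g. permitted(CORRECTED, "outside", "inside", "icmp", "8.8.8.8", "172.16.10.10", "echo-reply") -> True
```

Run over ORIGINAL, the echo-reply from 8.8.8.8 is rejected by the security-level rule (no ACL bound inbound on outside) and, less obviously, the outbound echo request is dropped by the inside-bound ACL's implicit deny, since that ACL only permits echo-reply; CORRECTED allows both directions of the ping while still denying an unsolicited echo request from outside.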

No success here. I can ping from the client on the inside to the inside port on the ASA, but not through.

I just noticed your NAT: since you are translating the whole subnet to a single IP address (outside), it should be dynamic, not static.

access-group INSIDE-OUT in interface outside
object network IN-OUT
 no nat (inside,outside) static 192.168.1.231
 nat (inside,outside) dynamic 192.168.1.231

Can you test the above?

Dynamic NAT is not going to work, as you break the ASA fundamentals. In order to reach the inside network from outside you need a NAT rule with static NAT.

I have just tested this in the lab. Here is my output. Change your network IP addressing accordingly.

!
object network ALL-WIRELESS   (THIS IS MY WIRELESS NETWORK WITH SECURITY-LEVEL 100)
 subnet 192.168.185.0 255.255.255.0
 nat (wireless-house,outside) static 192.168.1.55  (I borrowed one IP address from the outside subnet range)
!
access-list ALL-WIRELESS line 1 extended permit icmp any object ALL-WIRELESS echo-reply
access-group ALL-WIRELESS in interface outside

packet-tracer input outside icmp 8.8.8.8 0 8 192.168.1.55

Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR-CLASS
match access-list SFR
policy-map global_policy
class SFR-CLASS
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network ALL-WIRELESS
nat (wireless-house,outside) static 192.168.1.55
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 273112, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: wireless-house
output-status: up
output-line-status: up
Action: allow

 

please do not forget to rate.