04-25-2023 04:19 PM
Hello All,
I'm doing a lab in GNS3. I just built an ASA active/standby pair, which has no issues, but when I try to access the outside IP address (the ISP) I cannot ping it from the inside interface, though there is no problem from the outside interface.
I thought that in Cisco ASA you can reach a lower-security interface from a higher-security interface as long as you have a route in place, but it's not working in my case. Please see the configs below.
Also, show mac-address / show mac-address-table is not working either.
Any help is appreciated.
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
!
interface Ethernet0
description link to outside
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet1
description LAN Failover Interface
!
interface Ethernet2
description link to inside
nameif inside
security-level 100
ip address 10.10.10.253 255.255.255.0 standby 10.10.10.254
!
Primary-ASA(config)# sh version
Cisco Adaptive Security Appliance Software Version 9.1(5)16
Device Manager Version 7.9(2)152
05-01-2023 08:30 AM
@SS2020 Windows PC 1 is on the inside of the ASA (192.168.1.0/24) and your ACL is inbound on the outside interface from source 192.168.1.0/24, which is incorrect. The source networks inbound on the outside interface would be 123.123.123.0/24 and 172.16.1.0/24.
Assuming the inside interface has a security level of 100 (default) and the outside interface has a security level of 0 (default), then SSH traffic from inside to outside should automatically be permitted. You will need to enable ICMP inspection though; run fixup protocol from the CLI.
Does R2 have a route back to Windows PC1, i.e. a route to 192.168.1.0/24, or are you NATing behind the ASA? If neither, do one of them.
04-26-2023 12:24 AM
@SS2020 you cannot be connected behind one interface (inside) and ping through the ASA to one of the ASA's other interfaces (outside). That will not work; that is by design.
For testing you should ping through the ASA to a device behind the ASA, rather than to the ASA itself. You would need an ACL to permit icmp echo-reply inbound on the outside interface or enable icmp inspection. You can enable icmp inspection using fixup protocol icmp.
04-26-2023 03:33 PM
Hello Rob,
Thank you for the reply.
I'm not trying to ping from one ASA to the other ASA. I'm trying to ping from the ASA inside to the ISP, which by design should be allowed from a higher level to a lower level, isn't that right?
Right now I have an access-list in place; I can ping the ISP from the FW inside interface but am not able to ping the ISP from my LAN router!
I thought the access-list below allows the /24 range to ping outside:
access-list 101 extended permit icmp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
!
Primary-ASA# ping in
Primary-ASA# ping inside 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
ICMP echo request from 10.10.10.253 to 192.168.1.3 ID=50091 seq=53754 len=72
?ICMP echo request from 10.10.10.253 to 192.168.1.3 ID=50091 seq=53754 len=72
?ICMP echo request from 10.10.10.253 to 192.168.1.3 ID=50091 seq=53754 len=72
?ICMP echo request from 10.10.10.253 to 192.168.1.3 ID=50091 seq=53754 len=72
?ICMP echo request from 10.10.10.253 to 192.168.1.3 ID=50091 seq=53754 len=72
?
Success rate is 0 percent (0/5)
===============================
From LAN Router to ISP failed
LAN#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Any ideas why, please?
Many thanks.
05-01-2023 08:15 AM
Hello Rob,
I have changed the topology as below,
and I have created an ACL as below.
access-list ping_out extended permit tcp 192.168.1.0 255.255.255.0 any4 eq ssh
access-list ping_out extended permit icmp 192.168.1.0 255.255.255.0 any echo-reply
inter e1
access-group ping_out in interface outside
But when I try to either ping or SSH to R2 from the inside Windows PC, it fails.
I'm so confused about why it's not working.
Could you help, please?
Regards,
Star
05-01-2023 08:23 AM
Again, do you have a route in R2 for inside? You are wasting your time this way.
05-02-2023 05:29 PM
Hello MHM,
Thank you for your support. Yes, I do have dynamic routing from R2 to the ASA and the internal network.
R2#sh ip route eigrp
Gateway of last resort is not set
D 192.168.1.0/24 [90/1075200] via 1.1.1.1, 00:47:51, Ethernet0/1
Thank you again.
05-02-2023 05:33 PM
Hello Rob,
Thank you for the info. Yes, the ACL was wrong; I fixed it as you recommended and it's working now.
Now I'm able to telnet to the outside network and ping from outside to inside.
Thank you for your support as always.
I'm learning about the ASA, so I have no doubt that I will have more questions in the near future.
Thank you again.
04-26-2023 01:03 AM - edited 04-26-2023 03:50 PM
Two points here if you want to ping the ISP router from inside:
1- Did you configure an ICMP policy?
2- Does the ISP know the path to the ASA inside subnet (a route to the inside subnet)?
04-26-2023 04:26 PM
Hello MHM,
The ISP can only ping the outside interface of the FW, which it is directly connected to, and they are in the same subnet; other than that, the ISP doesn't know about the internal subnet. Why do you think the ISP should know about the internal subnet, please?
I thought that in Cisco ASA, ICMP is the only protocol enabled by default.
And I do believe that ICMP is enabled; please see below.
Primary-ASA(config)# sh run | in icmp
access-list 101 extended permit icmp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
icmp unreachable rate-limit 1 burst-size 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
inspect icmp
Primary-ASA(config)#
04-26-2023 04:32 PM
ASA is like any router:
If the inside is NATing, then the ISP does not need a route for the inside subnet.
If the inside is not NATing, the ISP needs a route for the inside subnet.
An ICMP echo reply from the ISP to inside needs a route in the RIB to forward it.
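Putting the accepted answer (the ACL direction and the need for ICMP inspection) together with MHM's point above about NAT versus a return route, the following is an added ASA configuration example for this thread's scenario; it is not configuration posted by anyone in the thread. The addresses (inside 192.168.1.0/24 with the ASA outside interface at 1.1.1.1, and 123.123.123.0/24 and 172.16.1.0/24 as the outside networks) are assumptions pieced together from the fragments visible in the posts, and the object and ACL names are invented for illustration.

```cisco
! Added example, not the poster's configuration. Addresses and names are assumptions.
! Assumed: inside = 192.168.1.0/24 (security-level 100), outside = 1.1.1.1/24 (security-level 0).
!
! 1. Inside -> outside is permitted by the security levels alone; no ACL is needed for
!    that direction. What is needed is ICMP inspection, so the echo-reply arriving on the
!    outside interface is matched to the outbound echo and let back in. The legacy command
!    "fixup protocol icmp" used in the thread is rewritten by the ASA into exactly this:
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! 2. Return path. The outside device (R2 / ISP) must either know a route to 192.168.1.0/24
!    or see the ASA's outside address as the packet source. Pick ONE of these:
!
! 2a. No NAT: configure the route on R2, not on the ASA, e.g.
!       ip route 192.168.1.0 255.255.255.0 1.1.1.1
!     (the thread's R2 learns it via EIGRP instead, which serves the same purpose).
!
! 2b. NAT: hide inside hosts behind the outside interface address; R2 then needs no route.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! 3. An ACL applied "in" on the outside interface filters traffic ARRIVING from the outside,
!    so its source networks are the outside ones, never the inside subnet. It is only needed
!    when outside hosts must initiate traffic to inside hosts (e.g. outside -> inside ping),
!    and with 2b (dynamic PAT) that would additionally require a static NAT for the target.
access-list OUTSIDE_IN extended permit icmp 123.123.123.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE_IN extended permit icmp 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-group OUTSIDE_IN in interface outside
!
! Verification: simulate an inside host (assumed 192.168.1.10) pinging an outside host
! (assumed 172.16.1.1) and watch which phase (ACL, NAT, route, inspect) drops it, if any.
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.1.1 detailed
```

packet-tracer is the quickest way to tell the three failure modes in this thread apart: a drop in the ACCESS-LIST phase means a wrongly directed ACL, a drop in the ROUTE-LOOKUP phase means the ASA itself has no path, and an ALLOW result followed by a real ping that still times out points at the far end having no return route (MHM's case 2a).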
05-02-2023 02:51 AM
Agree with @MHM Cisco World, verify your routing before spending time troubleshooting other possible issues.