Connectivity trouble with ASA help!

robbo79871
Level 1

Hi, I'm having trouble getting PCs to communicate in my topology with my ASA in the middle of it. Basically I have an ASA connected to a switch that connects to 2 PCs, but nothing is pinging; the ASA can ping its own VLAN interfaces but that's all. Funny thing is that it can ping the edge device, which is the router on 172.16.30.1, AND the router can ping E0/0 at 172.16.30.2 even though E0/0 is on the outside interface, so I have no clue how the router is able to successfully ping it since it is coming from the outside interface.

Here is the config for the ASA

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 30
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
no nameif
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.30.2 255.255.255.0
!
interface Vlan30
nameif inside
security-level 100
ip address 10.30.0.1 255.255.255.0
!
!
!
access-list VPN standard permit 10.30.0.0 255.255.255.0
!
!
!
!
!
!
class-map inspect
match default-inspection-traffic
!
policy-map global
class inspect
!
service-policy global global
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable
!
!
!
crypto ipsec ikev1 transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map VPN_MAP 1 match address VPN
crypto map VPN_MAP 1 set peer 172.16.31.2
crypto map VPN_MAP 1 set security-association lifetime seconds 8600
crypto map VPN_MAP 1 set ikev1 transform-set VPN
crypto ikev1 policy 1
encr aes
authentication pre-share
group 5
lifetime 8600
!
tunnel-group 172.16.30.2 type ipsec-l2l
tunnel-group 172.16.30.2 ipsec-attributes
ikev1 pre-shared-key cisco
!


When I got connectivity I planned to set up a VPN, but I'm having trouble trying to grasp how to connect all these VLANs and devices together when the ASA in Packet Tracer doesn't let you do routing protocols or assign physical interfaces addresses.
Any help would be greatly appreciated.

Thanks!


Update:
I moved one PC to connect it directly to the ASA with the default gateway the same as VLAN 30 etc... and it worked, but I moved it back to the switch and it failed, so I'm thinking it's something to do with the switch? I have had the link that connects the switch to the ASA as switchport access vlan 30 and nothing, and also as a trunk with the VLAN allowed over the trunk, but yet again nothing!

9 Replies

Akshay Rastogi
Cisco Employee

Hi,

You can ping both interfaces from hosts behind their respective interface, even though you are pinging from outside. You can restrict the ping through the 'icmp deny <network> <subnet> outside' command.

As you could ping the inside interface when directly connected, this indicates an issue with the switch. Please make sure that the port connected to the host and the inside interface are both in the same VLAN.

Making the inside interface switchport a trunk would not help, as for that the ASA interface should also be a trunk.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Hi, thanks for the reply. I was wondering as well why the router that is on the OUTSIDE interface of the ASA is able to ping the ASA successfully? Shouldn't that be dropped regardless of ICMP or not?

Thank you as well! Your suggestion worked perfectly! I have a question though that now comes with it: how is it that the VLAN information is able to be sent when none of the switchports are trunks?

Thanks

Hi,

It is as per the design. Hosts behind their respective interface can ping it. However, it can be controlled through the 'icmp' command mentioned in the last post. It is only for ICMP. For SSH or Telnet, you need separate commands to enable them.

It is not about a VLAN tag sent to the ASA. You could use any other VLAN value on the switch other than 30 (try configuring VLAN 50 on the switch ports for both interfaces while keeping VLAN 30 on the ASA; it must work).

VLAN 30 configured on the ASA is only significant to the ASA interface configuration. It would come into the picture when you have sub-interfaces for a specific physical interface and you configure a trunk for that on the switch.

Hope it answers your query.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Thanks for all your help so far, I had another question regarding the PC I am using in Packet Tracer. So now I can ping the outside interface of the router on 172.16.30.1 and the router cannot ping me, great! But when I go to ping the actual outside interface on the ASA it times out; the IP for that address is 172.16.30.2, the source address is 10.30.0.2. Why is this?

Also I'm going to be using a VPN setup soon to encrypt traffic going from 10.30.0.0/24 to 10.20.0.0/24 at another site. Do you think, from the setup above in the first message, that the VPN setup is properly configured?

This is my topology:

[Site]   pc>>>>switch>>>ASA>>>router>>>>>>frame relay cloud>>>>>>>>>the same on the other side [Site]

The IP address of the outside interface of the ASA is 172.16.30.2

The IP address of the inside interface of the ASA is 10.30.0.1

The IP address of Fa0/0 on the router is 172.16.30.1

The IP address of S2/0 is 192.168.30.1

^ This is all for one site; I'm going to configure the other site the same but with different but similar IPs. I'm just wondering if I have the tunnel group correctly configured etc...

Thanks again for your great help!

Hi,

As per the design, you can only ping an ASA interface if the host is behind that interface. That means hosts behind the inside interface can only ping the inside interface of the ASA. They cannot ping the ASA's outside interface IP address. However, they can ping hosts behind the outside interface, but not the interface IP.

Regarding VPN, I do not have much expertise, so I cannot comment much. However, as per my understanding, please use an extended access-list with source as 10.30 and destination as 10.20, and the reverse access-list on the other site (the 31.2 side).

Also I can see that the crypto map is not enabled on the outside interface as well, so make sure of that as well. Also make sure the ISAKMP policy matches on both sides.

Regards,

Akshay Rastogi

Remember to rate helpful posts.
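As an added example (not the poster's config or the reply's own text), the pieces the reply above says are missing, written against the thread's addresses: local LAN 10.30.0.0/24, remote LAN 10.20.0.0/24, remote peer 172.16.31.2. It also corrects one detail visible in the posted config: the tunnel-group is keyed on 172.16.30.2, which is this ASA's own outside address, while 'set peer' names 172.16.31.2. The pre-shared key is a placeholder.

```cisco
! Added example, not the original poster's configuration.
!
! 1. Interesting traffic must be an extended ACL (source AND destination);
!    the posted standard ACL only names the local network.
no access-list VPN standard permit 10.30.0.0 255.255.255.0
access-list VPN extended permit ip 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
!
! 2. IKEv1 has to be enabled on the outside interface and the crypto map
!    bound to it; neither line is in the posted config.
crypto ikev1 enable outside
crypto map VPN_MAP interface outside
!
! 3. The tunnel-group name is the PEER's address and must match 'set peer'
!    (172.16.31.2), not this ASA's own outside IP (172.16.30.2).
tunnel-group 172.16.31.2 type ipsec-l2l
tunnel-group 172.16.31.2 ipsec-attributes
 ikev1 pre-shared-key <strong-shared-secret>
!
! 4. The remote ASA mirrors this: ACL 10.20.0.0/24 -> 10.30.0.0/24,
!    set peer 172.16.30.2, tunnel-group 172.16.30.2, and an identical
!    ikev1 policy (aes / pre-share / group 5 / same lifetime) so that
!    phase 1 negotiates.
```

After both sides are up, 'show crypto ikev1 sa' and 'show crypto ipsec sa' confirm the phase 1 and phase 2 associations once traffic matching the ACL is sent.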

Thanks for all your help. I am also looking to see what ports are open on a device; do you know the command for this? Thanks

Hi,

By default, all the ports are denied to pass through the ASA. However, it also depends upon where the packet is sourced from.

Traffic from a higher security zone interface to a lower security zone is allowed by default. However, from a lower security zone to a higher one, it is denied. Therefore you can say that the traffic (or ports allowed) can be controlled through access-lists on both the higher security interface and the lower one. This is for 'through-the-box' traffic.

However, for 'to-the-box' traffic, only ICMP is allowed by default. The rest of the traffic (SSH, Telnet) is denied. You need to separately allow them through their respective commands.

Hope it answers your query.

Regards,

Akshay Rastogi

Remember to rate helpful posts.
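As an added example (not part of the replies or the poster's config), the to-the-box controls the replies describe: an ICMP control list that stops the outside router's pings to 172.16.30.2 while the inside LAN keeps pinging 10.30.0.1, and SSH enabled only from the inside LAN. The domain name, username and password are placeholders. These rules only govern traffic terminating on the ASA; through-the-box traffic is still decided by security levels and access-lists.

```cisco
! Added example, not the original poster's configuration.
!
! 1. ICMP control list. Once any icmp rule exists for an interface, ICMP
!    to that interface matching no rule is denied (first match wins), so
!    state both the permit and the deny.
!    Only the inside LAN may ping the inside interface.
icmp permit 10.30.0.0 255.255.255.0 inside
icmp deny any inside
!    Nothing on the outside may ping the outside interface. Keep type 3
!    (unreachable) for path-MTU discovery and echo-reply so the ASA's own
!    pings out of the outside still get their answers.
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp deny any outside
!
! 2. Management access: SSH from the inside LAN only. Telnet is left
!    unconfigured (cleartext), so it stays denied.
domain-name lab.example
crypto key generate rsa modulus 2048
username admin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
ssh version 2
ssh 10.30.0.0 255.255.255.0 inside
```

'show running-config icmp' and 'show running-config ssh' list the resulting rules; a ping from the router at 172.16.30.1 to 172.16.30.2 should now time out while a PC in 10.30.0.0/24 still reaches 10.30.0.1.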

Hi, thanks for that. What about checking ports on a router to see if they're open or not?

If I want to have a DHCP server also on the network connected to the ASA, would I need to use the dhcprelay commands in order for it to work?

Thanks

Hi.

With a blank configuration, all the ports are allowed for to and through traffic on a router. However, if you are looking for how exposed your network is after your required configuration, then you need to try some port scanning application used by testers.

Related to DHCP, if the hosts looking for a DHCP IP are behind the same interface as that of the DHCP server, then you do not need anything, as the DHCP server and clients would be connected to a switch in the same VLAN and the DHCP Discover packet from the client would go directly to the server without traversing the ASA.

However, let's say the server is on the outside and the clients are on the inside looking for a DHCP IP; then the ASA needs to be configured as a DHCP relay.

Regards,

Akshay Rastogi

Remember to rate helpful posts.
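As an added example (not from the reply or the poster's config), the relay setup for the case just described: clients on the inside (10.30.0.0/24) and a DHCP server reachable through the outside interface. The server address 172.16.30.10 is a constructed placeholder, and it is assumed the posted 'dhcpd enable' referred to the inside interface.

```cisco
! Added example, not the original poster's configuration.
!
! The relay agent cannot be enabled while the ASA's own DHCP server is
! enabled, and the posted config has 'dhcpd enable', so turn that off
! first (name the interface it was enabled on; inside is assumed here).
no dhcpd enable inside
!
! Forward client Discover/Request packets arriving on inside to the
! server behind outside (172.16.30.10 is a constructed placeholder).
dhcprelay server 172.16.30.10 outside
dhcprelay enable inside
!
! Hand clients the ASA inside address (10.30.0.1) as their default
! gateway, and wait up to 60 seconds for the server to answer.
dhcprelay setroute inside
dhcprelay timeout 60
```

'show dhcprelay statistics' on the ASA counts relayed Discover, Offer, Request and Ack packets, which is the quickest way to see whether the server is answering at all.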
