Needs help to ping out of ASA 8.0.2

engineer_msu (Level 1)

Hi All,

I need help to ping through the firewall. Please help me. I am getting this error while trying to ping outside:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched

13 Replies

Jouni Forss (VIP Alumni)

Hi,

Seems you have issued a "packet-tracer" command

Can you copy/paste the whole output for us? And also the complete command issued?

Mask/Hide public IP addresses

- Jouni

Dear Jouni, thanks for the reply to my concern. I am trying to ping from a PC which has IP 10.0.0.14 to the outside router interface, but I am not able to ping.

ciscoasa# packet-tracer input inside icmp 10.0.1.14 0 0 209.165.200.2

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   209.165.200.0   255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ICMPACL in interface inside
access-list ICMPACL extended permit icmp any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 209.165.200.254 10.0.1.14 netmask 255.255.255.255
  match ip inside host 10.0.1.14 outside any
    static translation to 209.165.200.254
    translate_hits = 2, untranslate_hits = 0
Additional Information:
Static translate 10.0.1.14/0 to 209.165.200.254/0 using netmask 255.255.255.255

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 209.165.200.254 10.0.1.14 netmask 255.255.255.255
  match ip inside host 10.0.1.14 outside any
    static translation to 209.165.200.254
    translate_hits = 2, untranslate_hits = 0
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched

Hi,

The Type/Code you used for the ICMP in the "packet-tracer" command don't correspond to sending an ICMP Echo.

Use this command instead

packet-tracer input inside icmp 10.0.1.14 8 0 209.165.200.2

ICMP Echo is Type 8 and Code 0, therefore we use "8 0" in the command.

- Jouni
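The drop reason in the thread comes from stateful ICMP inspection: an echo request (type 8) creates a flow, and an echo reply (type 0) is only passed if it matches an outstanding request's id/sequence. The model below is an added example (not code from the thread or from Cisco); the `IcmpInspector` and `trace_thread_scenario` names are constructed, and it replays the two packet-tracer commands from the thread against that rule.

```python
# Constructed model of stateful ICMP echo inspection (not ASA code).
from dataclasses import dataclass, field

ECHO_REPLY = 0
ECHO_REQUEST = 8
# Drop-reason string as reported by packet-tracer in the thread
DROP_SEQ_MISMATCH = "(inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched"


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    code: int
    ident: int = 0   # ICMP identifier
    seq: int = 0     # ICMP sequence number


@dataclass
class IcmpInspector:
    # Outstanding echo requests keyed on (client, server, ident, seq)
    pending: set = field(default_factory=set)

    def inspect(self, pkt: Icmp) -> tuple:
        """Return ("allow"|"drop", reason) for one packet and update state."""
        if pkt.icmp_type == ECHO_REQUEST and pkt.code == 0:
            # A request opens state so exactly one matching reply may return
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "allow", "echo request, flow created"
        if pkt.icmp_type == ECHO_REPLY and pkt.code == 0:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # reverse direction
            if key in self.pending:
                self.pending.remove(key)  # one reply per request
                return "allow", "echo reply matched outstanding request"
            # No request seen: the case simulated with "icmp ... 0 0 ..."
            return "drop", DROP_SEQ_MISMATCH
        return "drop", "icmp type/code not tracked by this model"


def trace_thread_scenario() -> dict:
    """Replay the thread's two packet-tracer runs, then a reply and a replay."""
    insp = IcmpInspector()
    host, router = "10.0.1.14", "209.165.200.2"
    bad = insp.inspect(Icmp(host, router, 0, 0))              # "... 0 0 ..."
    good = insp.inspect(Icmp(host, router, 8, 0, ident=1, seq=1))  # "... 8 0 ..."
    reply = insp.inspect(Icmp(router, host, 0, 0, ident=1, seq=1))
    replay = insp.inspect(Icmp(router, host, 0, 0, ident=1, seq=1))
    return {"type0_first": bad, "type8": good, "reply": reply, "replay": replay}
```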

Yes! It gives the allow result. But I don't know why I am not able to ping from the PC 10.0.1.14 to 209.165.200.2

ciscoasa# packet-tracer input inside icmp 10.0.1.14 8 0 209.165.200.2

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   209.165.200.0   255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ICMPACL in interface inside
access-list ICMPACL extended permit icmp any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 209.165.200.254 10.0.1.14 netmask 255.255.255.255
  match ip inside host 10.0.1.14 outside any
    static translation to 209.165.200.254
    translate_hits = 3, untranslate_hits = 0
Additional Information:
Static translate 10.0.1.14/0 to 209.165.200.254/0 using netmask 255.255.255.255

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 209.165.200.254 10.0.1.14 netmask 255.255.255.255
  match ip inside host 10.0.1.14 outside any
    static translation to 209.165.200.254
    translate_hits = 3, untranslate_hits = 0
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 65, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa#

Hi,

Confirm that you DON'T HAVE this configuration on the firewall (DON'T ISSUE THIS COMMAND):

sysopt noproxyarp outside

You can check if the above configuration is active with this command:

show run sysopt

The point of this is to make sure that the ASA is answering to ARP requests from the upstream router that you are trying to PING.

- Jouni

ciscoasa# show run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
ciscoasa#

Hmm,

Can't see any mention of the Proxy ARP related sysopts there.

Are you pinging a Router in front of ASA or where is the destination IP address you are pinging located?

- Jouni

It is a router connected to the outside interface; I have properly configured the routing.

In the router I have:

ip route 0.0.0.0 0.0.0.0 f0/0 (Where f0/0 is connected to Firewall Outside)

Hi,

I would rather have the route in this format:

ip route 0.0.0.0 0.0.0.0 x.x.x.x

Where the "x.x.x.x" is the IP address of the ASA "outside" interface.

I am kind of wondering though why the default route on the "outside" of the ASA is pointing back towards ASA?

- Jouni

Though I will have to say,

If you are NATing the LAN host to an IP address that is part of the link network between the ASA and the router, then even without a route on the router towards the ASA there should be no problem with routing/connectivity.

If the LAN host's NAT IP address is part of the connected network between the ASA and the router, then I would suggest attempting the ICMP from the host to the router and also from the router to the host, and checking on the router with the command "show ip arp" whether you can see the LAN host's NAT IP address in the ARP table.

- Jouni

Dear,

I am able to ping the outside router IP in ASA version 8.4. I just tried it; the configuration is the same as I have done in 8.0.

I will try today after going home for 8.0.2 again.

I will share the result, I will provide the complete Configuration and the topology diagram with you today evening 9pm GMT+3.

Hope we will resolve this issue.

You simulate an ICMP echo-response (type 0) and not an echo-request (type 8). Try the following:

ciscoasa# packet-tracer input inside icmp 10.0.1.14 8 0 209.165.200.2

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

engineer_msu (Level 1)

Dear Jouni,

It is working now. The rest of the configuration is the same, but I corrected the ICMP-INSPECT configuration and it is working now; below is the detailed configuration:

Router-1:

int f0/0
 ip add 10.0.0.2 255.255.255.0
int f0/1
 ip add 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1 (Pointing towards Firewall)

Router-2:

int f0/0
 ip add 172.16.1.2 255.255.255.0
ip route 192.168.1.0 255.255.255.0 172.16.1.1
ip route 0.0.0.0 0.0.0.0 172.16.1.1

ASA:

interface e0/0
 ip address 10.0.0.1 255.255.255.0
 nameif inside
 security-level 100
interface e0/1
 ip address 172.16.1.1 255.255.255.0
 nameif outside
 security-level 0
route inside 192.168.1.0 255.255.255.0 10.0.0.2
route outside 0.0.0.0 0.0.0.0 172.16.0.2

------ Above is the basic configuration to be done in ASA ----------

To allow ICMP:

1. NAT is required if the outside IP is from the public IP range (e.g. 209.165.200.0/24); for a private IP, NAT is not required.

2. NAT is not required if NAT Control is not enabled in the firewall.

3. NAT is required if NAT Control is enabled in the firewall, even if the outside IP is a private IP.

4. No need for an ACL, as by default traffic is allowed from a higher security level to a lower security level (in our case inside-100 to outside-0).

5. Just Configure ICMP Inspect to allow ping in our case:

ASA(config)# class-map icmp-class
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy
ASA(config-pmap)# class icmp-class
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy interface outside

To enable ICMP inspection for all interfaces, use the global parameter in place of interface outside.
