12-28-2015 01:45 AM - edited 03-12-2019 12:04 AM
Hi, I have a problem with getting PCs on the inside interface in Packet Tracer to ping beyond the ASA default gateway interface in my topology.
I have a router on the edge with a fa 0/0 address of 172.16.30.1 and a s2/0 address of 192.168.1.3. The PCs can ping the ASA inside VLAN 30 interface from the statically configured PCs, but they can't go beyond that and ping the router 172 or 192 interfaces. I have a global service policy implemented that inspects ICMP as well. The ASA outside interface is 172.16.30.2. The ASA can ping 172.16.30.1 and 192.168.1.3 fine, just nothing from the PCs on the inside.
Any idea why this simple setup doesn't seem to be working?
Thanks
(There is a DHCP pool etc. configured, but the PCs aren't using it, and the VPN isn't being used either.)
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 30
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
no nameif
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.30.2 255.255.255.0
!
interface Vlan30
nameif inside
security-level 100
ip address 10.30.0.1 255.255.255.0
!
!
route outside 0.0.0.0 255.255.255.255 172.16.30.1 1
!
access-list VPN standard permit 10.30.0.0 255.255.255.0
!
!
!
!
!
group-policy vpn internal
!
class-map inspect
match default-inspection-traffic
class-map test
!
policy-map global
class inspect
inspect icmp
class test
!
service-policy global global
!
telnet timeout 5
ssh timeout 5
!
!
dhcpd enable
!
dhcpd address 10.30.0.10-10.30.0.15 inside
dhcpd enable inside
!
!
!
crypto ipsec ikev1 transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map VPN_MAP 1 match address VPN
crypto map VPN_MAP 1 set peer 172.16.31.2
crypto map VPN_MAP 1 set security-association lifetime seconds 8600
crypto map VPN_MAP 1 set ikev1 transform-set VPN
crypto ikev1 policy 1
encr aes
authentication pre-share
group 5
lifetime 8600
!
tunnel-group 172.16.31.2 type ipsec-l2l
tunnel-group 172.16.31.2 ipsec-attributes
ikev1 pre-shared-key cisco
!
12-28-2015 05:37 AM
Hello.
I think the problem could be because of this: route outside 0.0.0.0 255.255.255.255 172.16.30.1 1
Try to change it to route outside 0.0.0.0 0.0.0.0 172.16.30.1 1 (if you want to use 172.16.30.1 as default route).
Best Regards.
12-29-2015 09:48 PM
Hi, thanks to both of you for the help, it was indeed the route configuration that I screwed up. All sorted now. BUT ironically I have the same problem at the other "site" I have configured, and for the life of me this time I cannot see where the problem is.
All the setup on this site is identical to the other one, except the inside VLAN is 20 and the inside addresses are 10.20.0.0/24. I will also post the config of the router on the edge too, but I highly doubt there is something wrong with that, because the site with VLAN 30 can ping all the way across the site, through the local ASA and through the edge router, all the way through the external site router to the external ASA's outside interface, because of the static routes I have configured on both routers and both ASAs. So it's baffling me how this small problem in the local site, the PCs not pinging the edge router interface of 172.16.20.1, is happening.
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 20
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.20.2 255.255.255.0
!
interface Vlan20
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
webvpn
enable
!
route outside 0.0.0.0 0.0.0.0 172.16.20.1 1
!
!
!
!
!
!
!
class-map inspect
match default-inspection-traffic
!
policy-map global
class inspect
!
service-policy global global
!
telnet timeout 5
ssh timeout 5
!
dhcpd enable
!
!
!
!
Router config
Current configuration : 1230 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router2
!
!
ip cef
no ipv6 cef
!
!
!
interface FastEthernet0/0
ip address 172.16.20.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial2/0
no ip address
encapsulation frame-relay
frame-relay interface-dlci 102
!
interface Serial2/0.201 point-to-point
ip address 192.168.0.2 255.255.255.0
frame-relay interface-dlci 201
!
interface Serial2/0.203 point-to-point
ip address 192.168.3.2 255.255.255.0
frame-relay interface-dlci 203
!
interface Serial3/0
no ip address
clock rate 2000000
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 192.168.0.0 0.0.255.255 area 0
network 172.16.20.0 0.0.0.255 area 0
!
ip classless
ip route 10.20.0.0 255.255.255.0 172.16.20.2
ip route 10.30.0.0 255.255.255.0 192.168.3.1
!
ip flow-export version 9
!
!
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
12-29-2015 10:03 PM
Hello.
If you mean that you can't get access from VLAN 2 to VLAN 20, then you can't get access because of the security level. For understanding it you can read this: https://www.shilpasys.com/articles/what-are-cisco-asa-firewall-security-levels/
Best Regards.
12-29-2015 10:49 PM
Thanks for the help again with this, what you suggested worked. I have a question though. The reason why this confused me was because I created the class map inspect with the
"default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748
dns-------udp--53
ftp-------tcp--21
gtp-------udp--2123,3386
h323-h225-tcp--1720
h323-ras--udp--1718-1719
http------tcp--80
icmp------icmp
ils-------tcp--389
ip-options-----rsvp
mgcp------udp--2427,2727
netbios---udp--137-138
radius-acct----udp--1646
rpc-------udp--111
rsh-------tcp--514
rtsp------tcp--554
sip-------tcp--5060
sip-------udp--5060
skinny----tcp--2000
smtp------tcp--25
sqlnet----tcp--1521
tftp------udp--69
waas------tcp--1-65535
xdmcp-----udp--177"
associated with it. ICMP is listed as part of the inspection protocols here, so I applied it to the policy map global and created the global service policy. I didn't think I needed to have the inspect icmp syntax in the policy map part also, seeing as it is listed in the match traffic "default-inspection-traffic" in the class map. I was wondering if you could tell me why that is not working then?
Thanks for the help again
12-29-2015 11:00 PM
Hi. Class Maps are used to match traffic. Policy maps apply an action to the mapped traffic (eg. Inspect icmp, or inspect http).
So you need to enable the inspect action in the policy map, on the traffic matched by the class map.
HTH
12-29-2015 10:14 PM
Hi. I noticed that you don't have ICMP inspection enabled on this ASA, so the return ICMP traffic will not be allowed. See the excerpt below from the other ASA config you posted earlier in the thread:
policy-map global
class inspect
inspect icmp
12-28-2015 05:50 AM
As noted, your default route is not properly formed. Also, does the outside router have a route to return traffic from 10.30.0.0/24 to the ASA outside interface?
What does packet-tracer tell you:
packet-tracer input inside icmp 10.30.0.2 8 0 172.16.30.1
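The thread turns on two mistakes that are easy to miss in a pasted config: a "default" route written with a host mask (route outside 0.0.0.0 255.255.255.255 ..., which only matches the single destination 0.0.0.0) and a class-map that matches default-inspection-traffic without the policy-map applying an inspect icmp action to it. The following Python script is an added example, not code from any poster in this thread or from Cisco: it parses the posted style of ASA config (indentation lost) and reports both problems before they are deployed. The two sample configs embedded in it are constructed from the relevant lines of the two ASAs above; the parser only understands the handful of commands needed for these two checks.

```python
"""Lint a pasted Cisco ASA config for the two mistakes discussed in this thread:
a malformed default route and a missing `inspect icmp` action. Added example."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: the relevant lines of the first ASA config in the thread
# (malformed default route, ICMP inspection present). Indentation is lost, as in
# the forum paste, so the parser does not rely on it.
SITE_A_CONFIG = """\
interface Vlan2
nameif outside
security-level 0
ip address 172.16.30.2 255.255.255.0
interface Vlan30
nameif inside
security-level 100
ip address 10.30.0.1 255.255.255.0
route outside 0.0.0.0 255.255.255.255 172.16.30.1 1
class-map inspect
match default-inspection-traffic
class-map test
policy-map global
class inspect
inspect icmp
class test
service-policy global global
"""

# Constructed sample modelled on the second site's ASA: route fixed, but the
# policy-map applies no action to the traffic the class-map matches.
SITE_B_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 172.16.20.1 1
class-map inspect
match default-inspection-traffic
policy-map global
class inspect
service-policy global global
"""


def parse_asa(config: str) -> Dict:
    """Extract routes, class-map matches, policy-map actions and the global
    service-policy binding. Context is tracked by keyword, not indentation."""
    cfg: Dict = {"routes": [], "class_maps": {}, "policy_maps": {}, "service_policies": {}}
    ctx: Optional[str] = None          # "class-map" or "policy-map" while inside one
    name: Optional[str] = None         # name of the current class-map / policy-map
    cur_class: Optional[str] = None    # current `class` inside a policy-map
    for raw in config.splitlines():
        words = raw.split()
        if not words or raw.startswith("!"):
            ctx = None
            continue
        kw = words[0]
        if kw == "route" and len(words) >= 5:
            ctx = None
            cfg["routes"].append({"iface": words[1], "net": words[2], "mask": words[3], "gw": words[4]})
        elif kw == "class-map" and len(words) >= 2:
            ctx, name = "class-map", words[1]
            cfg["class_maps"].setdefault(name, [])
        elif kw == "policy-map" and len(words) >= 2:
            ctx, name, cur_class = "policy-map", words[1], None
            cfg["policy_maps"].setdefault(name, {})
        elif kw == "service-policy" and len(words) >= 3 and words[2] == "global":
            ctx = None
            cfg["service_policies"]["global"] = words[1]   # scope -> policy-map name
        elif kw == "match" and ctx == "class-map":
            cfg["class_maps"][name].append(" ".join(words[1:]))
        elif kw == "class" and ctx == "policy-map" and len(words) >= 2:
            cur_class = words[1]
            cfg["policy_maps"][name].setdefault(cur_class, [])
        elif kw == "inspect" and ctx == "policy-map" and cur_class and len(words) >= 2:
            cfg["policy_maps"][name][cur_class].append(words[1])
        else:
            ctx = None   # any other top-level command ends the current block
    return cfg


def check_default_route(cfg: Dict) -> List[str]:
    """A default route needs network 0.0.0.0 AND mask 0.0.0.0; any other mask on
    0.0.0.0 is a route to a tiny prefix that no real destination falls into."""
    findings: List[str] = []
    default_ok = False
    for r in cfg["routes"]:
        if r["net"] != "0.0.0.0":
            continue
        try:
            net = ipaddress.ip_network(f"{r['net']}/{r['mask']}", strict=False)
        except ValueError:
            findings.append(f"route {r['iface']} 0.0.0.0 {r['mask']}: unparseable mask")
            continue
        if net.prefixlen == 0:
            default_ok = True
        else:
            findings.append(
                f"route {r['iface']} 0.0.0.0 {r['mask']} {r['gw']}: mask /{net.prefixlen} "
                f"matches only host 0.0.0.0, not all destinations; "
                f"use 'route {r['iface']} 0.0.0.0 0.0.0.0 {r['gw']}'")
    if not default_ok and not findings:
        findings.append("no default route: inside hosts cannot reach destinations beyond the ASA")
    return findings


def check_icmp_inspection(cfg: Dict) -> List[str]:
    """A class-map only selects traffic; the policy-map must apply `inspect icmp`
    to it, or echo replies from outside are dropped by the security-level rule."""
    pm_name = cfg["service_policies"].get("global")
    if pm_name is None:
        return ["no global service-policy: no inspection is applied anywhere"]
    classes = cfg["policy_maps"].get(pm_name, {})
    if any("icmp" in actions for actions in classes.values()):
        return []
    matching = [c for c in classes if "default-inspection-traffic" in cfg["class_maps"].get(c, [])]
    where = f"class {matching[0]}" if matching else "a class"
    return [f"policy-map {pm_name}: no 'inspect icmp' action under {where}; matching "
            f"default-inspection-traffic selects ICMP but does not inspect it"]


def lint(config: str) -> List[str]:
    """Run both checks and return a list of findings (empty means clean)."""
    cfg = parse_asa(config)
    return check_default_route(cfg) + check_icmp_inspection(cfg)


if __name__ == "__main__":
    for label, text in (("site A", SITE_A_CONFIG), ("site B", SITE_B_CONFIG)):
        print(label, lint(text) or ["clean"])
```

Run against site A the script reports only the malformed route; against site B only the missing inspect action. Adding `inspect icmp` under `class inspect` in site B's policy-map clears its finding, which is exactly the fix the thread arrives at; the alternative of permitting ICMP echo-reply inbound with an access-list would also work but is not checked here.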