12-03-2013 03:46 AM - edited 03-11-2019 08:11 PM
Hello guys,
I'm having problems when trying to ping via my ASA 5510.
This is the important bit of the configuration:
interface Ethernet0/0
nameif inside
security-level 100
ip address X.X.X.X/30
!
interface Ethernet0/1
speed 100
duplex full
nameif outside
security-level 0
ip address Y.Y.Y.Y/30
access-list ACL_in extended permit ip any any log
access-list ACL_in extended permit icmp any any log
access-group ACL_in in interface inside
icmp permit any outside
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
route inside My_PC 255.255.255.255 Inside_Router 1
From the firewall itself I can ping the outside interface and the IP address of the router which is connected to the outside interface Y.Y.Y.Y+1/30, but I cannot ping anything from the host which is behind the inside interface.
When pinging I can see the hit count for "access-list ACL_in extended permit ip any any log" increase, but no reply coming back...
I have added the static route for my PC to the firewall configuration, so the ping reply should know how to come back to me.
I cannot ping the IP of the outside interface nor the IP of the outside router.
What am I missing here?
12-03-2013 05:42 AM
Hi,
You won't be able to ICMP the external interface of the ASA from behind the internal interface of the ASA. This is a known restriction related to the ASA.
With regards to the actual ICMP through the ASA for the LAN user please provide us with the "packet-tracer" output. Fill in the information needed.
packet-tracer input inside icmp
Or
packet-tracer input inside icmp
The ICMP should generally go through with just adding the ICMP Inspection to the default configuration of the ASA.
Are you sure you have NAT configuration for the source host? If not this might explain no ICMP Echo reply. This would also mean though that the host would not be able to connect with anything else either, for example HTTP.
The "packet-tracer" output should tell us what happens to the ICMP traffic with regards to the ASA configurations.
- Jouni
12-04-2013 01:16 AM
Hello there,
JouniForss thanks for your reply.
Yes, it looks like the NAT configuration was incorrect. I have set static NAT with the following command:
static (inside,outside) My_PC-NAT My_PC netmask 255.255.255.255
but it looks like this is the wrong direction because as soon as I change this to
static (outside,inside) My_PC My_PC-NAT netmask 255.255.255.255
the router replies for the ping requests.
You're right, I still can't ping the outside router interface, but that is fine, I don't need to.
Also the outside connection is not actually going to the ISP, it's connected to one of our networks (172.X.X.X address).
The questions which I have now:
How does the NAT actually work? Why didn't my first command work? What has to be NATed and what not?
I thought when I'm coming from inside -> outside I should create a NAT static(inside,outside) so my inside address is NATed to the outside address, but it looks like this is not the case.
Also I cannot telnet to the router, I can only ping it.
Does that mean I need to add the "inspect telnet" command to the firewall configuration as well?
Thanks,
Dom
12-04-2013 01:34 AM
Hi,
Please share the complete configuration and remove any sensitive information so we can get a clear picture of the current configurations and setup.
The first Static NAT command format seems to be right as it does a NAT from "inside" to "outside". The first IP address in the command is the NAT IP address and the second one the local IP address. This Static NAT naturally works in both directions. It enabled connectivity to the internal host with the NAT IP address and also views the internal host to the destination networks with the NAT IP address when it forms connections.
You don't typically do Static NAT from "outside" to "inside".
- Jouni
12-04-2013 02:35 AM
Jouni,
I have removed the sensitive info by replacing it with XXX where XXX in one command is not the same address/name on the other.
XXX# sh run
: Saved
:
ASA Version 7.1(2)
!
hostname XXX
domain-name XXX
enable password XXX encrypted
names
name...
.
.
.
name...
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.25.32.225 255.255.255.252
!
interface Ethernet0/1
speed 100
duplex full
nameif outside
security-level 0
ip address 172.16.227.5 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd XXX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name XXX
access-list outside_access_in ...
.
.
.
access-list outside_access_in ...
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit icmp any any log
pager lines 24
logging enable
logging buffered alerts
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any traceroute outside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
static (inside,outside) XXX-NAT XXX netmask 255.255.255.255
.
.
.
static (inside,outside) XXX-NAT XXX netmask 255.255.255.255
static (outside,inside) XXX-NAT XXX netmask 255.255.255.255
.
.
.
static (outside,inside) XXX-NAT XXX netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside XXX 255.255.255.255 XXX 1
.
.
.
route inside XXX 255.255.255.255 XXX 1
route outside XXX 255.255.255.255 XXX 1
.
.
.
route outside XXX 255.255.255.255 XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username XXX password XXX encrypted
aaa authentication telnet console LOCAL
http server enable
http XXX 255.255.255.255 inside
http XXX 255.255.255.255 inside
http XXX 255.255.255.255 inside
http XXX 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet XXX 255.255.255.255 inside
telnet XXX 255.255.255.255 inside
telnet XXX 255.255.255.255 inside
telnet XXX 255.255.255.255 inside
telnet XXX 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
tftp-server inside XXX XXX
Cryptochecksum:XXX
: end
Is there something like dual NAT on the ASA firewalls? For example, when I send a ping from inside to outside I need the static (inside,outside) command. For the ping reply to come back to me, do I need another NAT static(outside,inside)?
12-04-2013 03:25 AM
Hi Dom,
You need a NAT to translate and an ACL, as you have an access-group bound to the inside interface.
I do see both of them configured, and they should allow the traffic.
You won't need a Twice NAT, as the static NAT rules are bidirectional.
Please get the output of following to troubleshoot further:
packet-tracer input inside tcp (SOURCE IP) 1034 (DESTINATION IP THAT YOU WANT TO TELNET) 21 detailed
If this shows traffic allowed, please apply captures on ingress and egress interface and share the outputs.
You can use the following to apply captures:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Cheers,
Naveen
12-04-2013 03:28 AM
Hi,
If you are translating your source address that is behind the "inside" interface you only need the command
static (inside,outside)
In a normal setup you shouldn't need to translate any address located behind the "outside" interface, so you would NOT need the commands with "static (outside,inside)".
According to the above configuration you are missing the default route?
route outside 0.0.0.0 0.0.0.0
- Jouni
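To make the point in the two replies above concrete (a single static (inside,outside) entry is used for both the outbound packet and the returning reply, and the first address in the command is the mapped address while the second is the real one), here is a small model of ASA 7.x static host NAT. It is an added example, not ASA code and not from the thread; it models only one-to-one host statics with netmask 255.255.255.255 and ignores ACLs, routing, xlate timeouts and dynamic NAT/PAT. The addresses 10.25.40.10 (real host) and 172.16.227.10 (mapped address) are constructed for the example.

```python
"""Toy model of 'static (real_if,mapped_if) MAPPED REAL netmask 255.255.255.255'
on an ASA 7.x, showing why one entry translates in both directions.
Added example; not Cisco code.  Only /32 host statics are modelled.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+255\.255\.255\.255$"
)


@dataclass
class StaticNat:
    real_if: str    # interface where the real (local) address lives
    mapped_if: str  # interface on which the mapped (global) address is seen
    mapped: str     # first address in the command: the translated address
    real: str       # second address in the command: the real address


def parse_static(lines: List[str]) -> List[StaticNat]:
    """Parse 'static (a,b) MAPPED REAL netmask 255.255.255.255' lines."""
    rules = []
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported static syntax: {line!r}")
        rules.append(StaticNat(m["real_if"], m["mapped_if"], m["mapped"], m["real"]))
    return rules


def translate(rules: List[StaticNat], ingress_if: str, egress_if: str,
              src: str, dst: str) -> Tuple[str, str, bool]:
    """Return (src, dst, translated) for a packet entering ingress_if and
    leaving egress_if.  translated is False when no static matched; what the
    ASA then does depends on nat-control, which this model does not cover."""
    for r in rules:
        # Outbound: packet from the real host leaves towards the mapped
        # interface, so its source becomes the mapped address.
        if ingress_if == r.real_if and egress_if == r.mapped_if and src == r.real:
            return (r.mapped, dst, True)
        # Inbound, including the reply to the outbound packet: it arrives on
        # the mapped interface addressed to the mapped address, and the SAME
        # rule rewrites the destination back to the real host.
        if ingress_if == r.mapped_if and egress_if == r.real_if and dst == r.mapped:
            return (src, r.real, True)
    return (src, dst, False)


# Constructed example: the form Jouni describes as correct.
CORRECT = parse_static(
    ["static (inside,outside) 172.16.227.10 10.25.40.10 netmask 255.255.255.255"]
)
# Constructed example: the same two addresses with interfaces and order swapped.
REVERSED = parse_static(
    ["static (outside,inside) 10.25.40.10 172.16.227.10 netmask 255.255.255.255"]
)


def demo() -> None:
    """Walk an echo request out and its reply back through each rule set."""
    for name, rules in (("correct", CORRECT), ("reversed", REVERSED)):
        out = translate(rules, "inside", "outside", "10.25.40.10", "172.16.227.6")
        back = translate(rules, "outside", "inside", "172.16.227.6", "172.16.227.10")
        print(f"{name:8s} outbound -> {out}")
        print(f"{name:8s} reply    -> {back}")


if __name__ == "__main__":
    demo()
```

With the correct rule the outbound packet leaves with source 172.16.227.10 and the reply addressed to 172.16.227.10 is rewritten back to 10.25.40.10 by that same rule, which is what "bidirectional" means here. With the reversed rule neither direction matches, so the model shows no translation at all for this host.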
12-04-2013 03:32 AM
Also,
I can't see a Dynamic PAT configuration that you would need for all the users to connect through the firewall. At least typically you need this, as the ASA is usually connected directly to the external/public network. In your case it seems there is something in between.
Also your "route" configurations for "inside" interface are all with a host mask of 255.255.255.255 ? Should you be routing complete networks to some device behind the "inside" interface?
Is the device in front of ASA doing the Dynamic PAT for the user networks? If not then you would have to add
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Seems to me if the above is the configuration of your device then you most likely have problems with the routing and NAT with the ASA as I have pointed above.
- Jouni
12-04-2013 04:40 AM
Hi Jouni,
The firewall has been configured by a 3rd-party company and it works without any issues.
I'm just trying to enable telnet to one of the devices which sits behind the firewall, and that is not working.
1. Yes - all my "route" configurations are with mask /32 and we have to add a new route command every time we would like to allow a new host through the firewall.
2. The device in front of the ASA is not doing any Dynamic PAT. We have everything done on the ASA itself, so I believe we will need double NAT static(inside,outside) and static (outside,inside).
Does that mean my firewall is configured with static NAT rather than NAT control?
12-04-2013 04:48 AM
Hi,
I don't think "route" commands should really be used for the purpose of defining what is allowed and what is not. You should use "access-list" for that. NAT should not be used to control traffic either.
I am not sure what this firewall is used for if it doesn't have a default route. It would seem to me that it can't be used for internet connectivity at least, since it doesn't have a default route.
I would suggest the same as earlier above that you use the "packet-tracer" to simulate the Telnet traffic
packet-tracer input inside tcp
Is the router you are trying to Telnet to the next hop for the ASA on the "outside" interface? If so, does the router have a route to the user's IP address towards the ASA? This naturally depends on whether the user's source IP address is NATed or not.
I can't really tell what the situation is, as I don't know any of the IP addresses of this setup or the router configuration in front of the ASA.
- Jouni
12-04-2013 06:17 AM
Hi Jouni,
The firewall is not being used for Internet connectivity at all.
It just sits between two of our LANs (10.0.0.0/8 and 172.16.0.0/16).
I think it has been configured in that way for extra security. If you have placed an ACL entry by mistake, the host won't be able to access the network, because there is no default route, nor a static route for the subnet where the host sits, nor a static route for the host itself.
Also, because there is no default NAT/PAT in place, you will have to remember to configure it every single time you allow a new host through the firewall.
Don't ask me why it has been configured that way...
Is the packet-tracer a command built into the ASA IOS?
I can see it...
12-04-2013 06:22 AM
Hi,
Seems your software is too old for that command
It was released in the software level 7.2 which also is a very old software.
- Jouni
12-04-2013 07:25 AM
Looks like it...
Well, it looks like my telnet should work, as the ping works, which confirms that there are no issues with NAT or routing. The only place I could be blocked is the ACL, but I can see ip any any is permitted, which includes tcp telnet, so it has to be the router which doesn't accept the connection.
Anyway Jouni, thanks a lot for your help.
May need to get one ASA to play with it so I can understand it better
08-30-2024 07:49 AM
After every four hours we have been observing application impact. Suspecting an ARP issue on the firewall. After clearing ARP on the firewall the issue is getting resolved. Facing the ARP issue only on a particular egress interface. We are facing this issue since yesterday. Yesterday we had a shutdown activity; the only change we are observing after the power shutdown activity is a firewall state change.
MUMINTFW/sec/act# debug menu ipaddrutl 6 10.10.171.146
Gratuitous ARP not sent for 10.10.171.146
MUMINTFW/sec/act# debug menu ipaddrutl 6 10.10.171.146
Gratuitous ARP not sent for 10.10.171.146
MUMINTFW/sec/act# debug menu ipaddrutl 6 10.10.171.146
Gratuitous ARP not sent for 10.10.171.146
MUMINTFW/sec/act#
MUMINTFW/sec/act#
MUMINTFW/sec/act#
MUMINTFW/sec/act#
MUMINTFW/sec/act#
MUMINTFW/sec/act# ping 10.10.171.146
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.171.146, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
MUMINTFW/sec/act# ping 10.48.87.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.48.87.3, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
MUMINTFW/sec/act# ping 10.48.87.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.48.87.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
MUMINTFW/sec/act#
MUMINTFW/sec/act#
MUMINTFW/sec/act# sh arp
INSIDE-INTF 172.27.7.149 6c03.b5fd.c39f 1
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.3 0000.5e00.010a 4
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.1 e44e.2d4e.edf1 1471
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.2 e44e.2d4e.d921 1870
VHA-INTF 172.27.16.17 d0e0.4204.7d84 14012
BPS-INTF 10.48.103.57 6c03.b5fd.c39f 92
FAILOVER-INTF 192.168.2.1 70e4.22c3.c74a 10021
MUMINTFW/sec/act# sh arp
INSIDE-INTF 172.27.7.149 6c03.b5fd.c39f 1
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.3 0000.5e00.010a 10
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.1 e44e.2d4e.edf1 1477
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.2 e44e.2d4e.d921 1875
VHA-INTF 172.27.16.17 d0e0.4204.7d84 14017
BPS-INTF 10.48.103.57 6c03.b5fd.c39f 97
FAILOVER-INTF 192.168.2.1 70e4.22c3.c74a 10027
MUMINTFW/sec/act# sh arp
INSIDE-INTF 172.27.7.149 6c03.b5fd.c39f 2
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.3 0000.5e00.010a 11
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.1 e44e.2d4e.edf1 1478
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.2 e44e.2d4e.d921 1876
VHA-INTF 172.27.16.17 d0e0.4204.7d84 14018
BPS-INTF 10.48.103.57 6c03.b5fd.c39f 98
FAILOVER-INTF 192.168.2.1 70e4.22c3.c74a 10028
Do we have any solution for this ??
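When an ARP problem is suspected on an ASA, successive "show arp" snapshots like the three above already carry useful evidence: the last column is the entry's age in seconds, so an entry whose age advances less than the others between two snapshots was re-learned in that interval, an entry whose MAC changes for the same IP indicates a second device answering for that address, and a MAC that appears on more than one interface is worth a look. The following script is an added example, not from the thread or from Cisco; it assumes the "interface ip mac age" line layout shown above and uses the first two snapshots from the post as constructed input.

```python
"""Compare successive ASA 'show arp' snapshots and flag re-learned entries,
MAC changes and MACs shared across interfaces.  Added example; assumes the
'<interface> <ip> <mac> <age-seconds>' layout seen in the thread."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ARP_LINE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<age>\d+)\s*$"
)

# Constructed input: the first two snapshots quoted in the post above.
SNAPSHOT_1 = """\
INSIDE-INTF 172.27.7.149 6c03.b5fd.c39f 1
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.3 0000.5e00.010a 4
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.1 e44e.2d4e.edf1 1471
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.2 e44e.2d4e.d921 1870
VHA-INTF 172.27.16.17 d0e0.4204.7d84 14012
BPS-INTF 10.48.103.57 6c03.b5fd.c39f 92
FAILOVER-INTF 192.168.2.1 70e4.22c3.c74a 10021
"""
SNAPSHOT_2 = """\
INSIDE-INTF 172.27.7.149 6c03.b5fd.c39f 1
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.3 0000.5e00.010a 10
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.1 e44e.2d4e.edf1 1477
NEW_TECHM_DMPLS_ZONE-INTF 10.48.87.2 e44e.2d4e.d921 1875
VHA-INTF 172.27.16.17 d0e0.4204.7d84 14017
BPS-INTF 10.48.103.57 6c03.b5fd.c39f 97
FAILOVER-INTF 192.168.2.1 70e4.22c3.c74a 10027
"""

ArpTable = Dict[Tuple[str, str], Tuple[str, int]]


def parse_show_arp(text: str) -> ArpTable:
    """Map (interface, ip) -> (mac, age) for every ARP line in the output."""
    table: ArpTable = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[(m["intf"], m["ip"])] = (m["mac"], int(m["age"]))
    return table


def diff_snapshots(before: ArpTable, after: ArpTable, slack: int = 1) -> List[tuple]:
    """Findings between two snapshots.  Elapsed time is estimated as the
    largest age advance seen: an entry that was not refreshed ages exactly
    with the clock.  'slack' absorbs one second of sampling jitter."""
    deltas = [after[k][1] - before[k][1] for k in before if k in after]
    elapsed = max(deltas) if deltas else 0
    findings = []
    for key, (mac_after, age_after) in after.items():
        intf, ip = key
        if key not in before:
            findings.append(("new", intf, ip, mac_after))
            continue
        mac_before, age_before = before[key]
        if mac_before != mac_after:
            findings.append(("mac_changed", intf, ip, f"{mac_before}->{mac_after}"))
        elif age_after - age_before < elapsed - slack:
            # Age grew less than the clock did: the ASA re-learned this entry
            # (an ARP reply or gratuitous ARP arrived) during the interval.
            findings.append(("relearned", intf, ip, mac_after))
    for key in before:
        if key not in after:
            findings.append(("gone", key[0], key[1], before[key][0]))
    return findings


def shared_macs(table: ArpTable) -> Dict[str, List[Tuple[str, str]]]:
    """MACs that answer for addresses on more than one interface."""
    seen = defaultdict(list)
    for (intf, ip), (mac, _age) in table.items():
        seen[mac].append((intf, ip))
    return {mac: where for mac, where in seen.items() if len(where) > 1}


def vrrp_vrid(mac: str) -> Optional[int]:
    """VRRP IPv4 virtual MACs are 0000.5e00.01xx with xx = VRID; return
    the VRID for such a MAC, else None."""
    return int(mac[-2:], 16) if mac.startswith("0000.5e00.01") else None


if __name__ == "__main__":
    s1, s2 = parse_show_arp(SNAPSHOT_1), parse_show_arp(SNAPSHOT_2)
    for f in diff_snapshots(s1, s2):
        print("finding:", *f)
    for mac, where in shared_macs(s2).items():
        print("shared MAC", mac, "on", where)
    for (intf, ip), (mac, _age) in s2.items():
        if vrrp_vrid(mac) is not None:
            print(ip, "on", intf, "is a VRRP virtual address, VRID", vrrp_vrid(mac))
```

On the two snapshots from the post, every entry aged about six seconds except 172.27.7.149 on INSIDE-INTF, which stayed at age 1 and is therefore reported as re-learned; the same script also reports that 6c03.b5fd.c39f appears on both INSIDE-INTF and BPS-INTF and that 10.48.87.3 carries a VRRP virtual MAC (VRID 10). Run against snapshots taken a few seconds apart, this turns a quick look at "show arp" into a repeatable check of which neighbours are re-answering ARP and whether any MAC is changing.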
08-30-2024 07:51 AM
Please can you make a new post?
This is old.
Thanks a lot
MHM