09-20-2012 02:41 PM - edited 03-11-2019 04:56 PM
Before upgrading to 8.4(4)1 I was able to ping our inside interface across the VPN. Now I cannot. Because ping is not working, my SNMP server thinks that the device is offline; however, I know the VPN tunnel is still up and the remote branch office is working fine. Here is the config of the branch office ASA 5505 in question. Any idea how to get ICMP working again?
ASA Version 8.4(4)1
!
hostname BranchASA5505
domain-name houston.deh
enable password yz7MhLySlV/YT6Oe encrypted
passwd yz7MhLySlV/YT6Oe encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.80.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.163.148.54 255.255.255.252
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone CDT -6
dns server-group DefaultDNS
domain-name houston.deh
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj_10.10.15.0
subnet 10.10.15.0 255.255.255.0
object network obj_192.168.80.0
subnet 192.168.80.0 255.255.255.0
object network obj_192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj_10.10.25.0
subnet 10.10.25.0 255.255.255.0
object network obj_10.10.45.0
subnet 10.10.45.0 255.255.255.0
object network obj_10.10.10.0
subnet 10.10.10.0 255.255.255.0
access-list HOUSTON extended permit ip 192.168.80.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list HOUSTON extended permit ip 192.168.80.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list HOUSTON extended permit ip 192.168.80.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HOUSTON extended permit ip 192.168.80.0 255.255.255.0 10.10.25.0 255.255.255.0
access-list ICMPACL extended permit icmp any any
access-list netflow-export extended permit ip any any
access-list Datacenter extended permit ip 192.168.80.0 255.255.255.0 10.10.45.0 255.255.255.0
access-list Datacenter extended permit ip 192.168.80.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.1.21 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj_192.168.80.0 obj_192.168.80.0 destination static obj_192.168.1.0 obj_192.168.1.0 route-lookup
nat (inside,outside) source static obj_192.168.80.0 obj_192.168.80.0 destination static obj_10.10.15.0 obj_10.10.15.0 route-lookup
nat (inside,outside) source static obj_192.168.80.0 obj_192.168.80.0 destination static obj_192.168.2.0 obj_192.168.2.0 route-lookup
nat (inside,outside) source static obj_192.168.80.0 obj_192.168.80.0 destination static obj_10.10.25.0 obj_10.10.25.0 route-lookup
nat (inside,outside) source static obj_192.168.80.0 obj_192.168.80.0 destination static obj_10.10.45.0 obj_10.10.45.0
nat (inside,outside) source static obj_192.168.80.0 obj_192.168.80.0 destination static obj_10.10.10.0 obj_10.10.10.0
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 XXXXXXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 outside
http 192.168.80.0 255.255.255.0 inside
snmp-server host inside 192.168.1.21 community ***** version 2c
snmp-server host outside 192.168.1.21 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set MAINSET esp-aes esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto map VPN_map 10 match address HOUSTON
crypto map VPN_map 10 set peer XXXXX
crypto map VPN_map 10 set ikev1 transform-set MAINSET
crypto map VPN_map 10 set security-association lifetime seconds 25000
crypto map VPN_map 10 set security-association lifetime kilobytes 4608000
crypto map VPN_map 11 match address Datacenter
crypto map VPN_map 11 set peer XXXXXX
crypto map VPN_map 11 set ikev1 transform-set MAINSET
crypto map VPN_map 11 set security-association lifetime seconds 25000
crypto map VPN_map 11 set security-association lifetime kilobytes 4608000
crypto map VPN_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access outside
dhcpd dns 192.168.1.57
dhcpd domain houston.deh
dhcpd auto_config outside
!
dhcpd address 192.168.80.100-192.168.80.150 inside
dhcpd dns 192.168.1.57 192.168.1.58 interface inside
dhcpd option 150 ip 192.168.2.10 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.90.182.55
webvpn
username XXXXXX password XXXXXXXX encrypted privilege 15
tunnel-group XXXXXX type ipsec-l2l
tunnel-group XXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map flow_export_class
match access-list netflow-export
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
inspect snmp
class flow_export_class
flow-export event-type all destination 192.168.1.21
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
09-20-2012 03:16 PM
Hello Michael,
Please change the following:
no management-access outside
management-access inside
That should do it!
Any other question? Sure. Just remember to rate all of my answers.
Julio
09-20-2012 03:38 PM
Thank you. That was it.
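As an added example (not code from the thread or from Cisco), here is a small Python lint that reads a constructed excerpt of the posted config, works out which interface address falls inside a crypto-map ACL's local network, and checks whether `management-access` names that interface; on the posted config it produces the same two commands Julio gave. The config excerpt, function names and the one-interface assumption are this example's own.

```python
import ipaddress
import re

# Constructed excerpt of the branch ASA config posted in the thread, before the fix.
ASA_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.80.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 209.163.148.54 255.255.255.252
access-list HOUSTON extended permit ip 192.168.80.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map VPN_map 10 match address HOUSTON
management-access outside
"""

def parse_interfaces(cfg):
    """Map each nameif to its IPv4Interface, read from the interface blocks."""
    ifaces, name = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
    return ifaces

def vpn_local_networks(cfg):
    """Local (source) networks of every ACL bound to a crypto map via 'match address'."""
    acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M))
    pat = r"^access-list (\S+) extended permit ip (\S+) (\S+) "
    return [ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            for m in re.finditer(pat, cfg, re.M) if m.group(1) in acls]

def check_management_access(cfg):
    """Return (what management-access names now, what it should name): the ASA
    answers pings to its own interface address over a VPN only when
    management-access names the interface whose address is in the tunnel ACL."""
    ifaces, nets = parse_interfaces(cfg), vpn_local_networks(cfg)
    expected = sorted(n for n, i in ifaces.items() if any(i.ip in net for net in nets))
    m = re.search(r"^management-access (\S+)", cfg, re.M)
    return (m.group(1) if m else None), expected

def suggest_fix(cfg):
    """Commands to apply, in order; empty when the config is already right."""
    current, expected = check_management_access(cfg)
    if not expected or current in expected:
        return []
    fix = [f"no management-access {current}"] if current else []
    return fix + [f"management-access {expected[0]}"]  # ASA allows one interface
```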