06-12-2012 09:08 AM - edited 03-11-2019 04:18 PM
Hi,
I am able to ping from the switch to the firewall inside IP and to the user desktop IP, but I am unable to ping from the user desktop to the FW inside IP. Please suggest. The config for both the switch and the FW (Cisco ASA5510) is below.
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
TechCore-SW#ping 10.28.63.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.28.63.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TechCore-SW#ping 10.28.63.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.28.63.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
TechCore-SW#
Failover On
Failover unit Primary
Failover LAN Interface: HA-SYNC Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 110 maximum
failover replication http
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 07:23:34 UTC Jun 7 2012
This host: Primary - Active
Active time: 433668 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(2)) status (Up Sys)
Interface Outside_Data (172.16.1.4): Normal (Monitored)
Interface INSIDE (10.28.63.17): Normal (Monitored)
Interface CDMZ (10.28.63.33): Normal (Monitored)
Interface Outside_Voice (172.16.2.2): Link Down (Waiting)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 80520 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(2)) status (Up Sys)
Interface Outside_Data (172.16.1.5): Normal (Monitored)
Interface INSIDE (10.28.63.18): Normal (Monitored)
Interface CDMZ (10.28.63.34): Normal (Monitored)
Interface Outside_Voice (0.0.0.0): Link Down (Waiting)
slot 1: empty
FW
===
TechMFWPRIM# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname TechMFWPRIM
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description Outside Airtel_Data
nameif Outside_Data
security-level 0
ip address 172.16.1.4 255.255.255.240 standby 172.16.1.5
!
interface Ethernet0/1
description Inside Airtel LAN Interface
nameif INSIDE
security-level 100
ip address 10.28.63.17 255.255.255.240 standby 10.28.63.18
!
interface Ethernet0/2
description CDMZ
nameif CDMZ
security-level 50
ip address 10.28.63.33 255.255.255.240 standby 10.28.63.34
!
interface Ethernet0/3
description Outside_Voice
shutdown
nameif Outside_Voice
security-level 0
ip address 172.16.2.2 255.255.255.252
!
interface Management0/0
description LAN/STATE Failover Interface
!
ftp mode passive
pager lines 24
logging asdm informational
mtu Outside_Data 1500
mtu INSIDE 1500
mtu CDMZ 1500
mtu Outside_Voice 1500
failover
failover lan unit primary
failover lan interface HA-SYNC Management0/0
failover replication http
failover link HA-SYNC Management0/0
failover interface ip HA-SYNC 192.168.3.1 255.255.255.0 standby 192.168.3.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside_Data 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username TIMFW password c.6Nu5hdpSeNFjvS encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5fc29ed40eb6e177d7089b59f2bfa1a4
: end
===========================================
Core SW
==========
TechCore-SW#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.28.63.17 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.28.63.17, Vlan102
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.28.63.16/28 is directly connected, Vlan102
L 10.28.63.30/32 is directly connected, Vlan102
172.22.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.22.15.0/24 is directly connected, Vlan104
L 172.22.15.254/32 is directly connected, Vlan104
C 172.22.16.0/24 is directly connected, Vlan105
L 172.22.16.254/32 is directly connected, Vlan105
TechCore-SW#wr
Building configuration...
[OK]
TechCore-SW#
TechCore-SW#sh run
Building configuration...
Current configuration : 7467 bytes
!
! Last configuration change at 00:35:07 UTC Sun Mar 7 1993
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TechCore-SW
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
!
!
!
crypto pki trustpoint TP-self-signed-326048768
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-326048768
revocation-check none
rsakeypair TP-self-signed-326048768
!
!
crypto pki certificate chain TP-self-signed-326048768
certificate self-signed 01
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
shutdown
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 102,104,105
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/23
switchport access vlan 104
switchport mode access
!
interface GigabitEthernet1/0/24
description "Connectivity between Primary Firewall port at E
switchport access vlan 102
switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface GigabitEthernet2/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 102,104,105
switchport mode trunk
!
interface GigabitEthernet2/0/2
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/3
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/4
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/5
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/6
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/7
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/8
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/9
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/10
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/11
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/12
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/13
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/14
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/15
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/16
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/17
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/18
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/19
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/20
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/21
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/22
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/23
switchport access vlan 105
switchport mode access
!
interface GigabitEthernet2/0/24
description "Trunk port between Firewall to Core SW "
switchport access vlan 102
switchport mode access
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 10.28.63.14 255.255.255.240
!
interface Vlan102
ip address 10.28.63.30 255.255.255.240
!
interface Vlan104
ip address 172.22.15.254 255.255.255.0
!
interface Vlan105
ip address 172.22.16.254 255.255.255.0
!
ip default-gateway 10.28.63.17
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Vlan102 10.28.63.17
!
logging esm config
!
!
line con 0
line vty 0 4
login
length 0
line vty 5 15
login
!
end
TechCore-SW#
06-12-2012 09:21 AM
From Firewall below ...
Sending 5, 100-byte ICMP Echos to 10.28.63.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
TechMFWPRIM# ping 172.22.15.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.254, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
TechMFWPRIM# ping 172.22.16.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.16.254, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
TechMFWPRIM#
06-12-2012 10:07 AM
Remove "ip default-gateway 10.28.63.17".
Also remove the route you have added and try specifying it like this:
ip route 0.0.0.0 0.0.0.0 Vlan102 1
Then try to ping from the desktop connected to the interface which is configured for VLAN 102.
Even after that, if it does not work, then put an ACL and enable the ICMP inside feature in your firewall.
06-12-2012 10:15 AM
Hi Sanjeev,
Looks like you are missing routes on the ASA to reach your internal LAN. Try adding:
route INSIDE
hth
MS
06-12-2012 10:33 AM
Tried, no progress.
TechMFWPRIM(config)# route INSIDE 172.22.15.0 255.255.255.0 10.28.63.30
TechMFWPRIM(config)# route INSIDE 172.22.16.0 255.255.255.0 10.28.63.30
TechMFWPRIM(config)#
TechMFWPRIM# wr
Building configuration...
Cryptochecksum: bf416591 c05b2280 40de7223 d582639c
3567 bytes copied in 3.220 secs (1189 bytes/sec)
[OK]
TechMFWPRIM# ping 172.22.15.10    (this is my desktop)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
TechMFWPRIM#
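The two posts above (the advice to add INSIDE routes, and the reply applying them) turn on how the ASA resolves the desktop's address 172.22.15.10 in its routing table. The following is an added example, not code from any poster: a longest-prefix-match lookup over the routes visible in this thread (the default route, the connected interface networks, and the two `route INSIDE` lines), checking whether an echo reply to the desktop would leave the same interface the request arrived on. Later posts in the thread show that this route alone did not make the ping work.

```python
import ipaddress

# Constructed from the ASA config posted above: default route plus the
# connected networks the ASA derives from its interface addresses.
# Each entry: (destination network, egress interface, next hop or None).
ASA_ROUTES_BEFORE = [
    ("0.0.0.0/0", "Outside_Data", "172.16.1.1"),
    ("172.16.1.0/28", "Outside_Data", None),
    ("10.28.63.16/28", "INSIDE", None),
    ("10.28.63.32/28", "CDMZ", None),
]

# The two "route INSIDE" lines added in the 10:33 AM post.
ASA_ROUTES_AFTER = ASA_ROUTES_BEFORE + [
    ("172.22.15.0/24", "INSIDE", "10.28.63.30"),
    ("172.22.16.0/24", "INSIDE", "10.28.63.30"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (interface, next_hop) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, nh in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, nh)
    return None if best is None else (best[1], best[2])


def reply_path_ok(routes, ingress_iface, src_ip):
    """True if the reply to src_ip is routed back out the interface the
    request arrived on; a mismatch means the reply goes the wrong way."""
    hit = lookup(routes, src_ip)
    return hit is not None and hit[0] == ingress_iface


if __name__ == "__main__":
    desktop = "172.22.15.10"
    print("before:", lookup(ASA_ROUTES_BEFORE, desktop),
          reply_path_ok(ASA_ROUTES_BEFORE, "INSIDE", desktop))
    print("after: ", lookup(ASA_ROUTES_AFTER, desktop),
          reply_path_ok(ASA_ROUTES_AFTER, "INSIDE", desktop))
```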
06-12-2012 10:48 AM
Hi Sanjeev,
You have to create sub-interfaces for the inside LAN VLANs in the firewalls, assign the respective IPs in the firewalls, and then add the static route for each VLAN.
In the above config, for example, you have configured VLAN 102.
You need to add a route inside:
route inside 10.28.63.16 255.255.255.240 10.28.63.30
Configure one more access interface for VLAN 102, assign some free IPs in 10.28.63.16/28 to your laptop and try pinging it... it should work.
If you want it for the other LAN subnets, then you need to create multiple sub-interfaces in the firewall to succeed... this is one solution.
06-12-2012 11:07 AM
Hi,
From the user desktop I have traced IP 10.28.63.17 (firewall inside IP) successfully:
C:\Users\TechM>tracert 10.28.63.17
Détermination de l'itinéraire vers 10.28.63.17 avec un maximum de 30 sauts.
1 2 ms 1 ms 1 ms 172.22.15.254
2 <1 ms <1 ms 1 ms 10.28.63.17
And from the firewall I am able to trace outside destinations too:
TechMFWPRIM# traceroute 192.168.1.55
Type escape sequence to abort.
Tracing the route to 192.168.1.55
1 172.16.1.2 0 msec 10 msec 0 msec
2 10.168.1.1 0 msec 0 msec 0 msec
3 10.3.4.93 50 msec 30 msec 40 msec
4 192.168.1.55 40 msec 40 msec 50 msec
TechMFWPRIM#
But I am unable to trace this from the desktop:
C:\Users\TechM>tracert 192.168.1.55
Détermination de l'itinéraire vers 192.168.1.55 avec un maximum de 30 sauts.
1 <1 ms 1 ms 1 ms 172.22.15.254
2 172.22.15.254 rapports : Impossible de joindre l'hôte de destination.
06-12-2012 10:32 PM
Hi Sanjeev,
You don't have a route specified in the core switch for the source VLAN (VLAN 104). See, your source VLAN is 172.22.15.0/24, and you don't have the route for that VLAN; you need to add another default route:
ip route 0.0.0.0 0.0.0.0 vlan104 1
Also, you don't have anything specified in the firewall for this subnet, so you should create a sub-interface in the firewall for the inside interface.
For example, you can create them like the below, then trunk and allow all VLANs in the core switch and connect that interface to the firewall inside, so that each will go separately:
int fastethernet 0/1.104
ip address 172.22.15.1 255.255.255.0
security-level 90
nameif inside-vlan104
no shut
!
int fastethernet 0/1.102
ip address
security-level 85
nameif inside-vlan102
no shut
!