Ping to Switch in DMZ not working from Edge Switch

mahesh18
Level 6

Hi Everyone,

Below is my home Lab setup

Sw1----trunk ----ospf  sw2-------direct connection to ASA------DMZ  ------SW3 -------

Switch3 has SVI IP 192.168.69.1

I can ping the IP 169.168.69.1 from sw2 as this has a default static route to the ASA outside interface IP address.

But I cannot ping IP 192.168.69.1 from SW1; I need to know why.

Is this default behaviour?

On switch 1 I add the static route 192.168.69.0 255.255.255.0 192.168.11.1

Where 192.168.11.1 is the interface IP of Sw2, which has a direct connection to the ASA outside interface IP ---192.168.11.2.

Also I define Loopback IP 192.167.77.1 on Sw3.

This IP I can ping from Sw1, but IP 192.168.69.1 I cannot ping.

I define the below static route on Sw1

ip route 192.168.77.0 255.255.255.0 192.168.10.2

where 10.2 is the VLAN 10 IP on Sw2.

Thanks

Mahesh

Message was edited by: mahesh parmar


10 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

I am not 100% sure on the setup. Would it be possible to see the configurations of each device in the homelab?

- Jouni

Hi jouni,

I have attached the config of all 4 devices.

3550A   ---------------switch1

3550b------------------switch2

switch------------------switch 3  direct connection to the DMZ of the ASA.

Thanks

Mahesh

Hi,

Can you share the output of "show ip route" from the SW1?

Also you say that you have the following static route on SW1

ip route 192.168.69.0 255.255.255.0 192.168.11.1

Shouldn't the gateway IP perhaps be 192.168.10.2 instead of 192.168.11.1?

You might also need some NAT0 rules added on the DMZ-NAT0 ACL on the ASA

- Jouni

Hi jouni,

Yesterday I already tried with the gateway IP of 192.168.10.2; it did not work, then I used 11.1 as the gateway, same issue.

Today I tried again, same thing.

3550SMIA(config)#ip route 192.168.69.0 255.255.255.0 192.168.10.2
3550SMIA(config)#end
3550SMIA#ping 192.168.69.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.69.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
3550SMIA#

Here is the sh ip route output

3550SMIA# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.5.3 to network 0.0.0.0

     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/3] via 192.168.5.3, 5d02h, FastEthernet0/11
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       3.3.3.3/32 [110/2] via 192.168.5.3, 5d02h, FastEthernet0/11
C       3.4.4.0/24 is directly connected, Loopback0
C    192.168.30.0/24 is directly connected, Vlan30
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
S    192.168.77.0/24 [1/0] via 192.168.10.2
C    192.168.10.0/24 is directly connected, Vlan10
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2    172.31.2.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2    172.31.1.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2    172.31.0.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O    192.168.11.0/24 [110/3] via 192.168.5.3, 5d02h, FastEthernet0/11
O    192.168.98.0/24 [110/2] via 192.168.99.1, 5d02h, FastEthernet0/8
C    192.168.99.0/24 is directly connected, FastEthernet0/8
C    192.168.20.0/24 is directly connected, Vlan20
     192.168.5.0/31 is subnetted, 1 subnets
C       192.168.5.2 is directly connected, FastEthernet0/11
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/2] via 192.168.5.3, 5d02h, FastEthernet0/11
S    192.168.69.0/24 [1/0] via 192.168.10.2
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 5d02h, FastEthernet0/11

Thanks

Mahesh

Hi,

Can you add this on the ASA:

access-list DMZ-NAT0 extended permit ip 192.168.69.0 255.255.255.0 192.168.10.0 255.255.255.0

And then try the ICMP again.

- Jouni

Hi Jouni,

As soon as I added the statement on the ASA, the ping worked

3550SMIA#ping 192.168.69.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.69.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Can you please explain to me what magic was done by that config?

It was working fine for 192.168.77.1 but not for 192.168.69.1; I need to know why.

Regards

Mahesh

Hi,

Notice that before you added that ACL rule/line, the network 192.168.69.0/24 had the following NAT rules on the ASA:

access-list DMZ-NAT0 extended permit ip 192.168.69.0 255.255.255.0 192.168.11.0 255.255.255.0 log
global (outside) 1 interface
nat (DMZ) 0 access-list DMZ-NAT0
nat (DMZ) 1 192.168.69.0 255.255.255.0

In short, the above states:

  • Traffic between 192.168.69.0/24 and 192.168.10.0/24 is NOT NATed (applies to whichever network opens the connection)
  • For traffic from network 192.168.69.0/24 towards any other network, Dynamic PAT is applied and the source address is PATed to the "outside" interface IP address
  • Naturally, any connection attempted from any other "outside" network won't match any NAT rule and gets dropped on the ASA

So as you can see, the only network for which NO NAT will be done is the remote network 192.168.11.0/24, which is the network between the ASA and Switch-2.

Notice now that the network between Switch-2 and Switch-1 is the network 192.168.10.0/24.

When you issue the PING command on Switch-1 towards the DMZ IP address, it will use the source address 192.168.10.1.

So since the ASA doesn't have a NAT0 rule for traffic between networks 192.168.69.0/24 and 192.168.10.0/24, the ICMP won't succeed even if the routing is otherwise fine.

When you added the ACL I suggested, the ASA knows that it shouldn't apply any NAT between those 2 networks.

- Jouni

Hi Jouni,

Before I added the ACL as you told me, ping to 192.168.77.1 was working.

Here is the debug info

ciscoasa# ICMP echo request from outside:192.168.10.1 to DMZ:192.168.77.1 ID=114 seq=0 len=72
ICMP echo reply from DMZ:192.168.77.1 to outside:192.168.10.1 ID=114 seq=0 len=72
ICMP echo request from outside:192.168.10.1 to DMZ:192.168.77.1 ID=114 seq=1 len=72
ICMP echo reply from DMZ:192.168.77.1 to outside:192.168.10.1 ID=114 seq=1 len=72
ICMP echo request from outside:192.168.10.1 to DMZ:192.168.77.1 ID=114 seq=2 len=72
ICMP echo reply from DMZ:192.168.77.1 to outside:192.168.10.1 ID=114 seq=2 len=72
ICMP echo request from outside:192.168.10.1 to DMZ:192.168.77.1 ID=114 seq=3 len=72
ICMP echo reply from DMZ:192.168.77.1 to outside:192.168.10.1 ID=114 seq=3 len=72
ICMP echo request from outside:192.168.10.1 to DMZ:192.168.77.1 ID=114 seq=4 len=72
ICMP echo reply from DMZ:192.168.77.1 to outside:192.168.10.1 ID=114 seq=4 len=72

Can you please explain why this was working? Here it shows the outside IP as 192.168.10.1 even though we have no NAT between 192.168.69.0 and 192.168.11.0.

Also, when you say

In short the above states

  • For traffic between 192.168.69.0/24 and 192.168.10.0/24 is NOT NATed (applies to which ever network opens the connection)

does this mean 192.168.69.0 and 11.0? Because before we added the new ACL today, there was no NAT between the 192.168.69.0 and 11.0 subnets?

Regards

Mahesh

Hi,

For the explanation about 192.168.77.1 we will again have to look at the NAT configurations.

I'll again refer to the configuration that was there before we added anything:

access-list DMZ-NAT0 extended permit ip 192.168.69.0 255.255.255.0 192.168.11.0 255.255.255.0 log
global (outside) 1 interface
nat (DMZ) 0 access-list DMZ-NAT0
nat (DMZ) 1 192.168.69.0 255.255.255.0

As you can see in the above:

  • There is a NAT0 configuration for the network 192.168.69.0/24 to network 192.168.11.0/24, and it works in both directions
  • The Dynamic PAT configuration ONLY includes the source network 192.168.69.0/24
  • The above means that the ASA has absolutely NO NAT configuration for the network 192.168.77.0/24.
  • Since we have now noticed that there is NO NAT configuration for the loopback network 192.168.77.0/24, we know that the traffic that comes from the loopback network isn't NATed towards the "outside", and it will be accessible as long as the ACLs allow it
  • One important thing to notice is the "nat-control" setting. If this was on (it would show on top of the "global" configurations) then every connection would require a proper NAT configuration and without one would not pass the firewall. In other words, the loopback network's connections would fail.
    • However, the default setting for "nat-control" is "no nat-control", and therefore the ASA doesn't require NAT configurations for traffic. And since the loopback network didn't have any NAT configuration, the ASA let it pass because it was allowed by the other rules of the ASA. Notice that the default setting "no nat-control" won't show in the configuration (because it's a default setting).

And in the other case, I had a typing mistake. The network was wrong, as you correctly noticed. The network should have been 192.168.11.0/24 in that sentence that I wrote.

- Jouni
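The NAT decision Jouni walks through in his two explanations above (why the ping to 192.168.69.1 from Switch-1 failed until the extra DMZ-NAT0 line was added, and why the 192.168.77.1 loopback worked with no NAT rule at all), as an added example that is not part of the original thread. It is my own small Python model of the pre-8.3 ASA behaviour; the function name, verdict strings and the outbound destination 192.0.2.10 are assumptions, while the addresses, the exemption ACL, the dynamic PAT and the nat-control default come from the posts.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the pre-8.3 ASA NAT decision described in the thread.
# The function and verdict strings are my own (hypothetical); the addresses and
# policy (DMZ-NAT0 exemption, dynamic PAT to the outside interface) are from the posts.
NAT0_ACL = [  # nat (DMZ) 0 access-list DMZ-NAT0: exempt, matched in both directions
    (ip_network("192.168.69.0/24"), ip_network("192.168.11.0/24")),
]
DYNAMIC_PAT = [ip_network("192.168.69.0/24")]   # nat (DMZ) 1 + global (outside) 1 interface
OUTSIDE_IF_IP = ip_address("192.168.11.2")      # ASA outside interface IP (from the thread)


def classify(src, dst, initiator, nat_control=False, nat0_acl=NAT0_ACL):
    """Decide how the ASA treats a connection opened by `initiator` ("DMZ" or
    "outside") from src to dst. Returns (verdict, source address seen on the far side)."""
    src, dst = ip_address(src), ip_address(dst)
    dmz_host, far_host = (src, dst) if initiator == "DMZ" else (dst, src)
    # 1. NAT exemption (nat 0 access-list) applies whichever side opens the connection.
    if any(dmz_host in local and far_host in remote for local, remote in nat0_acl):
        return "pass-no-nat", str(src)
    # 2. Dynamic PAT only builds translations for connections the DMZ host opens;
    #    an inbound connection to such a host finds no translation and is dropped.
    if any(dmz_host in net for net in DYNAMIC_PAT):
        if initiator == "DMZ":
            return "pass-pat", str(OUTSIDE_IF_IP)
        return "drop-no-translation", None
    # 3. No NAT rule at all for this host: only nat-control can block it
    #    (the default "no nat-control" lets it through if the ACLs allow it).
    if nat_control:
        return "drop-nat-control", None
    return "pass-no-nat", str(src)


# The fix from the thread: an extra exemption line for the Switch-1 side network.
NAT0_ACL_FIXED = NAT0_ACL + [(ip_network("192.168.69.0/24"), ip_network("192.168.10.0/24"))]

if __name__ == "__main__":
    for args in [("192.168.10.1", "192.168.69.1", "outside"),   # failed ping from Switch-1
                 ("192.168.11.1", "192.168.69.1", "outside"),   # Switch-2 works: exempt
                 ("192.168.10.1", "192.168.77.1", "outside"),   # loopback: no NAT rule at all
                 ("192.168.69.1", "192.0.2.10", "DMZ")]:        # DMZ host outbound: PAT
        print(args, classify(*args))
    print("after fix:", classify("192.168.10.1", "192.168.69.1", "outside", nat0_acl=NAT0_ACL_FIXED))
    print("with nat-control:", classify("192.168.10.1", "192.168.77.1", "outside", nat_control=True))
```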

Hi jouni,

I got it now. Seems I need some practice on NAT.

I will keep reading your posts on this forum until I become comfortable with NAT.

Best regards

Mahesh
