09-23-2013 06:34 PM - edited 03-11-2019 07:42 PM
Hi,
I am using an ASA 5525 running version 8.6, and I am trying to ping through different interfaces; however, I am not able to do that. My test results are:
- can PING between the outside interface and the next hop (same subnet)
- cannot PING between the inside interface and the next hop (same subnet)
- cannot PING between the DMZ interface and the next hop (same subnet)
Please see the firewall configuration below for reference.
--------------------------------------------------------------------------------
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 16.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.16
 vlan 16
 nameif inside
 security-level 100
 ip address 17.x.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3.69
 vlan 69
 nameif dmz
 security-level 50
 ip address 18.x.x.x 255.255.255.0
!
access-list o_inside extended permit icmp any any
access-list o_inside extended permit icmp any any echo
access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
access-list o_dmz extended permit icmp any any
access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo-reply
!
icmp permit any outside
icmp permit any dmz
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
route inside 17.x.0.0 (Whole inside interface subnet) 255.255.0.0 17.x.x.x (Internal Network) 1
route dmz 17.x.x.0 (Internal) 255.255.255.0 18.x.x.x (DMZ Network) 1
route outside 18.x.x.0 (DMZ) 255.255.255.0 16.x.x.x (Outside Network) 1
If possible, could anyone please tell me what is wrong with the configuration and what I need to add to achieve the desired result above.
Thank You,
Kind Regards
Rohit Mangotra.
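A check a practitioner would run against the static routes in the configuration above, added here as an example and not part of the original thread or the poster's own configuration. The posted routes send an internal /24 out the DMZ interface and the DMZ subnet out the outside interface, while both subnets are also directly connected; on a stateful firewall such as the ASA, a reply that comes back on a different interface than the request left on is dropped, and ICMP inspection tracks echo/reply pairs in the same way. The script below parses a small constructed config modelled on the posted one (the sanitised 16.x.x.x / 17.x.x.x / 18.x.x.x addresses are replaced with documentation-range values, an assumption; the masks are the original ones) and flags every static route whose destination falls inside another interface's connected subnet, plus any next hop that is not on the egress interface's own subnet.

```python
import ipaddress
import re

# Constructed sample mirroring the interface and static-route lines of the
# posted configuration. The thread's sanitised 16.x.x.x / 17.x.x.x / 18.x.x.x
# addresses are replaced with documentation-range values (an assumption):
# outside is a /29, inside and dmz are /24s, exactly as the original masks say.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/1.16
 vlan 16
 nameif inside
 security-level 100
 ip address 10.17.1.1 255.255.255.0
interface GigabitEthernet0/3.69
 vlan 69
 nameif dmz
 security-level 50
 ip address 10.18.1.1 255.255.255.0
route inside 10.17.0.0 255.255.0.0 10.17.1.254 1
route dmz 10.17.1.0 255.255.255.0 10.18.1.254 1
route outside 10.18.1.0 255.255.255.0 198.51.100.1 1
"""

# route <nameif> <destination> <mask> <next-hop> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_interfaces(config):
    """Map each nameif to its connected IPv4 subnet.

    The ASA prints 'nameif' before 'ip address' under an interface; parent
    interfaces carry 'no nameif' / 'no ip address' and are skipped because
    those lines do not start with the bare keyword.
    """
    ifaces = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            ifaces[nameif] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return ifaces


def parse_routes(config):
    """Return (egress nameif, destination network, next hop) for each 'route' line."""
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            nameif, dst, mask, nexthop = m.groups()
            routes.append((nameif,
                           ipaddress.IPv4Network(f"{dst}/{mask}", strict=False),
                           ipaddress.IPv4Address(nexthop)))
    return routes


def check_routes(config):
    """Flag static routes that fight the connected routes.

    Returns a list of (kind, egress nameif, destination, detail) tuples:
      'overlap'  - destination lies inside a different interface's connected
                   subnet, so traffic for that subnet can leave the wrong
                   interface (asymmetric path; breaks stateful ICMP tracking)
      'next-hop' - next hop is not on the egress interface's own subnet
    """
    ifaces = parse_interfaces(config)
    findings = []
    for nameif, dst, nexthop in parse_routes(config):
        egress = ifaces.get(nameif)
        if egress is None:
            findings.append(("unknown-interface", nameif, str(dst), "no such nameif"))
            continue
        if nexthop not in egress:
            findings.append(("next-hop", nameif, str(dst),
                             f"{nexthop} is not on {nameif} subnet {egress}"))
        for other, net in ifaces.items():
            if other != nameif and dst.subnet_of(net):
                findings.append(("overlap", nameif, str(dst),
                                 f"within {other} connected subnet {net}"))
    return findings


if __name__ == "__main__":
    for finding in check_routes(SAMPLE_CONFIG):
        print(*finding)
```

Run against the sample it reports two overlaps: the internal /24 routed out dmz and the DMZ /24 routed out outside. To run it against a real box, paste the output of `show running-config interface` and `show running-config route` into SAMPLE_CONFIG; the parser only looks at `nameif`, `ip address` and `route` lines.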
10-24-2013 10:38 PM
Hi Jouni,
Sorry for the late reply; I was busy with an ongoing project. We converted the configuration as you recommended, and it is working except for one issue that we are facing. Please see the attached file for more information.
(can see PING traffic hit the FW's ACL when PINGing from the internal network)
(can see PING traffic hit the FW's ACL when PINGing from the DMZ network)
Thanks a lot in advance
Regards
Rohit.
10-24-2013 11:20 PM
Hi,
Please provide "packet-tracer" output for the PING from INTERNAL to the VPN CONCENTRATOR PUBLIC address and from DMZ to the VPN CONCENTRATOR PUBLIC address (ICMP type 8, code 0 is an echo request):
packet-tracer input inside icmp <inside-host-ip> 8 0 <concentrator-public-ip>
packet-tracer input dmz icmp <dmz-host-ip> 8 0 <concentrator-public-ip>
This should tell us whether the ASA configuration is fine.
- Jouni
10-24-2013 11:42 PM
10-25-2013 12:01 AM
Hi,
It seems to go through just fine.
Has this worked before the change?
I was just thinking about how you have set up routing on the VPN concentrator. The default route on the concentrator should forward the ICMP echo reply through its public interface UNLESS you have routed the INSIDE and DMZ networks through the concentrator's private interface.
- Jouni
10-25-2013 01:52 AM
Hi Jouni,
Thanks a lot for all your help. I will have a look at the VPN concentrator and see what's going on.
Thanks
Kind Regards
Rohit.