Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1047
Views
5
Helpful
2
Replies

Problem to communicate through ASA 5506-X 9.8(1)

Go to solution
Jean-Yves ANDREOLETTI
Level 1
Level 1

‎09-18-2017 05:22 AM - edited ‎02-21-2020 06:19 AM

Hello,

 

The topology is in the attached file.

 

My problem is I can't ping client 2 from client 1 and Client 1 from client 2.

 

Interface 2 and 3 have same security level.

 

Here is the configuration of the ASA :

!
ASA Version 9.8(1)
!
hostname PTF-FW002
domain-name XXXXXX
enable password XXXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
interface GigabitEthernet1/1
 nameif Outside
 security-level 1
 pppoe client vpdn group Orange
 ip address pppoe
!
interface GigabitEthernet1/2
 nameif Corporate
 security-level 95
 ip address 10.38.143.245 255.255.255.248
!
interface GigabitEthernet1/3
 nameif AGNET-SGI
 security-level 95
 ip address 10.103.1.253 255.255.255.0
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.253 255.255.255.0
!
boot system disk0:/asa981-lfbff-k8.SPA
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name XXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Airbus-Network
 subnet 10.0.0.0 255.0.0.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.103.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 10.103.1.0 255.255.255.0
access-list AGNET-SGI_access_in extended permit ip 10.103.1.0 255.255.255.0 object Airbus-Network
access-list Corporate_access_in extended permit ip object Airbus-Network object-group DM_INLINE_NETWORK_2
access-list global_access extended permit ip any object Airbus-Network
pager lines 24
logging enable
logging asdm warnings
mtu Outside 1500
mtu AGNET-SGI 1500
mtu Corporate 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit host XX.XX.XX.XX management
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (AGNET-SGI,Corporate) source static any any destination static Airbus-Network Airbus-Network no-proxy-arp
access-group AGNET-SGI_access_in in interface AGNET-SGI
access-group Corporate_access_in in interface Corporate
access-group global_access global
route Corporate 10.0.0.0 255.0.0.0 10.38.143.246 1
route management XX.XX.XX.XX 255.255.255.255 XX.XX.XX.XX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http XX.XX.XX.XX 255.255.255.255 management
snmp-server host management XX.XX.XX.XX community *****
snmp-server location XXX
snmp-server contact XXX
snmp-server community *****
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh XX.XX.XX.XX 255.255.255.255 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group Orange request dialout pppoe
vpdn group Orange localname fti/pbetyd4
vpdn group Orange ppp authentication pap
vpdn username fti/pbetyd4 password XXXXXXX

no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server XX.XX.XX.XX source Corporate prefer
ntp server XX.XX.XX.XX source Corporate prefer
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:26a1ccce98f42b4412ed36d3fee54767
: end
asdm image disk0:/asdm-781-150.bin
no asdm history enable

 

I don't understand what's wrong.

 

Thanks for your help

Labels:
Preview file
158 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jean-Yves ANDREOLETTI
Level 1
Level 1
In response to Flavio Miranda

‎09-18-2017 07:41 AM

Hello,

 

Thanks for your answer but problem cames from my NAT rules. I have configured a previous NAT on other interface and this is this NAT rules wich is used. Problem solved by erasing all my NAT rules and redo a NAT on the correct interface.

 

Regards.

 

Jean-Yves

View solution in original post

2 Replies 2

Go to solution
Flavio Miranda
VIP
VIP

‎09-18-2017 06:11 AM

Jean,

 Start by adding inspect icmp on your policy-map. Just run this as presented below:

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect dns preset_dns_map

  inspect icmp

 

 If does not works, please, prove routing table for all device on the topoloy, include PCs.

0 Helpful

Go to solution
Jean-Yves ANDREOLETTI
Level 1
Level 1
In response to Flavio Miranda

‎09-18-2017 07:41 AM

Hello,

 

Thanks for your answer but problem cames from my NAT rules. I have configured a previous NAT on other interface and this is this NAT rules wich is used. Problem solved by erasing all my NAT rules and redo a NAT on the correct interface.

 

Regards.

 

Jean-Yves

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card