09-18-2017 05:22 AM - edited 02-21-2020 06:19 AM
Hello,
The topology is in the attached file.
My problem is I can't ping client 2 from client 1 and Client 1 from client 2.
Interface 2 and 3 have same security level.
Here is the configuration of the ASA :
!
ASA Version 9.8(1)
!
hostname PTF-FW002
domain-name XXXXXX
enable password XXXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
interface GigabitEthernet1/1
nameif Outside
security-level 1
pppoe client vpdn group Orange
ip address pppoe
!
interface GigabitEthernet1/2
nameif Corporate
security-level 95
ip address 10.38.143.245 255.255.255.248
!
interface GigabitEthernet1/3
nameif AGNET-SGI
security-level 95
ip address 10.103.1.253 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.0.0.253 255.255.255.0
!
boot system disk0:/asa981-lfbff-k8.SPA
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name XXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Airbus-Network
subnet 10.0.0.0 255.0.0.0
object-group network DM_INLINE_NETWORK_2
network-object 10.103.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 10.103.1.0 255.255.255.0
access-list AGNET-SGI_access_in extended permit ip 10.103.1.0 255.255.255.0 object Airbus-Network
access-list Corporate_access_in extended permit ip object Airbus-Network object-group DM_INLINE_NETWORK_2
access-list global_access extended permit ip any object Airbus-Network
pager lines 24
logging enable
logging asdm warnings
mtu Outside 1500
mtu AGNET-SGI 1500
mtu Corporate 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit host XX.XX.XX.XX management
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (AGNET-SGI,Corporate) source static any any destination static Airbus-Network Airbus-Network no-proxy-arp
access-group AGNET-SGI_access_in in interface AGNET-SGI
access-group Corporate_access_in in interface Corporate
access-group global_access global
route Corporate 10.0.0.0 255.0.0.0 10.38.143.246 1
route management XX.XX.XX.XX 255.255.255.255 XX.XX.XX.XX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http XX.XX.XX.XX 255.255.255.255 management
snmp-server host management XX.XX.XX.XX community *****
snmp-server location XXX
snmp-server contact XXX
snmp-server community *****
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh XX.XX.XX.XX 255.255.255.255 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group Orange request dialout pppoe
vpdn group Orange localname fti/pbetyd4
vpdn group Orange ppp authentication pap
vpdn username fti/pbetyd4 password XXXXXXX
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server XX.XX.XX.XX source Corporate prefer
ntp server XX.XX.XX.XX source Corporate prefer
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:26a1ccce98f42b4412ed36d3fee54767
: end
asdm image disk0:/asdm-781-150.bin
no asdm history enable
I don't understand what's wrong.
Thanks for your help
Solved! Go to Solution.
09-18-2017 07:41 AM
Hello,
Thanks for your answer but problem cames from my NAT rules. I have configured a previous NAT on other interface and this is this NAT rules wich is used. Problem solved by erasing all my NAT rules and redo a NAT on the correct interface.
Regards.
Jean-Yves
09-18-2017 06:11 AM
Jean,
Start by adding inspect icmp on your policy-map. Just run this as presented below:
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
If does not works, please, prove routing table for all device on the topoloy, include PCs.
09-18-2017 07:41 AM
Hello,
Thanks for your answer but problem cames from my NAT rules. I have configured a previous NAT on other interface and this is this NAT rules wich is used. Problem solved by erasing all my NAT rules and redo a NAT on the correct interface.
Regards.
Jean-Yves
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide