06-07-2014 01:45 PM - edited 03-11-2019 09:18 PM
Hi Everyone,
Below is the setup
ASA1----DMZ----SW1----DMZ----ASA2
ASA1# ping 192.168.2.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.51, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA1 config
interface Vlan4
nameif DMZ
security-level 45
ip address 192.168.1.171 255.255.255.0
ASA1# sh run route
route DMZ 192.168.2.0 255.255.255.0 192.168.1.174 1
Switch config
interface FastEthernet1/0/3
description Connection To ASA 5510
switchport access vlan 5
switchport mode access
spanning-tree portfast
interface Vlan5
ip address 192.168.2.50 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.171
ASA2 config
interface Ethernet0/1
nameif vlan5
security-level 10
ip address 192.168.2.51 255.255.255.0
sh run route
route vlan4 0.0.0.0 0.0.0.0 192.168.1.171 1
From ASA1 I can ping the IP 192.168.2.50 but not .51.
Logs from ASA1
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.2.51/0 gaddr 192.168.1.171/17688 laddr 192.168.1.171/17688
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.51/0 gaddr 192.168.1.171/17688 laddr 192.168.1.171/17688
Logs from ASA2
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.171/17381 gaddr 192.168.2.51/0 laddr 192.168.2.51/0
%ASA-6-110003: Routing failed to locate next hop for icmp from vlan5:192.168.2.51/0 to vlan5:192.168.1.171/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.171/17381 gaddr 192.168.2.51/0 laddr 192.168.2.51/0
I need to know: is this default behaviour,
or can I fix this?
Best Regards
Mahesh
06-07-2014 07:26 PM
Mahesh,
You're only showing us half the relevant information. We'd need to see where each subnet resides and what the interface addresses of both ASAs are.
Generally speaking a given subnet needs to be contiguous.
06-07-2014 08:01 PM
Hi Marvin,
ASA1
!
interface Vlan3
nameif sales
security-level 50
ip address 10.12.12.1 255.255.255.0
!
interface Vlan4
nameif DMZ
security-level 45
ip address 192.168.1.171 255.255.255.0
!
ASA2
interface Ethernet0/0
nameif vlan4
security-level 45
ip address 192.168.1.173 255.255.255.0
!
interface Ethernet0/1
nameif vlan5
security-level 55
ip address 192.168.2.51 255.255.255.0
So subnet 192.168.1.x resides on both ASAs.
Also subnet 192.168.2.x resides on the switch and on ASA2.
let me know if you need any other info.
Regards
Mahesh
06-08-2014 06:07 AM
So your pings from ASA1 to the VLAN 5 interface of ASA 2 fail with the log message that the routing fails. But pings to the switch's VLAN 5 interface pass.
I suspect the switch has a VLAN 4 interface also - is it 192.168.1.174 (the gateway defined on ASA1)? If so the pings to the switch's VLAN 5 interface do not transit ASA2. Instead the switch itself replies directly to ASA1.
06-08-2014 07:08 AM
Hi Marvin,
Yes, the switch has a VLAN 4 interface with IP 192.168.1.174.
The switch's gateway IP is 192.168.1.171.
From ASA1 I can ping the switch SVI 192.168.0.50.
As I am seeing log messages generated on ASA2, do you agree that the ping to IP 192.168.2.51 reaches ASA2?
Regards
Mahesh
06-08-2014 06:52 AM
Hi Mahesh,
You will not be able to ping the outside IP on the ASA from a host on the inside. Additionally, you cannot ping the inside ip address from a host on the outside. If you are trying to ping another device on the outside from a device on the inside, you can enable stateful icmp inspection.
According to your log,
where you are using the highlighted address:
ASA1# sh run route
route DMZ 192.168.2.0 255.255.255.0 192.168.1.174 1
I think you need to use 192.168.1.173,
but as Marvin mentioned below, you also have a mysterious configuration on the switch.
Regards,
kazim
"Don't forget to rate, if post helpful"
06-08-2014 07:16 AM
Hi Kazim,
I did as you suggested.
ASA1
route DMZ 192.168.2.0 255.255.255.0 192.168.1.173 1
After doing this I cannot even ping 192.168.2.50:
ping 192.168.2.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.50, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
pri/act/ASA1# ping 192.168.2.173
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.173, timeout is 2 seconds:
?????
Regards
Mahesh
06-08-2014 09:38 AM
OK, send your config, especially the switch interfaces facing the ASAs on both sides, and VLANs 4 and 5 as well.
regards,
kazim
06-08-2014 10:40 AM
ASA1
interface Ethernet0/3
description Connection to Switch
switchport access vlan 4
interface Vlan4
nameif DMZ
security-level 45
ip address 192.168.1.171 255.255.255.0
ASA1# sh run route
route DMZ 192.168.2.0 255.255.255.0 192.168.1.174 1
******************************************************************************************
Switch port connecting to ASA1
interface FastEthernet1/0/1
description Connection To ASA 5505
switchport access vlan 4
switchport mode access
spanning-tree portfast
Switch Ports connecting to ASA2
interface FastEthernet1/0/2
description Connection To ASA 5510 Int Eth0/0
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/0/3
description Connection To ASA 5510 Int Eth0/1
switchport access vlan 5
switchport mode access
spanning-tree portfast
interface Vlan4
ip address 192.168.1.174 255.255.255.0
!
interface Vlan5
ip address 192.168.2.50 255.255.255.0
The default route of the switch points to ASA1:
ip route 0.0.0.0 0.0.0.0 192.168.1.171
**********************************************************************************************
ASA2 ports connecting to Switch are below --
interface Ethernet0/0
nameif vlan4
security-level 45
ip address 192.168.1.173 255.255.255.0
!
interface Ethernet0/1
nameif vlan5
security-level 55
ip address 192.168.2.51 255.255.255.0
Default gateway of ASA2 is
sh run route
route vlan4 0.0.0.0 0.0.0.0 192.168.1.171 1
Regards
Mahesh
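The two static-route variants discussed above (ASA1 pointing 192.168.2.0/24 at the switch's .174 versus at ASA2's .173) produce different forward and return paths. The following is an added example, not code from the thread: a small longest-prefix-match tracer built from the interfaces and routes exactly as posted (ASA1, the switch, ASA2). It assumes only those posted addresses and routes; the node and function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    """A router/firewall/switch SVI described by its interfaces and static routes."""
    name: str
    interfaces: dict                      # nameif -> "address/prefixlen"
    static_routes: list = field(default_factory=list)  # [(prefix, next_hop), ...]

    def __post_init__(self):
        self.ifaces = {n: ipaddress.ip_interface(c) for n, c in self.interfaces.items()}
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh))
                       for p, nh in self.static_routes]

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces.values())

    def egress_for(self, addr):
        """Name of the interface whose connected subnet contains addr, or None."""
        for name, i in self.ifaces.items():
            if addr in i.network:
                return name
        return None

    def next_hop(self, dst):
        """Longest-prefix match over connected subnets and static routes.
        Returns (next_hop_address, egress_interface) or None."""
        best = None
        for name, i in self.ifaces.items():           # connected: next hop is dst itself
            if dst in i.network and (best is None or i.network.prefixlen > best[0]):
                best = (i.network.prefixlen, dst, name)
        for net, nh in self.routes:                   # static: egress is where the next hop lives
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh, self.egress_for(nh))
        return None if best is None else (best[1], best[2])


def build_lab(asa1_next_hop):
    """The three devices as posted in the thread; only ASA1's DMZ route next hop varies."""
    return [
        Node("ASA1", {"sales": "10.12.12.1/24", "DMZ": "192.168.1.171/24"},
             [("192.168.2.0/24", asa1_next_hop)]),
        Node("SW", {"Vlan4": "192.168.1.174/24", "Vlan5": "192.168.2.50/24"},
             [("0.0.0.0/0", "192.168.1.171")]),
        Node("ASA2", {"vlan4": "192.168.1.173/24", "vlan5": "192.168.2.51/24"},
             [("0.0.0.0/0", "192.168.1.171")]),
    ]


def trace(nodes, src_name, dst, max_hops=8):
    """Hop-by-hop path from src_name to dst: 'Node:egress_if' per hop, the owner last."""
    dst = ipaddress.ip_address(dst)
    by_addr = {i.ip: n.name for n in nodes for i in n.ifaces.values()}
    by_name = {n.name: n for n in nodes}
    path, cur = [], by_name[src_name]
    for _ in range(max_hops):
        if cur.owns(dst):
            path.append(cur.name)
            return path
        hop = cur.next_hop(dst)
        if hop is None or hop[1] is None:
            path.append(f"{cur.name}:no-route")
            return path
        nh, egress = hop
        path.append(f"{cur.name}:{egress}")
        if nh not in by_addr:
            path.append(f"unknown-next-hop:{nh}")
            return path
        cur = by_name[by_addr[nh]]
    path.append("loop")
    return path


if __name__ == "__main__":
    for nh in ("192.168.1.174", "192.168.1.173"):
        lab = build_lab(nh)
        print(f"ASA1 route via {nh}")
        for target in ("192.168.2.50", "192.168.2.51"):
            print("  forward", target, trace(lab, "ASA1", target))
        print("  return from SW  ", trace(lab, "SW", "192.168.1.171"))
        print("  return from ASA2", trace(lab, "ASA2", "192.168.1.171"))
```

With the original .174 next hop, an echo to 192.168.2.51 reaches ASA2 on its vlan5 interface (via the switch's VLAN 5 SVI) while the only route ASA2 has back to 192.168.1.171 is the connected vlan4 subnet, which is the mismatch the 110003 message on ASA2 reports. With the .173 next hop, the forward path to 192.168.2.50 transits ASA2 (vlan4 to vlan5, where its security levels and interface ACLs apply) but the switch's default route sends the reply straight back to ASA1, so ASA2 sees only one direction of the flow.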
06-08-2014 10:49 AM
As already mentioned, you will not be able to ping another interface on the ASA other than the ingress interface, so you will never be able to ping the VLAN5 interface on ASA2. It is normal behaviour that you will see the "failed to locate next hop" log message. This is because the ICMP packet reaches ASA2, but ASA2 has security measures in place to prevent pinging across the ASA interfaces.
--
Please remember to select a correct answer and rate helpful posts
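The %ASA-6-110003 line quoted earlier is worth recognising in logs, because the same message also appears for ordinary missing-route problems. The following is an added example, not code from the thread: a Python parser that reads ASA2's three posted log lines and flags a 110003 only when the ASA is sourcing the packet from one of its own interface addresses toward a host that is not on that interface's subnet, i.e. a reply to a to-the-box packet that would have to leave via a different interface. The interface list is ASA2's as posted; the second, negative test line is constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# ASA2's interfaces as posted in the thread (nameif -> address/prefix).
ASA2_INTERFACES = {"vlan4": "192.168.1.173/24", "vlan5": "192.168.2.51/24"}

# The three lines ASA2 logged in the thread, used here as sample input.
SAMPLE_LOG = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.1.171/17381 gaddr 192.168.2.51/0 laddr 192.168.2.51/0
%ASA-6-110003: Routing failed to locate next hop for icmp from vlan5:192.168.2.51/0 to vlan5:192.168.1.171/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.171/17381 gaddr 192.168.2.51/0 laddr 192.168.2.51/0
"""

ROUTE_FAIL_RE = re.compile(
    r"%ASA-\d-110003: Routing failed to locate next hop for (?P<proto>\w+) "
    r"from (?P<sif>[\w-]+):(?P<src>[\d.]+)/\d+ to (?P<dif>[\w-]+):(?P<dst>[\d.]+)/\d+"
)


@dataclass
class Finding:
    reply_src: str            # ASA-owned address the packet was sourced from
    reply_if: str             # interface the ASA tried to send it out of (dif in the log)
    peer: str                 # host the ASA was trying to reach (the pinging host)
    peer_if: Optional[str]    # interface whose subnet holds the peer, if any
    raw: str


def build_ifaces(cidrs):
    return {name: ipaddress.ip_interface(cidr) for name, cidr in cidrs.items()}


def owning_interface(ifaces, addr):
    for name, iface in ifaces.items():
        if addr in iface.network:
            return name
    return None


def explain_110003(line, ifaces):
    """Return a Finding for the 'reply to a non-ingress interface ping' pattern, else None."""
    m = ROUTE_FAIL_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    self_addrs = {iface.ip: name for name, iface in ifaces.items()}
    if src not in self_addrs:
        return None      # transit traffic with a missing route: a different problem
    if dst in ifaces[self_addrs[src]].network:
        return None      # peer is on-link for that interface: not the cross-interface pattern
    return Finding(reply_src=str(src), reply_if=m["dif"], peer=str(dst),
                   peer_if=owning_interface(ifaces, dst), raw=line.rstrip())


def analyze(log_text, cidrs):
    """Scan a syslog extract and return the findings in log order."""
    ifaces = build_ifaces(cidrs)
    return [f for f in (explain_110003(line, ifaces) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, ASA2_INTERFACES):
        print(f"ASA sourced reply from {f.reply_src} out {f.reply_if}, but peer {f.peer} "
              f"is on {f.peer_if}: a ping to a non-ingress interface, expected to fail")
```

For the posted log the parser reports the reply sourced from 192.168.2.51 out vlan5 toward 192.168.1.171, which lives on the vlan4 subnet; a 110003 whose source address is not one of the ASA's own is left alone, since that indicates a genuine missing route for transit traffic rather than the behaviour discussed in this thread.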
06-08-2014 11:00 AM
Hi Marius,
Thanks for answering the question.
To better understand firewalls I work in my home lab on weekends.
So does it mean that if a host is behind, say, the inside interface of ASA1 (10.0.0.x), then that host cannot ping any other interface IP of ASA2,
even though ASA2 is connected far away in the network?
The setup is here:
PC--10.0.0.10-------inside---ASA1----DMZ---SW---- DMZ ASA2
From the PC I can ping the IP of VLAN 5 on the switch, 192.168.2.50, but
I cannot ping IP 192.168.2.51 of the ASA2 interface.
So does your answer apply to this also?
Best regards
Mahesh
06-08-2014 11:58 AM
From PC 10.0.0.10 you will be able to ping ASA2 interface connected to the DMZ because that is the ingress interface of the ICMP packet. However if you also have an outside interface on ASA2, the outside interface can not be pinged by PC 10.0.0.10 because it is not the ingress interface of the ICMP packet. If you move PC 10.0.0.10 so that the ICMP packet will ingress the outside interface on ASA2 then you will be able to ping that outside interface but not the DMZ interface...
Hope I explained that well enough?
--
Please remember to select a correct answer and rate helpful posts
06-08-2014 03:05 PM
Mahesh,
As Marius and Kazim noted, one cannot generally ping an ASA interface other than the one via which the packet was received.
I'd say that's the bottom-line root cause of your initial observation. Thus the answer to your question "is this default behavior?" is "yes, it is".
You introduced a good bit of artificial complexity with your single-switch configuration having physical connections (Layer 1), VLANs (Layer 2) and IP interfaces (Layer 3) connected physically and logically to ASA2, as well as with the static route you have on ASA1.
06-08-2014 03:36 PM
Hi Marvin,
I was trying to understand the firewall world, so I was testing these things at home. This helps me in my job, where I work extensively on firewalls.
Now i understand things better after getting replies from you.
Best regards
Mahesh
06-08-2014 03:37 PM
Hi Marius,
You explained it to me very well.
Many thanks
Mahesh