Routing traffic between outside and inside interface on ASA

Damir Reic
Level 1

Hello,

I have an ASA 5525-X and I am trying to route traffic between the outside and inside interfaces; in essence I want it to behave like a router. So on the public interface I have 10.47.0.2, which connects to some other private IPs, and on the internal interfaces I have 2 more subnets, 10.44.0.0/16 and 10.43.0.0/16. When traffic goes out from these 2 inside subnets everything is OK, but when I ping something from the subnets above 10.47.0.2 the ASA outside interface is not letting me in. I've configured security level 100 on all interfaces. What am I missing here (ACLs that should allow this are in place)?

EDIT:

Looks like traffic goes fine but I can't ping interfaces for some reason. Any tips?

EDIT:

Tried capturing traffic on the interface; I don't even see it coming, but if I want to ping something behind 10.44 it pings OK and I see traffic on the interface. That is odd.



Jouni Forss
VIP Alumni

Hi,

We can only guess if we don't see any of the configurations on the ASA.

Usually if you start configuring interfaces with identical "security-level" values and want to pass traffic between them you need to configure "same-security-traffic permit inter-interface", though since you say the ICMP works from internal to external you seem to have configured it already.

Now personally I am interested in the current NAT configurations. Are you perhaps doing a Dynamic PAT for the internal networks and the PAT IP address is the external interface's IP address? This would explain why the internal host would be able to connect to external networks. Also if this is the case and you try to connect to the internal networks directly with their local IP addresses from the external network, then this will mean that the ASA drops the traffic because of the Dynamic PAT configuration. Typically you would either have no NAT configured or a NAT0 configured for the specific traffic if the Dynamic PAT is needed for other purposes.

You also say that you have taken a capture on the interface. I presume on the external interface, and you say you don't see anything in the capture? If you are targeting the local IP addresses, are you sure that the external gateway router has a route for the internal networks pointing towards the ASA?

Also the last statement confuses me. You mention the other internal network and say that it works and you can see the traffic? I am not really sure where you are pinging from.

We would really need to get a picture of the setup and see some configurations. But I presume that the problem is possibly routing/NAT related.

With regards to ICMP traffic to the ASA interfaces: if you have not configured/changed any "icmp" commands then by default the ASA interface should reply to ICMP. Do remember that you can only ICMP the interface behind which the host is. So internal hosts can ICMP the internal interface and external users the external interface. You can't ICMP "past" the ASA to the other side's interface.

- Jouni

Hi Jouni,

I already have the same-security-traffic permit inter-interface command in my config. The ASA is the bottom firewall in a 3-tier network design and there is a firewall above it which does NAT, so currently I am not doing any NAT on the ASA and I don't want to.

I'll try to draw it :)

                  -------------------------------
                      Palo Alto
                  -------------------------------

                                 |
                                 |
                    ------------------------------
                               L3 sw
                    -------------------------------
                                 |
                                 |
                   --------------------------------
                                ASA
                   -------------------------------

                           |           |             |
                                 Few VLANs, host network

So from a host connected to the L3 switch (DMZ VLAN) I CAN'T ping the outside interface of the ASA, but if I ping it from the Palo Alto or the L3 switch it responds. I also CAN'T ping internal ASA interfaces from the "outside" part of the ASA - no response, but if I want to ping some hosts on the internal side of the ASA I get a reply anywhere I tried to ping it from. NAT is only done on the Palo Alto.

With this current setup everything works except this ping on the ASA interface, and I can live without it but I want to know why it is not working.

Thanks!

Hi,

You can list the interface-specific ICMP settings with the following command:

show run icmp

By default the ASA should reply to the ICMP Echos on the interfaces if you have not changed the settings.

Since the "outside" interface replies to ICMP from the L3 switch and Palo Alto device BUT NOT the DMZ host, I would go through any possible routing-related configurations on the devices involved and also confirm that the actual DMZ host is configured with a default gateway so that it can reach the ASA (I presume it has a gateway set since it would be able to connect anywhere outside its network otherwise). I would also confirm that the port/VLAN to which the DMZ host is connected on the L3 switch does not have any ACL that might prevent the ICMP.

As I mentioned in the above reply, notice that if you send ICMP from a host behind the "outside" interface to the ASA "inside" interface then this will ALWAYS FAIL. The ASA simply does not allow you to ICMP an interface through another interface.

So in short, hosts behind "outside" can ICMP the "outside" interface of the ASA and hosts behind "inside" can ICMP the "inside" interface.

Hope this helps :)

- Jouni

Hi Jouni,

I found that this is by design:

https://supportforums.cisco.com/discussion/11708986/should-inside-host-be-able-ping-asa-dmz-interface-ip

Although I have a new problem... I have a management VLAN configured on one ASA interface without the management-only command on the interface. I have a few other VLANs on that ASA. I can ping hosts inside the management VLAN from outside of it, but I can't ping hosts from the management VLAN to other VLANs on the ASA. I have access lists allowing ip any any on every VLAN and it looks like it doesn't help. Even if I try to access network shares, same thing.

Only thing I see inside syslog is this:

6 Jul 22 2014 16:45:02 10.44.7.251 1 10.43.4.21 0 Teardown ICMP connection for faddr 10.44.7.251/1 gaddr 10.43.4.21/0 laddr 10.43.4.21/0

6 Jul 22 2014 16:45:00 10.44.7.251 1 10.43.4.21 0 Built inbound ICMP connection for faddr 10.44.7.251/1 gaddr 10.43.4.21/0 laddr 10.43.4.21/0

This matches the 2-second ICMP timeout that I have configured. Access lists are 100% not blocking the traffic.

Also, by default I don't need outgoing access-lists since by default all outgoing traffic is permitted?

Thanks
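As an added example (not part of the thread), here is a small Python script that parses the two ASDM-style syslog lines quoted in the post above, pairs each Built/Teardown ICMP connection by flow and reports whether the entry lived until the configured ICMP timeout; the timeout is assumed to be the 2-second value the poster mentions.

```python
import re
from datetime import datetime

# The two ASDM-style syslog lines quoted in the post above, embedded here as sample
# input (fields: severity, timestamp, src, sport, dst, dport, message).
SAMPLE_LOG = """\
6 Jul 22 2014 16:45:02 10.44.7.251 1 10.43.4.21 0 Teardown ICMP connection for faddr 10.44.7.251/1 gaddr 10.43.4.21/0 laddr 10.43.4.21/0
6 Jul 22 2014 16:45:00 10.44.7.251 1 10.43.4.21 0 Built inbound ICMP connection for faddr 10.44.7.251/1 gaddr 10.43.4.21/0 laddr 10.43.4.21/0
"""

LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"\S+\s+\d+\s+\S+\s+\d+\s+"                      # src sport dst dport
    r"(?P<event>Built|Teardown)\b.*?ICMP connection for "
    r"faddr (?P<faddr>\S+) gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+)$"
)


def parse_icmp_events(log_text):
    """Return (timestamp, event, faddr, laddr) for every ICMP Built/Teardown line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["event"], m["faddr"], m["laddr"]))
    return events


def icmp_lifetimes(log_text, timeout_s=2):
    """Pair each Built with its Teardown per (faddr, laddr) flow and return
    {(faddr, laddr): (lifetime_seconds, reached_timeout)}.
    timeout_s is the ASA 'timeout icmp' value (assumed 2 s, as the poster says).
    Events are sorted by time first because ASDM lists the newest line first."""
    open_flows, lifetimes = {}, {}
    for ts, event, faddr, laddr in sorted(parse_icmp_events(log_text)):
        key = (faddr, laddr)
        if event == "Built":
            open_flows[key] = ts
        elif key in open_flows:
            life = (ts - open_flows.pop(key)).total_seconds()
            lifetimes[key] = (life, life >= timeout_s)
    return lifetimes


if __name__ == "__main__":
    for (faddr, laddr), (life, hit) in icmp_lifetimes(SAMPLE_LOG).items():
        verdict = "lived until icmp timeout, check for a reply" if hit else "closed early"
        print(f"{faddr} -> {laddr}: {life:.0f}s ({verdict})")
```

A flow that lives the full timeout only tells you the ASA never closed it early; as the next reply in the thread suggests, a capture on the interface is what shows whether the destination host replied at all.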

OK, my fail on this one, Windows firewall was ON :D.

Looks like I'll have to live without ICMP between interface IPs.

Hi,

Good to hear that it was sorted out. It's not that uncommon that some problems posted here on the forums might not even be related to the actual firewall. It might be the host that is blocking the connections. In those situations I tend to either test connections with some TCP-based service or even take a capture on some ASA interface to see if there is any reply from the destination host.

You can also use the "ping tcp" command on your ASA, which lets you test if a certain TCP port replies from a destination host. You can also define the source for that ping.

Please do remember to mark a reply as the correct answer if it has answered your question and/or rate helpful answers. :)

- Jouni
