07-15-2011 05:59 AM - edited 03-11-2019 01:59 PM
I don't know what's going on. I can't ping or access any internal host with the IP 10.1.1.X. If I ping from the inside interface, it works. If I ping from the outside interface, it doesn't work. What's the deal? That network works anywhere internally but not past the ASA.
External router (10.15.81.1) ---- [outside 10.15.81.10] ASA [inside 10.10.81.9] ---- Internal router (10.10.81.1) ---- Remote router (10.10.81.254) ---- 10.1.1.1
ciscoasa# ping inside 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping outside 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#
ciscoasa# show run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.15.81.10 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.81.9 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.13.81.198 255.255.255.0
management-only
!
ftp mode passive
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.10.81.127 eq https
access-list outside_access_in extended permit tcp 10.10.2.0 255.255.255.0 any
access-list outside_access_in extended permit tcp 10.10.1.0 255.255.255.0 host 10.10.81.1
access-list outside_access_in extended permit ip host 10.10.1.29 host 10.10.106.2
access-list outside_access_in extended permit ip host 10.10.1.29 any
access-list outside_access_in extended permit ip host 10.10.1.27 host 10.10.81.115
access-list outside_access_in extended permit tcp any host 10.10.81.15 eq 3389
access-list outside_access_in extended permit ip any host 10.10.81.141
access-list outside_access_in extended permit ip 10.10.1.0 255.255.255.0 host 10.10.81.118
access-list outside_access_in extended permit ip 10.81.15.0 255.255.255.0 any
access-list gesupport extended permit ip 192.168.190.8 255.255.255.252 193.37.92.240 255.255.255.252
access-list natge1 extended permit ip host 10.10.81.99 193.37.92.240 255.255.255.252
access-list natge2 extended permit ip host 10.10.81.109 193.37.92.240 255.255.255.252
access-list inside_nat0_outbound extended permit ip 10.10.81.0 255.255.255.0 10.10.106.0 255.255.255.0
access-list outside_cryptomap_120 extended permit ip 10.10.81.0 255.255.255.0 10.10.106.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 10.10.81.127 10.10.81.127 netmask 255.255.255.255
static (inside,outside) 10.10.81.144 10.10.81.144 netmask 255.255.255.255
static (inside,outside) 10.10.81.118 10.10.81.118 netmask 255.255.255.255
static (inside,outside) 10.10.81.1 10.10.81.1 netmask 255.255.255.255
static (inside,outside) 10.10.81.149 10.10.81.149 netmask 255.255.255.255
static (inside,outside) 10.10.81.152 10.10.81.152 netmask 255.255.255.255
static (inside,outside) 10.10.81.195 10.10.81.195 netmask 255.255.255.255
static (inside,outside) 192.168.190.9 access-list natge1
static (inside,outside) 192.168.190.10 access-list natge2
static (inside,outside) 10.10.106.2 10.10.106.2 netmask 255.255.255.255
static (inside,outside) 10.10.106.103 10.10.106.103 netmask 255.255.255.255
static (inside,outside) 10.10.81.15 10.10.81.15 netmask 255.255.255.255
static (inside,outside) 10.10.81.99 10.10.81.99 netmask 255.255.255.255
static (inside,outside) 10.10.81.115 10.10.81.115 netmask 255.255.255.255
static (inside,outside) 10.10.81.141 10.10.81.141 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.15.81.1 1
route inside 10.81.0.0 255.255.0.0 10.10.81.1 1
route inside 10.10.107.0 255.255.255.0 10.10.81.1 1
route inside 10.10.106.0 255.255.255.0 10.10.81.1 1
route inside 10.10.79.0 255.255.255.0 10.10.81.1 1
route inside 10.10.78.0 255.255.255.0 10.10.81.1 1
route inside 10.1.1.0 255.255.255.0 10.10.81.1 1
route management 0.0.0.0 0.0.0.0 10.13.81.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.81.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:0f976dddf4ec25a6ad927e9a0cbc0b48
: end
ciscoasa#
07-15-2011 06:09 AM
EXTERNALROUTER#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
EXTERNALROUTER#show ip route 10.1.1.1
Routing entry for 10.1.1.0/24
Known via "static", distance 1, metric 0
Redistributing via bgp 65001
Advertised by bgp 65001
Routing Descriptor Blocks:
* 10.15.81.10
Route metric is 0, traffic share count is 1
EXTERNALROUTER#
07-15-2011 06:21 AM
Hi Jomar,
That is the default behavior of the firewall: it will not ping from a remote interface, only from the interface to which the client machine is connected. If the 10.1.1.1 machine is statically mapped, then from the outside interface you can ping the public IP. For example:
ping outside 1.1.1.1
so don't worry everything is fine.
Thanks,
Varun
07-15-2011 06:25 AM
I have a ICMP permit any any. The network isn't accessible from anywhere past the asa. Pings to all other networks work.
I've even added an "access-list outside_access_in extended permit ip permit any 10.1.1.0 255.255.255.0" and it doesn't work.
07-15-2011 06:33 AM
Hi Jomar,
If you are doing " ping outside 10.1.1.1" it would not work.
But if you are pinging from the router, then make sure you have a nat translation for the traffic on the firewall if nat-control is enabled.
The access-list is good.
Thanks,
Varun
07-15-2011 06:42 AM
Thanks Varun.
I can't ping it from routers past the ASA. Tracert dies when it passes through the ASA. There is no NAT being used. I tried opening the network to everyone.
One thing we noticed is that the ASA had:
route inside 10.1.1.0 255.255.255.0 10.10.81.1 1
We changed it to:
route inside 10.1.1.0 255.255.255.0 10.10.81.254 1
but still not working. Also, I can't ping past the ASA from 10.1.1.1. The ASA is being mean to me.
07-15-2011 06:49 AM
Could you check if you have nat-control enabled; do "show run nat-control".
Varun
07-15-2011 06:51 AM
ciscoasa# show run nat-control
no nat-control
ciscoasa#
any other ideas?
07-15-2011 07:03 AM
Take captures on the ASA and identify why the packets are getting dropped:
https://supportforums.cisco.com/docs/DOC-17345
Varun
07-15-2011 07:17 AM
Thank you.
I just tried something. I added:
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
and it started to ping and I can telnet now.
How can I do this for all the IPs without doing a statement for every host?
07-15-2011 07:22 AM
Hi Jomar,
For the whole network, you can add :
static (inside,outside) 10.1.1.0 10.1.1.0 255.255.255.0
It should work after this.
Thanks,
Varun
07-15-2011 07:36 AM
sorry there is a netmask keyword as well.
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
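The diagnosis and the fix from this thread, as an added worked example that is not part of the original posts (the capture names cap_in/cap_out and the access-list name cap_acl are assumptions; the IPs are the ones from the posted config). On ASA 7.x the `nat (inside) 0 0.0.0.0 0.0.0.0` line in this config is plain identity NAT, which is documented to build translations only for connections initiated from the inside; a connection initiated from the outside to an inside host needs either a static (identity) translation or NAT exemption (`nat 0 access-list`, which is bidirectional). That is consistent with what was observed here: a host static made 10.1.1.1 reachable, and a /24 static covers the whole subnet. The block first confirms on which interface the packets stop, using captures that exist in 7.0(8), then applies the subnet-wide static and shows the NAT-exemption alternative using the inside_nat0_outbound list already bound in the config. One caveat: once the subnet is statically mapped, every host in 10.1.1.0/24 becomes reachable from the outside for whatever outside_access_in permits, and that list currently contains `permit icmp any any`, so tighten it to the hosts and ports that actually need exposure.

```cisco
! --- 1. Confirm where the packets die (syntax valid on ASA 7.0) ---
! Test traffic (constructed for this example): pings from the external router
! at 10.15.81.1 to the inside host 10.1.1.1, matched in both directions.
ciscoasa(config)# access-list cap_acl extended permit icmp any host 10.1.1.1
ciscoasa(config)# access-list cap_acl extended permit icmp host 10.1.1.1 any
ciscoasa(config)# exit
ciscoasa# capture cap_out access-list cap_acl interface outside
ciscoasa# capture cap_in access-list cap_acl interface inside
!
! Send the pings from the external router, then look at both captures:
ciscoasa# show capture cap_out
!   -> echo requests from 10.15.81.1 to 10.1.1.1 arrive on outside
ciscoasa# show capture cap_in
!   -> empty: nothing was forwarded to the inside interface
ciscoasa# show xlate | include 10.1.1
!   -> no translation exists for any 10.1.1.x host, so an outside-initiated
!      connection has nothing to match under identity NAT
!
! --- 2. Fix: identity static for the whole subnet (what the thread settled on) ---
ciscoasa# configure terminal
ciscoasa(config)# static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! --- Alternative with the same effect: NAT exemption, which is bidirectional.
! Extends the list already bound by "nat (inside) 0 access-list inside_nat0_outbound"
! (use one approach or the other, not both, for the same subnet):
! ciscoasa(config)# access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 any
!
! --- 3. Verify and clean up ---
ciscoasa(config)# exit
ciscoasa# show capture cap_in
!   -> echo requests now appear on inside and replies flow back to outside
ciscoasa# show xlate | include 10.1.1
!   -> the static identity entry for 10.1.1.0 is listed
ciscoasa# no capture cap_in
ciscoasa# no capture cap_out
ciscoasa# configure terminal
ciscoasa(config)# no access-list cap_acl
ciscoasa(config)# write memory
```

If the captures show the request on the inside interface but no reply coming back, the problem is on the inside path (routing on the internal or remote router, or a host firewall) rather than on the ASA; the next hop change to 10.10.81.254 mentioned earlier in the thread belongs to that category, and the captures separate the two cases.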
07-15-2011 07:52 AM
Thanks. I think that might have fixed it. I'm trying to get confirmation. Using the capture you provided, I noticed they are using nat. That's why some statements didn't work as well. I'm trying to get them to work on it.
07-15-2011 10:01 AM
Hey, that's good... let me know if you face any issues...
Thanks,
Varun