05-08-2013 10:47 AM - edited 03-11-2019 06:40 PM
Hello -
I have a remote ASA with four subinterfaces configured. All four subnets participate in a site-to-site VPN tunnel back to corporate. Currently I'm unable to ping the MGMT subinterface, although I have configured ICMP inspection as well as management-access. Running a debug on ICMP trace shows that, while I am trying to ping 10.33.2.1, the request comes across the debug as 10.33.0.1 (Data_VLAN subinterface).
Any ideas where I'm going wrong??
ASA Version 8.3(1)
!
hostname VA-4500-ASA-LAN-5505-1
domain-name xxxxxxxx.com
enable password <removed>
passwd <removed>
no names
!
interface Vlan2
 nameif Data_VLAN
 security-level 100
 ip address 10.33.0.1 255.255.255.0
!
interface Vlan6
 nameif Voice_VLAN
 security-level 100
 ip address 10.33.1.1 255.255.255.0
!
interface Vlan10
 nameif MGMT_VLAN
 security-level 100
 ip address 10.33.2.1 255.255.255.0
!
interface Vlan56
 nameif Video_VLAN
 security-level 100
 ip address 10.33.3.1 255.255.255.0
!
interface Vlan99
 nameif Outside
 security-level 0
 ip address xxxxxxxx 255.255.255.252
!
interface Ethernet0/0
 description Connected to Internet Router
 switchport access vlan 99
!
interface Ethernet0/1
 description Connected to 2960 Switch
 switchport trunk allowed vlan 2,6,10,56
 switchport trunk native vlan 10
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
!
ftp mode passive
clock timezone EST -5
clock summer-time DST recurring
dns domain-lookup MGMT_VLAN
dns server-group DefaultDNS
 retries 3
 timeout 5
 name-server 10.0.204.10
 name-server 10.100.204.10
 domain-name xxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Data_VLAN
 subnet 10.33.0.0 255.255.255.0
object network Voice_VLAN
 subnet 10.33.1.0 255.255.255.0
object network MGMT_VLAN
 subnet 10.33.2.0 255.255.255.0
object network Video_VLAN
 subnet 10.33.3.0 255.255.255.0
access-list netflow-export extended permit ip any any
access-list Outside_Cryptomap_1 extended permit ip 10.33.0.0 255.255.255.0 any
access-list Outside_Cryptomap_1 extended permit ip 10.33.1.0 255.255.255.0 any
access-list Outside_Cryptomap_1 extended permit ip 10.33.2.0 255.255.255.0 any
access-list Outside_Cryptomap_1 extended permit ip 10.33.3.0 255.255.255.0 any
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging buffered debugging
logging trap notifications
logging asdm notifications
logging host MGMT_VLAN 10.0.8.11
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu Data_VLAN 1500
mtu Voice_VLAN 1500
mtu MGMT_VLAN 1500
mtu Video_VLAN 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Data_VLAN,any) source static Data_VLAN Data_VLAN
nat (Voice_VLAN,any) source static Voice_VLAN Voice_VLAN
nat (Video_VLAN,any) source static Video_VLAN Video_VLAN
nat (MGMT_VLAN,any) source static MGMT_VLAN MGMT_VLAN
route Outside 0.0.0.0 0.0.0.0 50.199.31.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS protocol tacacs+
aaa-server ACS (MGMT_VLAN) host 10.0.8.250
 timeout 5
 key xxxxxxxx
aaa-server ACS (MGMT_VLAN) host 10.39.157.165
 timeout 5
 key xxxxxxxx
aaa authentication enable console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
http server enable
http xxxxxxxx 255.255.255.0 Outside
http xxxxxxxx 255.255.255.0 Outside
http xxxxxxxx 255.255.255.192 Outside
http 10.0.0.0 255.0.0.0 MGMT_VLAN
http redirect MGMT_VLAN 80
http redirect Outside 80
snmp-server host MGMT_VLAN 10.0.8.11 community ***** version 2c
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_Map 1 match address Outside_Cryptomap_1
crypto map Outside_Map 1 set peer 192.64.157.61
crypto map Outside_Map 1 set transform-set ESP-AES-128-SHA
crypto map Outside_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 Data_VLAN
ssh 10.0.0.0 255.0.0.0 MGMT_VLAN
ssh 0.0.0.0 0.0.0.0 MGMT_VLAN
ssh xxxxxxxx 255.255.255.0 Outside
ssh xxxxxxxx 255.255.255.0 Outside
ssh xxxxxxxx 255.255.255.192 Outside
ssh timeout 5
ssh version 2
console timeout 0
management-access MGMT_VLAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.4.21 prefer
tftp-server MGMT_VLAN 10.0.81.160 VA-4500-ASA-LAN-5505-1_Config
webvpn
username cisco password <removed> privilege 15
tunnel-group xxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxx ipsec-attributes
 pre-shared-key *****
!
class-map netflow-export-class
 match access-list netflow-export
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map netflow-policy
 class netflow-export-class
 class class-default
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect icmp
 class class-default
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4fef1b392d267ef2da40dca56aad1687
: end
05-08-2013 11:51 AM
Hello Darren,
"while I am trying to ping 10.33.2.1, the request comes across the debug as 10.33.0.1 (Data_VLAN subinterface)"
Do you mean that you see the destination being 10.33.0.1, or the source of the ICMP packet being 10.33.0.1?
Regards
05-09-2013 09:14 AM
Hello -
I've performed a debug on ICMP traffic, and here's what I'm seeing from two different stations trying to ping 10.33.2.1. It's interesting as it lists the destination as the Data_VLAN subinterface (10.33.0.1).
ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3947 len=23
ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=14 len=32
ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3959 len=23
ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=15 len=32
Definitely a weird one!!
Darren
05-09-2013 09:45 AM
Hello Darren,
Can you change the "any" keyword on the nat statements to be as specific as possible?
Instead of "any", use the right output interface.
Let me know when you do the changes
05-09-2013 10:58 AM
I've updated the NAT translations to the following, with the same result...
nat (MGMT_VLAN,Outside) source static MGMT_VLAN MGMT_VLAN
nat (Data_VLAN,Outside) source static Data_VLAN Data_VLAN
nat (Voice_VLAN,Outside) source static Voice_VLAN Voice_VLAN
nat (Video_VLAN,Outside) source static Video_VLAN Video_VLAN
Thanks
Darren
05-09-2013 12:22 PM
Hello Darren,
What happens if you do
ping MGMT_VLAN 10.0.8.11
Also can you get as many logs as possible from the ICMP session??
Have you cleared the xlate table after the changes?
Let me know
05-09-2013 12:41 PM
Interestingly enough, if you source the ping from the MGMT_VLAN subinterface, it will work properly. I have cleared the XLATE and CONN table after making the NAT changes to no avail.
Here's the output from an ICMP debug. Note that I am trying to ping 10.33.2.1 from 10.0.8.11 and 10.0.81.160.
ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3947 len=23
ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=14 len=32
ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3959 len=23
ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=15 len=32
05-09-2013 12:49 PM
Hello Darren,
Okay... I would like to see the logs now, not the debugs.
I will wait for them.
Regards
05-09-2013 01:15 PM
Below are the logs - thanks
VA-4500-ASA-LAN-5505-1# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 285166 messages logged
Trap logging: level notifications, facility 20, 1736 messages logged
Logging to MGMT_VLAN 10.0.8.11
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level notifications, 2191 messages logged
May 09 2013 09:28:05: %ASA-5-111008: User 'droback' executed the 'clear logging buffer' command.
May 09 2013 09:28:05: %ASA-5-111010: User 'droback', running 'CLI' from IP 192.64.157.42, executed 'clear logging buffer'
May 09 2013 09:28:07: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02
May 09 2013 09:28:07: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
May 09 2013 09:28:08: %ASA-7-609001: Built local-host Outside:192.175.48.42
May 09 2013 09:28:10: %ASA-7-609001: Built local-host Outside:10.0.81.160
May 09 2013 09:28:10: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:12: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02
May 09 2013 09:28:12: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
May 09 2013 09:28:14: %ASA-7-111009: User 'droback' executed cmd: show logging
May 09 2013 09:28:15: %ASA-7-609001: Built local-host Outside:10.0.81.160
May 09 2013 09:28:15: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:17: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02
May 09 2013 09:28:17: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
May 09 2013 09:28:20: %ASA-7-609001: Built local-host Outside:10.0.81.160
May 09 2013 09:28:20: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:20: %ASA-7-609001: Built local-host Outside:192.175.48.6
May 09 2013 09:28:22: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02
May 09 2013 09:28:22: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
May 09 2013 09:28:22: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:24: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
May 09 2013 09:28:24: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:24: %ASA-7-111009: User 'droback' executed cmd: show logging
May 09 2013 09:28:25: %ASA-7-609001: Built local-host Outside:10.0.81.160
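Added example (not part of the thread): a small parser that reads the two kinds of output posted above, the "ICMP echo request from X to Y" debug lines and the %ASA-7-609001/609002 local-host syslog messages, and reports every pinging host whose echo requests reached the firewall with a destination other than the one intended (10.33.2.1 here). The sample input is constructed from the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the debug output quoted in the thread.
DEBUG_LINES = """\
ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3947 len=23
ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=14 len=32
ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3959 len=23
ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=15 len=32
"""

# Constructed sample input, copied from the 'sh log' output quoted in the thread.
SYSLOG_LINES = """\
May 09 2013 09:28:10: %ASA-7-609001: Built local-host Outside:10.0.81.160
May 09 2013 09:28:10: %ASA-7-609001: Built local-host identity:10.33.0.1
May 09 2013 09:28:12: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02
May 09 2013 09:28:12: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02
"""

DEBUG_RE = re.compile(r"ICMP echo request from (\S+) to (\S+) ID=(\d+) seq=(\d+)")
LOCAL_HOST_RE = re.compile(r"%ASA-7-6090(01|02): (?:Built|Teardown) local-host (\w+):(\S+)")


def debug_destinations(text):
    """Map each pinging host to the set of destinations the ASA actually saw."""
    seen = defaultdict(set)
    for m in DEBUG_RE.finditer(text):
        src, dst = m.group(1), m.group(2)
        seen[src].add(dst)
    return dict(seen)


def identity_hosts(text):
    """Addresses the ASA treated as its own ('identity' interface) when
    building a local-host entry (message 609001)."""
    return sorted({m.group(3) for m in LOCAL_HOST_RE.finditer(text)
                   if m.group(1) == "01" and m.group(2) == "identity"})


def find_mismatches(debug_text, intended_dst):
    """Return (src, observed_dst) pairs whose observed destination differs
    from the address the operator meant to ping."""
    out = []
    for src, dsts in sorted(debug_destinations(debug_text).items()):
        for dst in sorted(dsts):
            if dst != intended_dst:
                out.append((src, dst))
    return out


if __name__ == "__main__":
    print("identity addresses:", identity_hosts(SYSLOG_LINES))
    for src, dst in find_mismatches(DEBUG_LINES, "10.33.2.1"):
        print(f"{src} meant 10.33.2.1 but the ASA saw {dst}")
```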
05-09-2013 09:13 PM
Hello Darren,
Please check your inbox,
I will analyze the logs
Regards