Unable to ping Internet IPs from the ASA Firewall when the Juniper SRX is behind it

Hridin C
Level 1

Hi,

Topology:

Internet ISP -> Juniper SRX 210 ge-0/0/0

Juniper fe-0/0/2 -> Cisco ASA 5505

Cisco ASA 5505 -> Internal LAN switch.

Scenario:

1. Internet is connected to Juniper ge-0/0/0 via a /30 IP.

2. Juniper fe-0/0/2 port is configured as an inet port and configured with the internal public LAN pool provided by the ISP. This port is directly connected to Cisco ASA 5505 E0/0. It's a /28 pool of IP addresses. This interface is configured as outside and its security level is set to 0.

What's working for me:

1. From the Juniper SRX, I am able to ping public Internet IPs (8.8.8.8).

Issue:

1. From the ASA I am unable to ping the public IP configured on the Juniper ge-0/0/0 port (/30).

2. From the ASA no other public Internet IP is pinging.

Troubleshooting done so far:

1. Configured ICMP inspection on the ASA.

2. Used the packet tracer on the ASA; it shows the packet is flowing outside without a drop.

3. Allowed all services for inbound traffic in the untrust zone on the Juniper SRX.

4. Viewed the logs while I was trying to ping 8.8.8.8 from the ASA. It says "Teardown ICMP connection for faddr **** gaddr ****".

5. I am attaching the screenshot of the log here.

Thank you

2 Replies

Jouni Forss
VIP Alumni

Hi,

The first thing I thought of was the "icmp permit outside" configuration.

I did double-check the command references for the 8.2 and 8.4 software regarding this command, and they do state that by default the ASA does accept all ICMP Echos to its interfaces.

I still do remember that I have frequently had to configure these permit lines to allow ICMP to work, and more specifically the echo-reply (it seems).

I'm not sure what logic the configuration follows if you add one "icmp permit" statement. Could it perhaps be somewhat similar to an ACL, where it would block all the rest as soon as you configured some specific rules to replace the default behaviour?

Does the Juniper have anything that could prevent the echo-reply? I sadly have no experience with Juniper devices.

- Jouni

Hridin C
Level 1
Level 1

All,

I have resolved the issue.

I am posting the resolution hoping it may be useful for some one.

The configuration changes were made on the Juniper box. The Juniper has 2 interfaces connected to public IPs. One is pointing to the Internet and the other one is connected to the ASA, which is connected to the LAN.

When I configured the Juniper, both these interfaces were put under the untrust zone. This was creating the problem.

On the Juniper, the internal interface connected to the ASA was put under another zone (inside_private), and I allowed all inbound traffic from untrust to "inside_private" zone and vice versa.

Now I can directly ping google.com from the ASA itself.

Thanks for the reply.

Thank you,
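The zone layout described in the resolution above, written out as a Junos configuration. This is an added example, not the poster's own configuration: it follows the topology in the thread (ge-0/0/0 towards the ISP, fe-0/0/2 towards the ASA outside interface) and the zone name inside_private from the post, while the policy names permit-outbound and permit-inbound are assumptions. Junos evaluates security policy for intra-zone transit traffic too, so with both interfaces in untrust and no untrust-to-untrust policy, traffic from the ASA had no policy that permitted it; moving the ASA-facing interface into its own zone and adding inter-zone policies is what makes the flow match. The ping system-service under host-inbound-traffic is what lets the SRX's own interface addresses (such as the /30 on ge-0/0/0) answer echo requests arriving from a given zone.

```junos
security {
    zones {
        /* ISP-facing interface on the /30; ping here lets the SRX answer
           echo requests that arrive from the Internet side */
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        /* ASA-facing interface on the /28 block, in its own zone so that
           inter-zone policy (not intra-zone) decides transit traffic;
           ping here lets the ASA reach the SRX's own addresses */
        security-zone inside_private {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                fe-0/0/2.0;
            }
        }
    }
    policies {
        /* Outbound: ASA and the LAN behind it towards the Internet
           (policy names are assumed, not from the thread) */
        from-zone inside_private to-zone untrust {
            policy permit-outbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound: the "vice versa" from the resolution; the ASA behind
           this interface remains the stateful enforcement point */
        from-zone untrust to-zone inside_private {
            policy permit-inbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After committing, `show security zones` confirms which interface sits in which zone, and `show security flow session` while pinging 8.8.8.8 from the ASA shows the session created by the inside_private-to-untrust policy; the echo-reply returns on that existing session, so outbound ping works even without the untrust-to-inside_private policy. That inbound any/any policy only matters for connections initiated from the Internet towards the /28 block, and a tighter version would match destination-address on that block alone and leave the rest to the ASA.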
