unable to ping outside interface of ASA

mudasir05
Level 1

Hello All,

I built a small GNS lab; all my internal devices are pinging well on the same subnet, however when I try to reach another subnet via the ASA it gives me an ICMP unreachable message.

As per the attached topology I am unable to reach the outside interface of the ASA from R1.

 

Any help would be appreciated.

 

2 Accepted Solutions

Hi,

 

You seem to have the ICMP Inspection configured so that's fine.

I am not sure what this "route" configuration's purpose is:

 

route outside 10.10.10.2 255.255.255.255 192.168.1.1 1

 

You can remove this from the configuration

 

You seem to have configured a Static NAT for some internal host. Is this Static NAT for the R1?

static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255

 

This does a NAT for some internal IP address and uses a NAT IP address that belongs to the "outside" interface subnet. This should mean that at least this internal host should be able to reach the ISP Router R5 IP address without needing any additional routing configurations on the ISP Router.

 

So is the IP address 192.168.2.10 the IP address of the R1? Or as you say the PCs.

 

- Jouni

 


Hi,

 

The main problems here are these things:

You have configured the subnet 10.10.10.0/30 between the ASA and the ISP R5. This means the subnet contains the addresses between 10.10.10.0 - 10.10.10.3. Of these addresses 10.10.10.0 and 10.10.10.3 are not used as they are the subnet and broadcast addresses. IP address 10.10.10.1 is configured on the ASA interface and IP address 10.10.10.2 is configured on the ISP R5.

 

On the ASA you have configured the following Static NAT

 

static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255

 

This basically tells the ASA to translate the internal IP address 192.168.2.10 to the external IP address 10.10.10.2. This does not make sense as IP address 10.10.10.2 is configured on the ISP R5. The IP address is used both on the ASA and on the ISP R5 and this naturally cannot work.

I would therefore suggest that you change the subnet mask on the ASA and ISP R5 to /24 (255.255.255.0) and remove the existing Static NAT and replace it with this, for example:

 

static (inside,outside) 10.10.10.10 192.168.2.10 netmask 255.255.255.255

 

Then you could try to ping 10.10.10.2 from R1.

 

- Jouni

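To make the addressing point of the accepted answer concrete (the /30 holding only .1 and .2, and the static NAT mapping R1 onto the address R5 already uses), here is an added Python checker. It is not code from this thread or from Cisco: it parses the interface and `static (inside,outside)` lines from a config text constructed inline from the thread's own settings, and reports why the mapped address collides on the /30 link but not after the suggested /24 mask and `10.10.10.10` mapped address. The neighbour list `PEERS` and the function names are assumptions of this example.

```python
"""Added example (not from this thread or from Cisco): sanity-check the
mapped address of ASA 8.0-style 'static (inside,outside)' entries against
the mapped-side interface subnet and known neighbour addresses."""
import ipaddress
import re

# Constructed "before" config, built from the settings discussed in the
# thread: a /30 outside link and a static NAT whose mapped address is
# the ISP router R5's own address.
BEFORE = """\
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.252
!
static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255
"""

# Constructed "after" config: /24 on the link and an unused mapped address,
# as suggested in the accepted answer.
AFTER = BEFORE.replace("255.255.255.252", "255.255.255.0").replace(
    "static (inside,outside) 10.10.10.2 ", "static (inside,outside) 10.10.10.10 ")

# R5's address on the shared link (an assumed input to the checker).
PEERS = ["10.10.10.2"]

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)", re.M)


def parse_interfaces(config):
    """Map each nameif to its ip_interface (address plus mask)."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name, addr = None, None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
        if name and addr:
            ifaces[name] = addr
    return ifaces


def check_statics(config, peer_addresses=()):
    """Return [(mapped_ip, problem)] for statics whose mapped address
    collides with the mapped-side subnet, the ASA itself or a neighbour."""
    ifaces = parse_interfaces(config)
    peers = {ipaddress.ip_address(p) for p in peer_addresses}
    findings = []
    for m in STATIC_RE.finditer(config):
        mapped = ipaddress.ip_address(m["mapped"])
        iface = ifaces.get(m["mapped_if"])
        if iface is None:
            findings.append((str(mapped), f"unknown interface {m['mapped_if']}"))
            continue
        net = iface.network
        if mapped not in net:
            findings.append((str(mapped), f"not inside {net} on {m['mapped_if']}"))
        elif mapped == iface.ip:
            findings.append((str(mapped), "is the ASA's own interface address"))
        elif mapped in (net.network_address, net.broadcast_address):
            findings.append((str(mapped), "is the network or broadcast address"))
        elif mapped in peers:
            findings.append((str(mapped), "is already used by a neighbour"))
    return findings


def free_addresses(config, ifname, peer_addresses=()):
    """Host addresses on ifname's subnet not used by the ASA or a neighbour."""
    iface = parse_interfaces(config)[ifname]
    used = {iface.ip} | {ipaddress.ip_address(p) for p in peer_addresses}
    return [str(h) for h in iface.network.hosts() if h not in used]


if __name__ == "__main__":
    for label, cfg in (("before (/30)", BEFORE), ("after (/24)", AFTER)):
        print(label, "problems:", check_statics(cfg, PEERS) or "none",
              "| free outside addresses:", len(free_addresses(cfg, "outside", PEERS)))
```

Run as-is it reports the neighbour collision for the /30 config with zero free outside addresses, and no problems for the /24 config; the same checks catch a mapped address equal to the ASA's own interface IP or to the subnet's network/broadcast address, which the accepted answer lists as the other unusable addresses on the link.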

30 Replies

Jouni Forss
VIP Alumni

Hi,

 

Which side of the ASA is the "outside"? Which ASA interface's IP address are you trying to ping?

Notice that the user/device has to be behind the interface which it tries to ping to be able to get a reply. You cannot ping the ASA interface IP address if you are doing the ping from behind a different ASA interface.

So in your case, if for example the "outside" interface is the "e1", then you cannot ping it from R1. Only from R5, as it's behind that ASA interface.

 

If the device is behind the correct interface then by default the ASA should reply to the ICMP to my understanding. You can always add the command

 

icmp permit any outside

 

This would allow all ICMP on the interface. In an actual network environment the above command would probably not be ideal to use.

 

Also you should make sure that the ASA and all the Routers in between have the necessary routing information so that the ICMP can go through.

 

Hope this helps :)

 

PS. Did you manage to solve the problems related to ASDM in your other post?

Thanks Jouni for the reply,

Yes, e1 is the outside interface of the ASA.

In my topology R1 is a user PC which is trying to reach the outside network, i.e. R5.

How can I allow R1 to reach R5 if, as per you, it's not possible?

P.S. Well, for the ASDM issue I have to go to my other office... will definitely let you know.

Thanks for your help

Hi,

 

Ok, if "e1" is the "outside" then no device behind the "e0" interface will be able to ping the "outside" interface. The only limiting factor here is simply the thing I mentioned. The device/host doing the ping must be located behind the interface that it's trying to ping.

 

To allow ICMP from R1 to R5 should not require much (if any) configurations on the ASA other than the normal interface settings.

 

It's hard for me to say what the problem might be if you cannot ICMP from the R1 to R5 without seeing the configurations. I would suggest checking routing first. Make sure that R1 has a route for the IP address on R5 that you are trying to ping. This might use a default route unless your lab simply uses specific static routes. Similarly you should check on R5 that it has the route towards the R1 address where the ping is coming from. Notice that the devices use the closest interface towards the destination IP address as the source for the ping, so that is the address for which you should check routes in between and at the destination device.

 

After going through the routing then there is naturally the big question with the ASA configurations.

 

Does it use interface ACLs that could block the traffic? If no ACLs are in use on the ASA interfaces then the "security-level" determines which direction connections can be initiated. Users behind the interface with the higher "security-level" can connect to any destination behind any lower "security-level" interface. As I said, if ACLs are in use on the interfaces then the "security-level" does not matter but traffic has to be allowed in the interface ACL instead.

Is the ASA doing NAT between its interfaces? This could affect the possibility to connect between the Routers. If there are any Dynamic PAT configurations between the ASA interfaces then it means that connections can be initiated only from one end. (As Dynamic translations don't enable bidirectional connection initiation.)

 

 

Do you have "inspect icmp" and "inspect icmp error" configured under the "policy-map" configurations?

 

You can use the following command to check if those are enabled

 

show run policy-map

 

If you cannot see the "inspect icmp" configurations there you should add them there. Go to the right configuration mode (under which the existing "inspect" commands are located) and enter the commands.

 

Above are some things to check.

 

Hope I made any sense and hope it helps :)

 

- Jouni

Thanks for your help,

In my scenario R1 is a PC with no IP routing configured, and I am considering R5 as the ISP router, on which I have only assigned an IP address on the interface facing towards the ASA, assuming I am not having any privilege on R5. What I am trying to achieve is how a user at R1 reaches the ISP router.

I have static routing configured on every device.

Kindly find the ASA config below:

ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit icmp any host 10.10.10.2 echo
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255
access-group 101 in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.1.2 1
route outside 10.10.10.2 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:840e8d7a27f16c9094388b697a7894fb
: end

 

Let me know if you need any other device config.

 

Thanks

 

Hi,

 

You seem to have the ICMP Inspection configured so that's fine.

I am not sure what this "route" configuration's purpose is:

 

route outside 10.10.10.2 255.255.255.255 192.168.1.1 1

 

You can remove this from the configuration

 

You seem to have configured a Static NAT for some internal host. Is this Static NAT for the R1?

static (inside,outside) 10.10.10.2 192.168.2.10 netmask 255.255.255.255

 

This does a NAT for some internal IP address and uses a NAT IP address that belongs to the "outside" interface subnet. This should mean that at least this internal host should be able to reach the ISP Router R5 IP address without needing any additional routing configurations on the ISP Router.

 

So is the IP address 192.168.2.10 the IP address of the R1? Or as you say the PCs.

 

- Jouni


Thanks Jouni for the reply; though your every reply is correct, I clicked the correct answer too early. Anyway,

as per your suggestion I removed the route outside command.

You are right, 192.168.2.10 is the IP address of R1 (PC) and the static NAT's purpose was to allow this host to reach the ISP router, i.e. R5.

I am still not able to reach R5:

R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

 

Thanks

Hi,

 

Seems to me to be a routing problem still. As I suggested before, go through all the devices and on each device make sure that there is always a route for the source address of the ping and the destination address of the ping.

 

Seems like you are missing a route somewhere. Make sure that there are no typos in the static routes for example.

 

- Jouni

Please find the routing table of each device:

L3 switch:

===

L3switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

C    192.168.2.0/24 is directly connected, Vlan2
S*   0.0.0.0/0 [1/0] via 192.168.2.1

 

R4 Router:

===

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
S       10.10.10.0 [1/0] via 192.168.1.1
C    192.168.1.0/24 is directly connected, Ethernet1/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0

 

ASA:

====

ciscoasa# SH ROUte

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

C    10.10.10.0 255.255.255.252 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.2, inside

====

As I told you earlier, I have not done any sort of configuration on the ISP router (R5); let me know if something needs to be done on that as well.

 

Thanks

Hi,

 

The ASA has the required routes, even though the default route pointing to the internal network is not typical, but then again this is a lab network.

 

R4 connected to ASA seems to have the routes also and it has the subnet 192.168.2.0/24 directly connected.

 

Now my confusion is with the fact that the topology picture lists 2x L3 switches. Are we missing one L3 switch's configuration? Is the missing device also missing the required routing information?

It seems to me that the R4 is already directly connected to the subnet 192.168.2.0/24 and therefore there should not be devices routing between R1 and R4. I mean that there should be an L2 link between R4 and R1, at least with regards to the connection from R4 port FastEthernet0/0. On the switch it seems to be Vlan ID 2? So that should go all the way from the port connected to the R4 F0/0 to the R2 port F1/0.

 

- Jouni

 

EDIT: So many typos

 

Yes, you're right, the other L3 switch which you see in the topology has been used as an L2 switch only, to bypass the VLAN information.

Your observation is right.

Now I am wondering, since R1 is able to reach the ASA but not beyond that, whether we need to configure on the ASA any static route which would allow the 192.168.2.0/24 network to reach R5.

Thanks

Hi,

 

I just now noticed that you tried to ping the IP address 10.10.10.2 from the R1. You are pinging the NAT IP address of the host where you are pinging from.

 

What is the IP address on the ISP R5? You should be pinging that IP address. Though considering that your subnet mask is /30 on the link between the ASA and R5, there do not really seem to be many free IP addresses. Could you maybe reconfigure the network mask on the ASA and R5 for their link?

 

- Jouni

 

Yes, 10.10.10.2 is the NAT address as well as the IP address of the R5 link connected to the ASA.

I reconfigured the subnet mask on both the ASA and R5 and changed it to /24.

I am still not able to ping; now I notice packet drops instead of the ICMP unreachable message.

R1#ping 10.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Hi,

 

What I meant was that pinging the NAT IP address of the R1 makes no sense.

You said you were trying to ping the R5, so in that case the IP address 10.10.10.2 has nothing to do with R5 as it's not configured there, or at least should not be, since it's configured on the ASA.

 

The IP address 10.10.10.2 is the IP address with which the R1 is visible to the ISP Router R5. So what is the IP address configured on the R5 that you should be pinging?

 

- Jouni


Now I am confused,

10.10.10.2 is the IP address configured on R5 and 10.10.10.1 is configured on the outside interface of the ASA.

Now I am not sure whether the static NAT command which I have configured is correct or not.

R5#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.10.10.2      YES manual up                    up

 

======

ciscoasa# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.1.1     YES manual up                    up
Ethernet0/1                10.10.10.1      YES manual up                    up

I am trying to ping from R1 to Ethernet0/0 of R5.

Thanks
