Unable to ping router's interface from ASA

kc1978
Level 1

I have an ASA that is situated behind a Cisco router, and I'm unable to ping the router's interface that is on the same subnet as the outside interface of the ASA. I can ping the router's interface from the same switch that the ASA is connected to. Wireshark on the router's switchport shows an ARP query but no reply from either the router or the ASA. Here is the config of the ASA and the router. I just want to see if someone could help in letting me know what I'm missing. Thanks

 

ASA Version 9.3(1)
!
hostname guinep1
domain-name 
enable password encrypted
names
!
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.29.4 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.45.196 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 nameif management
 security-level 100
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-net
 subnet 192.168.45.0 255.255.255.0
object network obj-192.168.45.0
 subnet 192.168.45.0 255.255.255.0
object-group network obj-inside-net
 description Inside Networks
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.25.0 255.255.255.0
 network-object 192.168.35.0 255.255.255.0
 network-object 192.168.37.0 255.255.255.0
 network-object 192.168.45.0 255.255.255.0
pager lines 23
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.29.0 255.255.255.240 outside
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 192.168.29.1 1
route inside 192.168.20.0 255.255.255.0 192.168.45.1 1
route inside 192.168.25.0 255.255.255.0 192.168.45.1 1
route inside 192.168.37.0 255.255.255.0 192.168.45.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 192.168.37.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username password  encrypted privilege 15
!
class-map class_default
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect rtsp
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:05f2fcabf2b29546da648900fbcc1cca
: end

ROUTER

router#sh run
Building configuration...

Current configuration : 6030 bytes
!
! Last configuration change at 10:49:25 EDT Wed May 27 2015 by 
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash:c3825-adventerprisek9-mz.151-4.M9.bin

interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip dhcp relay information trusted
 ip address dhcp client-id GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 no ip address
 no ip unreachables
 no ip proxy-arp
 duplex full
 speed 1000
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1.29
 encapsulation dot1Q 29
 ip address 192.168.29.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet1/0
 no ip address
 duplex full
 speed auto
!
interface FastEthernet1/0.35
 encapsulation dot1Q 35
 ip address 192.168.35.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet1/0.37
 encapsulation dot1Q 37
 ip address 192.168.37.16 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet1/0.45
 encapsulation dot1Q 45
 ip address 192.168.45.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
router eigrp 37
 network 192.168.0.0 0.0.255.255
 passive-interface GigabitEthernet0/0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static udp 192.168.29.4 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.29.4 4500 interface GigabitEthernet0/0 4500
ip nat inside source static esp 192.168.29.4 interface GigabitEthernet0/0
!
logging trap notifications
logging facility local6
logging 192.168.37.185
access-list 1 permit 192.168.29.0 0.0.0.15
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.25.0 0.0.0.255
access-list 1 permit 192.168.35.0 0.0.0.255
access-list 1 permit 192.168.37.0 0.0.0.255
access-list 1 permit 192.168.45.0 0.0.0.255
access-list 1 remark SDM_ACL Category=2
access-list 111 permit icmp host 192.168.29.1 host 192.168.29.5
access-list 111 permit icmp host 192.168.29.1 host 192.168.29.4
access-list 111 permit icmp host 192.168.35.12 host 192.168.29.1
!
router#

18 Replies

I moved the "inside" VLAN 45 off this router and put it on another router. You're correct about the EIGRP routing. There is 192.168.0.0 0.0.255.255 on the switch as well. So, if I do a "ping outside 192.168.29.1" then it should flow through the ASA outside interface and then to the router. However, this is not happening.

Is the 3750 meant to be for internal VLANs/IP subnets?

If so, I don't understand where the other router you have moved the inside interface to fits into the topology, i.e. how does it connect to the 3750?

The ARP debug suggests something has been cabled up incorrectly, i.e. have you checked the physical cables running from the ASA inside and outside interfaces and made sure they are connecting to the switch ports you think they are?

Obviously if the ASA cannot ping the router then nothing is going to work, so there are two issues here:

1) Why can't you ping the router from the ASA? This is where you need to check physical connectivity and make sure the ASA outside interface is in VLAN 29.

2) The actual traffic flow. I still don't have a clear picture of what you are trying to do overall, i.e. you have moved the inside interface to another router, but how does that router fit into the overall picture?

Sorry to keep throwing questions back at you, but it is not clear what exactly the setup is.

Jon

Here is a diagram. There is a third connection on Router 0, which is for the internet.

 

Hi Jon,

I found the reason for this issue. I'm using the Cisco ASAv and I didn't notice that Network 0 in vSphere was designated as the Management interface and I was using it as the outside interface. I just assumed that Network 0 would correspond to Gi0/0 and management would be called management.

 

Thanks again
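The thread resolves with a hypervisor wiring mistake rather than a config error, which is exactly what the symptom (ARP request seen, no reply from either side) points at. The following is an added example, not code from this thread or from Cisco: a small Python checker that first confirms the L3 facts the two pasted configs establish for the ASA outside to router Gi0/1.29 hop (same subnet, default route next hop is the router, `icmp permit` list covers the router), and then maps vSphere network-adapter order to ASAv interface names to show how the outside VLAN can land on Management0/0. The config excerpts are copied from the post; `ASSUMED_ADAPTERS` is a constructed guess at the poster's VM (port-group VLAN per vSphere adapter, in adapter order); the adapter-to-interface mapping (adapter 1 = Management0/0, adapter 2 = GigabitEthernet0/0, and so on) is taken from Cisco's ASAv VMware deployment notes and is an assumption to confirm on the box with `show interface ip brief`. All function and variable names are the example's own.

```python
"""Added example, not from the thread or from Cisco. Config excerpts are copied
from the post; ASSUMED_ADAPTERS is constructed. The ASAv adapter mapping
(adapter 1 = Management0/0, adapter 2 = GigabitEthernet0/0, ...) is assumed
from Cisco's ASAv VMware deployment notes; confirm with 'show interface ip brief'.
"""
import ipaddress
import re

ASA_CFG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.29.4 255.255.255.240
!
icmp permit 192.168.29.0 255.255.255.240 outside
route outside 0.0.0.0 0.0.0.0 192.168.29.1 1
"""

ROUTER_CFG = """\
interface GigabitEthernet0/1.29
 encapsulation dot1Q 29
 ip address 192.168.29.1 255.255.255.240
!
"""

# Constructed guess: port-group VLAN on vSphere "Network adapter 1, 2, 3".
ASSUMED_ADAPTERS = [29, 45, None]


def parse_interfaces(cfg):
    """Map interface name -> {ip, nameif} from IOS/ASA config text."""
    ifs, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifs.setdefault(m.group(1), {"ip": None, "nameif": None})
            continue
        if not line.startswith(" "):  # any unindented line ends the stanza
            cur = None
            continue
        if cur is None:
            continue
        line = line.strip()
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            cur["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
    return ifs


def check_adjacency(asa_cfg, router_cfg, nameif="outside"):
    """Return L3 findings; an empty list means the configs agree and the fault
    is below L3 (VLAN membership, cabling, hypervisor port-group wiring)."""
    findings = []
    asa = next(d for d in parse_interfaces(asa_cfg).values() if d["nameif"] == nameif)
    peers = [(n, d) for n, d in parse_interfaces(router_cfg).items()
             if d["ip"] and d["ip"].network == asa["ip"].network]
    if not peers:
        return [f"no router interface in {asa['ip'].network}"]
    rname, router = peers[0]
    # The ASA default route must point at the router's address on that subnet.
    gws = [ipaddress.IPv4Address(m.group(1)) for m in
           re.finditer(rf"^route {nameif} 0\.0\.0\.0 0\.0\.0\.0 (\S+)", asa_cfg, re.M)]
    if router["ip"].ip not in gws:
        findings.append(f"ASA default route next hop {gws} is not {rname} {router['ip'].ip}")
    # An 'icmp permit' list on an interface implicitly denies other sources of
    # ICMP terminating on the ASA, so once a list exists it must cover the router.
    permits = [ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}") for m in
               re.finditer(rf"^icmp permit (\S+) (\S+) {nameif}$", asa_cfg, re.M)]
    if permits and not any(router["ip"].ip in p for p in permits):
        findings.append(f"icmp permit list on {nameif} does not cover {router['ip'].ip}")
    return findings


def asav_interface_for_adapter(adapter_index):
    """vSphere 'Network adapter N' (1-based) -> ASAv interface name (assumed mapping)."""
    if adapter_index < 1:
        raise ValueError("vSphere adapters are numbered from 1")
    if adapter_index == 1:
        return "Management0/0"
    return f"GigabitEthernet0/{adapter_index - 2}"


def check_vnic_wiring(adapters, asa_cfg, nameif="outside", vlan=29):
    """Return (ASAv interface actually attached to `vlan`, finding or None)."""
    expected = next(n for n, d in parse_interfaces(asa_cfg).items() if d["nameif"] == nameif)
    for idx, adapter_vlan in enumerate(adapters, start=1):
        if adapter_vlan == vlan:
            actual = asav_interface_for_adapter(idx)
            if actual == expected:
                return actual, None
            return actual, (f"VLAN {vlan} is on adapter {idx} = {actual}, "
                            f"but nameif {nameif} is configured on {expected}")
    return None, f"no adapter attached to VLAN {vlan}"


if __name__ == "__main__":
    print("L3 findings:", check_adjacency(ASA_CFG, ROUTER_CFG) or "none")
    print("vNIC check:", check_vnic_wiring(ASSUMED_ADAPTERS, ASA_CFG))
```

With the poster's configs `check_adjacency` returns no findings, which is the useful result: it tells you to stop reading the config and look at what the interface is physically (or virtually) plugged into. With the constructed adapter list, `check_vnic_wiring` reports that the VLAN 29 port group is on adapter 1, which the ASAv treats as Management0/0, an interface that is `shutdown` and `management-only` in the pasted config, so it never answers the router's ARP.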
