12-11-2015 12:07 PM - edited 03-05-2019 02:55 AM
Hi
I am facing one interesting issue with an ASR9K device. Below is my topology: two different ASRs connected through an ASA.
ASR9K------->ASA---------->ASR9K
The routing between the first ASR9K and the ASA is eBGP.
The routing between the ASA and the second ASR9K is also eBGP.
Initially the routes in the ASR9K were neither advertised to nor received from their peers. However, after configuring a route policy with "pass all", the ASR9Ks started advertising and receiving routes with their peers.
Now even the far-end ASR9K routes are available in the route table (not only in the BGP table, but in the route table as well) on both ASRs;
however, if I ping from one ASR to the other, it is not reachable.
Even with traceroute it is not even reaching the first hop. However, the routes are available with the correct next hop defined, and even the next hop (which is the ASA) is reachable from either ASR.
Can you please suggest why BGP routes are not exiting the interface itself to reach the next hop from the ASR?
12-11-2015 02:36 PM
Hi,
I'm not an expert on firewalls at all.
I just have an appreciation of what they do.
You say your BGP is passing OK, so IP/TCP port 179 is good.
But ping and traceroute use ICMP.
Is ICMP allowed through?
See this link:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html
You could test with a different protocol; try telnet or SSH between the routers.
Regards
Alex
12-11-2015 06:09 PM
Hello,
If the routes exist in the ASR routing table, you only need to check the ASA policy. The ASR passes the traffic for sure. It is the ASA blocking the traffic. Make sure you have added ICMP in the global policy, and also access-lists for ICMP.
policy-map global_policy
 class inspection_default
  inspect icmp
Please share your ASA configuration if your problem still exists.
Masoud
12-12-2015 12:31 AM
Hi Masoud,
I have applied the configuration given by you and even configured a few access lists for ICMP with the same access-group number, as per the link shared by acampbell (comment below).
Nothing was working for me.
However, I had configured two security-level 0 interfaces, and it looks like that was the problem; when I changed the security level to 100 for one interface, I can reach end to end now.
Please share some ASA-related docs with the minimum, as it will be useful for those who have worked in routing and switching alone.
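To make the security-level point in this post concrete alongside the inspect icmp advice in Masoud's reply above, here is an added example ASA configuration showing the failing setup beside the corrected one; it is not from the original thread or from Cisco's documentation. Interface names, nameifs, IP addresses and the ACL name are constructed placeholders, and the same-security-traffic line at the end is a standard ASA command offered as an alternative, not something the poster used.

```cisco
! --- Before: both ASR-facing interfaces at security-level 0 ---
! The ASA does not forward traffic between two interfaces that share
! a security level unless same-security-traffic is permitted, so ICMP
! (and everything else) between the ASRs is dropped even though each
! ASR can reach the ASA's own interface and BGP to the ASA works.
interface GigabitEthernet0/0
 nameif asr1
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif asr2
 security-level 0
 ip address 198.51.100.1 255.255.255.0

! --- After: distinct security levels plus explicit ICMP handling ---
interface GigabitEthernet0/0
 nameif asr1
 security-level 100
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif asr2
 security-level 0
 ip address 198.51.100.1 255.255.255.0

! ICMP inspection tracks echo request/reply as a session, so replies
! from the low-security side return without a separate ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! Pings initiated from the low-security side (asr2) toward asr1 still
! need an inbound ACL; this permits only ICMP between the two subnets.
access-list asr2_in extended permit icmp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0
access-group asr2_in in interface asr2

! Alternative if both interfaces must stay at the same security level:
! same-security-traffic permit inter-interface
```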
12-12-2015 06:48 AM
Hello,
Some basic configurations:
http://www.firewall.cx/forums/10-firewall-filtering-idsips-a-security/32041-howto-basic-asa-5505-configuration.html
http://www.soundtraining.net/i-t-tutorials/cisco-tutorials/41-cisco-asa-security-appliance-eight-basic-commands
http://www.routerfreak.com/basic-configuration-tutorial-for-the-cisco-asa-5505-firewall/
Masoud
01-19-2016 11:15 PM
Hi Masoud
I am again facing the same issue with a different ASA now.
Traffic from the Inside towards the Outside interface is not working properly.
1. If I ping from the LAN device to the Inside interface of the ASA (locally connected), I get replies.
2. But if I ping from the LAN device to the Outside interface of the ASA, I get no reply. Even with the debug icmp trace command I couldn't see the traffic hitting the firewall. ACLs have been implemented correctly, and the global policy also allows it with inspect icmp.
3. If I ping from the LAN device to an Outside network IP, there is also no reply. But I can see the request hitting the firewall using the debug icmp trace command, with no replies seen in the ASA.
Not sure where the issue is blocked.