11-22-2011 12:23 AM - edited 03-04-2019 02:22 PM
Hi all,
Can someone help me with a problem I'm having with a Cisco ASA 5505, IOS version 8.2(1)? The problem with it is that it responds really badly on its inside interface to ICMP replies, although it works perfectly on the outside interface. I was looking for the source of the problem all day yesterday, but can't find it. When I enable logging on the ASA with the command "debug icmp trace" I'm seeing an echo-request coming in, but no echo-reply given. And sometimes, it suddenly gives an echo-reply.
The ASA has both VLANs connected to a Cisco Catalyst 2960 switch. Servers in this network are connected the same way and are reacting normally to ping requests, internal and external.
My config is the following (IP addresses are fictional):
ASA Version 8.2(1)
!
hostname omega
domain-name example.nl
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.11.75 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 213.1.1.1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
speed 100
duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.4.4.4
domain-name example.nl
object-group network obj_any
network-object 0.0.0.0 0.0.0.0
object-group network mylan
network-object 10.0.11.0 255.255.255.0
access-list PermitOutsideIn extended permit icmp any any echo
access-list PermitOutsideIn extended permit icmp any any echo-reply
access-list PermitOutsideIn extended permit icmp any any source-quench
access-list PermitOutsideIn extended permit icmp any any time-exceeded
access-list PermitOutsideIn extended permit tcp any object-group mylan eq ldap
access-list PermitOutsideIn extended permit tcp any object-group mylan eq ldaps
access-list PermitOutsideIn extended permit tcp any object-group mylan eq 3268
access-list PermitOutsideIn extended permit tcp any object-group mylan eq 3269
access-list PermitOutsideIn extended deny icmp any any
access-list AtoB extended permit ip 10.0.11.0 255.255.255.0 10.2.11.0 255.255.255.0 inactive
access-list 100 extended permit ip any any
access-list VPN extended permit udp any host 213.1.1.1 eq isakmp
access-list VPN extended permit esp any any
access-list NattoB extended permit ip 10.0.11.0 255.255.255.0 10.2.11.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NattoB
access-group inside_access_in in interface inside
access-group VPN in interface outside control-plane
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 213.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map map_A2B 1 match address AtoB
crypto map map_A2B 1 set peer 81.2.2.2
crypto map map_A2B 1 set transform-set ESP-AES-128-SHA
crypto map map_A2B interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=omega.example.nl
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp nat-traversal 100
crypto isakmp am-disable
telnet timeout 5
ssh 10.0.11.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxx encrypted privilege 15
tunnel-group 81.2.2.2 type ipsec-l2l
tunnel-group 81.2.2.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
: end
Any help will be greatly appreciated.
11-22-2011 01:44 AM
First things that jump out at me are:
1) You do not have a nat statement for the inside to outside traffic?
> nat (inside) 1 0.0.0.0 0.0.0.0
2) You are applying an "Allow ALL IP" on the inside interface - not required if you are allowing all, this is the default.
> no access-group inside_access_in in interface inside
JMTPW.
P.S. Changes should not be done during production hours.
11-22-2011 02:52 AM
Hi Andrew,
Thanks for your answers. Luckily the ASA is still in a test environment, so I tried your options in a safe, controlled environment, but I'm really confused now. I added the NAT statement and removed the access-group. After this the outside interface stopped answering my ping requests, but the inside interface started responding.
So from the inside interface I open an SSH session and ping an external IP address. Now the behaviour I had on the inside interface is on the outside interface. It's sending ping requests, but it's not getting all ping replies back.
The next thing I did was remove the NAT statement; no difference in behaviour. The inside interface still responds to ping requests really well, but the outside interface doesn't reply at all. When trying to ping an external IP address I get a reply to just 2 or 3 out of 5 packets.
After this I did the "debug icmp trace" command again. I do see the requests on the inside interface coming in and the replies going out. On the outside interface, though, I don't see any reply going out, just requests coming in. When trying to ping an IP address on the outside interface, the requests are going out, but the replies are not all coming in.
What is it that's preventing me from getting the packets through the ASA?
11-22-2011 03:01 AM
Since you are in a lab environment, get back to basics: remove your config (take a copy), use the template below to get the basics working, and move on from there.
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.11.75 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 213.1.1.1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
access-list acl-outside extended permit icmp any any echo
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any time-exceeded
access-list acl-outside extended permit icmp any any source-quench
!
access-list inside-lan extended permit ip 10.0.0.0 255.0.0.0 any
!
global (outside) 1 interface
nat (inside) 1 access-list inside-lan
!
access-group acl-outside in interface outside
!
! next hop is the upstream router (213.1.1.2 in the original config), not the ASA's own outside address
route outside 0.0.0.0 0.0.0.0 213.1.1.2
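The two points in the earlier reply (a `global (outside) 1` with no matching `nat (inside) 1`, and an inbound allow-all on the inside interface that only restates the default) and the route in the template above are all things a script can catch before the box goes into production. The lint below is an added example for this thread, not Cisco tooling and not the poster's code: it parses the flat pre-8.3 `global`/`nat` syntax used here, and also flags a `permit ip any any` applied inbound on a security-level-0 interface, which the OP's `access-list 100` does. The finding codes and messages are this example's own names; the two embedded configs are excerpts of what was posted in the thread, with the template's default route left as posted so the check has something to find.

```python
import ipaddress
import re
from typing import List, Tuple

# Excerpt of the OP's posted config: only the lines this lint inspects.
OP_CONFIG = """
interface Vlan1
nameif inside
security-level 100
ip address 10.0.11.75 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 213.1.1.1 255.255.255.248
access-list 100 extended permit ip any any
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list NattoB
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 213.1.1.2 1
"""

# The reply's template as posted: its default route points at the ASA's own outside address.
TEMPLATE_CONFIG = """
interface Vlan1
nameif inside
security-level 100
ip address 10.0.11.75 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 213.1.1.1 255.255.255.248
access-list acl-outside extended permit icmp any any echo
access-list inside-lan extended permit ip 10.0.0.0 255.0.0.0 any
global (outside) 1 interface
nat (inside) 1 access-list inside-lan
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 213.1.1.1
"""


def parse(config: str) -> dict:
    """Pull interfaces, ACLs, access-groups, global/nat IDs and routes out of a flat 8.2 config."""
    c = {"ifaces": {}, "acls": {}, "groups": [], "globals": [], "nats": [], "routes": []}
    cur = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0][0] in "!:":
            continue
        if tok[0] == "interface":
            cur = {"security": None, "ip": None}
        elif tok[0] == "nameif" and cur is not None:
            c["ifaces"][tok[1]] = cur
        elif tok[0] == "security-level" and cur is not None:
            cur["security"] = int(tok[1])
        elif tok[:2] == ["ip", "address"] and cur is not None and len(tok) >= 4:
            cur["ip"] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "access-list":
            c["acls"].setdefault(tok[1], []).append(" ".join(tok[2:]))
        elif tok[0] == "access-group":  # access-group NAME in interface IFACE [control-plane]
            c["groups"].append((tok[1], tok[4], "control-plane" in tok))
        elif tok[0] in ("global", "nat"):  # global (outside) 1 ... / nat (inside) 0 ...
            m = re.match(r"\((\S+)\)\s+(\d+)", " ".join(tok[1:]))
            if m:
                c[tok[0] + "s"].append((m.group(1), int(m.group(2))))
        elif tok[0] == "route" and len(tok) >= 5:  # route IFACE NET MASK GATEWAY [metric]
            c["routes"].append((tok[1], tok[4]))
    return c


def lint(config: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; the codes are this example's own names."""
    c = parse(config)
    out: List[Tuple[str, str]] = []
    for acl, iface, control_plane in c["groups"]:
        rules = c["acls"].get(acl)
        if rules is None:
            out.append(("undefined-acl", f"access-group {acl} on {iface} names no access-list"))
            continue
        allow_all = any(r.endswith("permit ip any any") for r in rules) and not control_plane
        sec = c["ifaces"].get(iface, {}).get("security")
        if allow_all and sec == 100:
            out.append(("redundant-permit-any", f"{acl} on {iface} only restates the default high-to-low permit"))
        elif allow_all and sec == 0:
            out.append(("permit-any-on-untrusted", f"{acl} permits all IP inbound on {iface} (security-level 0)"))
    nat_ids = {nid for _, nid in c["nats"] if nid != 0}  # nat (x) 0 is exemption, not a pool
    for iface, gid in c["globals"]:
        if gid not in nat_ids:
            out.append(("global-without-nat", f"global ({iface}) {gid} has no nat (...) {gid}: nothing is translated to it"))
    own = {i["ip"].ip: name for name, i in c["ifaces"].items() if i["ip"] is not None}
    for iface, gw in c["routes"]:
        gw_ip = ipaddress.IPv4Address(gw)
        ifc = c["ifaces"].get(iface, {}).get("ip")
        if gw_ip in own:
            out.append(("route-via-own-address", f"next hop {gw} is the ASA's own {own[gw_ip]} address"))
        elif ifc is not None and gw_ip not in ifc.network:
            out.append(("route-next-hop-off-subnet", f"next hop {gw} is not on {iface} ({ifc.network})"))
    return out
```

Run `lint(OP_CONFIG)` and it reports the missing `nat (inside) 1`, the redundant inside allow-all and the allow-all on the outside interface; `lint(TEMPLATE_CONFIG)` reports only the route via the ASA's own address, and the same template with the next hop changed to 213.1.1.2 comes back clean. The parser deliberately ignores everything else in the config, so it says nothing about the VPN, inspection or management lines.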
11-23-2011 10:05 AM
Thanks again for answering my questions, Andrew. As you suggested I removed the config (did a reset to factory default), added the basic config and started working from there.
All went well; I could ping inside and outside until I tried a ping from a PC behind the inside interface of the ASA to a server behind the other endpoint of the VPN. Something really strange happened there, which was being logged as: "Deny inbound icmp src outside:10.0.11.4 dst outside:10.2.11.162 (type 8, code 0)"
After that I looked up the ARP table:
omega(config)# show arp
inside 10.0.11.4 0000.488e.676f bbb
outside 213.1.1.2 0000.972f.c7c0 aaa
outside 10.0.11.4 0000.488e.676f bbb
and the route table:
omega(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 213.1.1.2 to network 0.0.0.0
C 10.0.11.0 255.255.255.0 is directly connected, inside
C 213.11.1.3 255.255.255.248 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 213.1.1.2, outside
Now things started to make sense. Something in the network isn't right. I guess it's a thing with the configuration of the Catalyst 2960. So that's my next point of action.
Andrew, thanks again for your help. For now this issue is solved for me!
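The ARP table in the post above is the tell: the MAC of 10.0.11.4 is learned on both inside and outside, and the deny message shows an inside address arriving on the outside interface. When that happens the inside hosts are reachable on the outside VLAN and the firewall is no longer between them, so it is worth checking for automatically rather than noticing it by eye. The script below is an added example, not the poster's or Cisco's code: it parses `show arp` output and `Deny inbound` syslog lines in the exact shape quoted in this thread, with the interface subnets taken from the config at the top of the thread, and reports a MAC seen on more than one interface, an address learned on an interface whose subnet does not contain it, and a deny whose source belongs to a different interface than the one it entered on. The finding codes are this example's own names.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Interface subnets from the OP's config.
IFACE_NETS: Dict[str, ipaddress.IPv4Network] = {
    "inside": ipaddress.IPv4Network("10.0.11.0/24"),
    "outside": ipaddress.IPv4Network("213.1.1.0/29"),
}

# `show arp` output as posted (the OP replaced the age column with aaa/bbb).
SHOW_ARP = """\
inside 10.0.11.4 0000.488e.676f bbb
outside 213.1.1.2 0000.972f.c7c0 aaa
outside 10.0.11.4 0000.488e.676f bbb
"""

# The syslog line quoted in the post.
DENY_LOGS = ["Deny inbound icmp src outside:10.0.11.4 dst outside:10.2.11.162 (type 8, code 0)"]

ARP_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3})\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})")
DENY_RE = re.compile(r"Deny inbound (\S+) src (\S+):(\d+(?:\.\d+){3}) dst (\S+):(\d+(?:\.\d+){3})")


def parse_arp(text: str) -> List[Tuple[str, str, str]]:
    """(interface, ip, mac) per ARP entry; lines that do not look like entries are skipped."""
    out = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            out.append(m.groups())
    return out


def home_interface(ip: str, nets: Dict[str, ipaddress.IPv4Network]) -> Optional[str]:
    """Interface whose configured subnet contains ip, or None if no subnet does."""
    addr = ipaddress.IPv4Address(ip)
    for name, net in nets.items():
        if addr in net:
            return name
    return None


def check_arp(entries: List[Tuple[str, str, str]], nets: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Flag a MAC learned on more than one interface, and an IP learned off its interface's subnet."""
    out: List[Tuple[str, str]] = []
    by_mac: Dict[str, Set[str]] = {}
    for iface, _ip, mac in entries:
        by_mac.setdefault(mac, set()).add(iface)
    for mac, ifaces in by_mac.items():
        if len(ifaces) > 1:
            out.append(("mac-on-multiple-interfaces",
                        f"{mac} answers on {', '.join(sorted(ifaces))}: the same host is reachable on both"))
    for iface, ip, _mac in entries:
        net = nets.get(iface)
        if net is not None and ipaddress.IPv4Address(ip) not in net:
            home = home_interface(ip, nets) or "no configured"
            out.append(("arp-off-subnet", f"{ip} learned on {iface} ({net}) but belongs to the {home} subnet"))
    return out


def check_deny_logs(lines: List[str], nets: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Flag denies that hairpin on one interface or whose source entered on the wrong interface."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        proto, src_if, src_ip, dst_if, dst_ip = m.groups()
        if src_if == dst_if:
            out.append(("same-interface-deny", f"{proto} {src_ip} -> {dst_ip} entered and would leave on {src_if}"))
        home = home_interface(src_ip, nets)
        if home is not None and home != src_if:
            out.append(("source-on-wrong-interface", f"{src_ip} is a {home} address but arrived on {src_if}"))
    return out
```

On the posted data, `check_arp` reports the shared MAC and the 10.0.11.4 entry on outside, and `check_deny_logs` reports both the outside-to-outside hairpin and the inside address arriving on outside. A deny for a genuine Internet source (say 198.51.100.7 to an inside host) produces nothing, which is the point: the check is quiet unless the interfaces have been bridged or a host is on the wrong side.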
11-23-2011 11:32 AM
Sure, no problem.
For the failed ping, it could be a NAT issue?!