cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2952
Views
0
Helpful
17
Replies

CISCO ASAv can not ping between subnets

Alex.kushnarev
Level 1
Level 1

Hi team,

 

i am using ASAv version 9.12.2 on AWS and i have few internal interfaces (security level 100) and i can not get them to ping each other even when. i am running the same-security lever permit command. i have tried to create an ACL to permit traffic from anywhere to anywhere with no success and i have few pre-made ACLs that i could not delete.   

 

here is my conf:

: Saved

 

:

: Serial Number: 9AS6FC2VFFG

: Hardware:   ASAv, 7680 MB RAM, CPU Xeon E5 series 2900 MHz, 1 CPU (4 cores)

:

ASA Version 9.12(2)

!

hostname ciscoasa

enable password ***** pbkdf2

names

no mac-address auto

 

!

interface GigabitEthernet0/0

nameif App

security-level 100

ip address dhcp setroute

!

interface GigabitEthernet0/1

nameif Web

security-level 100

ip address dhcp setroute

!

interface GigabitEthernet0/2

nameif Guest

security-level 100

ip address dhcp setroute

!             

interface Management0/0

management-only

nameif mgmt 

security-level 90

ip address dhcp setroute

!             

ftp mode passive

clock timezone IST 2

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network App

host 10.0.200.0

object network Web

subnet 10.0.100.0 255.255.255.0

access-list App_access_in extended permit ip any any

access-list Web_access_in extended permit ip any any

access-list Guest_access_in extended permit ip any any

pager lines 23

logging enable

logging trap debugging

logging asdm notifications

logging host mgmt 10.0.250.44 6/1470

mtu mgmt 1500

mtu App 1500 

mtu Web 1500 

mtu Guest 1500

no failover   

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 16384

!             

object network App

nat (any,App) dynamic interface

object network Web

nat (any,Web) dynamic interface

access-group App_access_in in interface App

access-group Web_access_in in interface Web

access-group Guest_access_in in interface Guest

router ospf 100

network 10.0.100.0 255.255.255.0 area 0

network 10.0.200.0 255.255.255.0 area 0

network 0.0.0.0 0.0.0.0 area 0

log-adj-changes

!             

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication login-history

http server enable

http 10.0.250.0 255.255.255.0 App

http 10.0.250.0 255.255.255.0 mgmt

no snmp-server location

no snmp-server contact

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint _SmartCallHome_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

auto-import 

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 0509###

  quit        

telnet timeout 5

ssh stricthostkeycheck

ssh 0.0.0.0 0.0.0.0 mgmt

ssh timeout 30

ssh version 1 2

console timeout 0

vpn load-balancing

dhcp-client client-id interface App

dhcp-client client-id interface Web

dhcp-client client-id interface Guest

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

username admin nopassword privilege 15

username admin attributes

service-type admin

ssh authentication publickey ## hashed

!             

class-map inspection_default

match default-inspection-traffic

!             

!             

policy-map type inspect dns preset_dns_map

parameters   

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map global_policy

class inspection_default

  inspect ip-options

  inspect netbios

  inspect rtsp

  inspect sunrpc

  inspect tftp

  inspect xdmcp

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect esmtp

  inspect sqlnet

  inspect sip 

  inspect skinny 

policy-map type inspect dns migrated_dns_map_2

parameters   

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map type inspect dns migrated_dns_map_1

parameters   

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

!             

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home     

profile License

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination transport-method http

profile CiscoTAC-1

  no active   

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:e7da6c4626b216ca9493ffa5e6e509c4

: end 

  

can any one tell me what am i missing here?

 

Best Regards,

Alex.

17 Replies 17

Hello,

 

from where are you pinging the interfaces ? Put IP addresses on the interfaces, everything is set to DHCP, so we can see whoch networks you are using. Can the local hosts directly connected to the interfaces ping their default gateways ?

hi, 

 

the ip addresses on the intefaces are :
App -> 10.0.100.240

Web -> 10.0.200.240

Guest -> 10.0.150.240

 

i have one instance in each network (10.0.100.0/24,10.0.200.0/24,10.0.150.0/24) and they can ping the relevant ASA interface but can not ping machines on different subnets lets say i have a machine in the app subnet it can ping the app interface of ASA but can not ping any machine in the web subnet.

 

Alex.

Odd. What if you manually assign the IP address to the interfaces instead of using DHCP ?

Still nothing.. 

here is the new conf 

: Saved

 

:

: Serial Number: 9AS6FC2VFFG

: Hardware:   ASAv, 7680 MB RAM, CPU Xeon E5 series 2900 MHz, 1 CPU (4 cores)

:

ASA Version 9.12(2)

!

hostname ciscoasa

enable password ***** pbkdf2

names

no mac-address auto

 

!

interface GigabitEthernet0/0

nameif App

security-level 100

ip address 10.0.100.240 255.255.255.0

!

interface GigabitEthernet0/1

nameif Web

security-level 100

ip address 10.0.200.240 255.255.255.0

!

interface GigabitEthernet0/2

nameif Guest

security-level 100

ip address 10.0.150.240 255.255.255.0

!             

interface Management0/0

management-only

nameif mgmt 

security-level 90

ip address dhcp setroute

!             

ftp mode passive

clock timezone IST 2

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network App

host 10.0.200.0

object network Web

subnet 10.0.100.0 255.255.255.0

access-list App_access_in extended permit ip any any

access-list Web_access_in extended permit ip any any

access-list Guest_access_in extended permit ip any any

access-list global_access extended permit ip any any

pager lines 23

logging enable

logging timestamp

logging trap debugging

logging asdm notifications

logging host mgmt 10.0.250.44 6/1470

mtu mgmt 1500

mtu App 1500 

mtu Web 1500 

mtu Guest 1500

no failover   

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 16384

!             

object network App

nat (any,App) dynamic interface

object network Web

nat (any,Web) dynamic interface

access-group App_access_in in interface App

access-group Web_access_in in interface Web

access-group Guest_access_in in interface Guest

access-group global_access global

router ospf 100

network 10.0.100.0 255.255.255.0 area 0

network 10.0.200.0 255.255.255.0 area 0

network 0.0.0.0 0.0.0.0 area 0

log-adj-changes

!             

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication login-history

http server enable

http 10.0.250.0 255.255.255.0 App

http 10.0.250.0 255.255.255.0 mgmt

no snmp-server location

no snmp-server contact

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint _SmartCallHome_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

auto-import 

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca #####

  quit        

telnet timeout 5

ssh stricthostkeycheck

ssh 0.0.0.0 0.0.0.0 mgmt

ssh timeout 30

ssh version 1 2

console timeout 0

vpn load-balancing

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

username admin nopassword privilege 15

username admin attributes

service-type admin

ssh authentication publickey#hashed

!             

class-map inspection_default

match default-inspection-traffic

!             

!             

policy-map type inspect dns preset_dns_map

parameters   

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map global_policy

class inspection_default

  inspect ip-options

  inspect netbios

  inspect rtsp

  inspect sunrpc

  inspect tftp

  inspect xdmcp

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect esmtp

  inspect sqlnet

  inspect sip 

  inspect skinny 

policy-map type inspect dns migrated_dns_map_2

parameters   

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map type inspect dns migrated_dns_map_1

parameters   

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

!             

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home     

profile License

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination transport-method http

profile CiscoTAC-1

  no active   

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:a308350a05270142ed848690ce2eede9

: end

Hello,

 

which interface is actually suppposed to be your outside ?

 

Try and remove the NAT translations:

 

object network App

nat (any,App) dynamic interface

object network Web

nat (any,Web) dynamic interface

Well now i get destination host unreachable 

i dont think there is an outside interface all of them are inside.

if needed how do i change the interface to outside security level 0?

Hello,

 

in interface configuration mode, configure the outside interface with:

 

security-level 0

 

That said, I do not see any routing in your firewall either. In what topology is this firewall functioning ?

i tried ospf and i do have an outside interface its called Managment 0/0 

also i am trying to understand how to route netween the interfaces couldnt really find a normal walk thrue on how to do it

 

Hello,

 

since you have allowed same security inter interface traffic, pings between the interfaces should work. Which clients are you pinging from ? Make sure there is no local firewall enabled on the clients...

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

    Do the clients have the default gateway set as the ASA?

 

Regards,

Cristian Matei.

HI,

 

yes the instances have the ASA set as the default gateway for the relevant interfaces

 

 

Hi,

 

     Have you removed your NAT configs? Cause based on the NAT config, you have some restrictions on traffic flow initiation.

 

Regards,

Cristian Matei.

Hi,

 

Yes i removed the nat config and those that i couldnt remove i disabled. should i share my new config ?

Hello

You need to not nat between the subnets, but you need a nat statement for that, try:

no object network App
no object network Web

 

object network App_Web
subnet 10.0.100.0 255.255.255.0
nat(App,Web) static 10.0.100.0

 

object network Web_App
subnet 10.0.200.0 255.255.255.0
nat(Web,App) static 10.0.200.0


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul