Having bgp routes but unable to ping

vamsi007
Level 1

ON ROUTER R1

interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
ip address 192.1.100.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.1.25.1 255.255.255.0
duplex auto
speed auto
media-type rj45

interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router bgp 100
bgp log-neighbor-changes
network 10.1.1.0 mask 255.255.255.0
network 192.1.25.0
neighbor 192.1.100.3 remote-as 100

sh ip route

6.0.0.0/24 is subnetted, 1 subnets
B 6.6.6.0 [200/1] via 192.1.100.3, 02:31:49
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Loopback0
L 10.1.1.1/32 is directly connected, Loopback0
B 10.2.2.0/24 [200/0] via 192.1.100.3, 02:31:49
B 10.5.5.0/24 [200/1] via 192.1.100.3, 02:31:49
B 10.7.7.0/24 [200/1] via 192.1.100.3, 02:31:49
B 10.11.11.0/24 [200/0] via 192.1.100.3, 02:31:49
192.1.25.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.1.25.0/24 is directly connected, GigabitEthernet0/1
L 192.1.25.1/32 is directly connected, GigabitEthernet0/1
B 192.1.50.0/24 [200/0] via 192.1.100.3, 02:31:49
B 192.1.70.0/24 [200/0] via 192.1.100.3, 02:31:49
192.1.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.1.100.0/24 is directly connected, GigabitEthernet0/0
L 192.1.100.1/32 is directly connected, GigabitEthernet0/0


ON ROUTER R3
interface GigabitEthernet0/0
ip address 192.1.100.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.1.20.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 192.1.24.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
ip address 192.1.30.3 255.255.255.0
duplex auto
speed auto
media-type rj45
!
router bgp 100
bgp log-neighbor-changes
neighbor 192.1.20.2 remote-as 200
neighbor 192.1.30.10 remote-as 64512
neighbor 192.1.100.1 remote-as 100
neighbor 192.1.100.1 next-hop-self

sh ip route
Gateway of last resort is not set

6.0.0.0/24 is subnetted, 1 subnets
B 6.6.6.0 [20/1] via 192.1.30.10, 04:17:26
10.0.0.0/24 is subnetted, 5 subnets
B 10.1.1.0 [200/0] via 192.1.100.1, 02:47:43
B 10.2.2.0 [20/0] via 192.1.20.2, 04:07:42
B 10.5.5.0 [20/1] via 192.1.30.10, 04:17:26
B 10.7.7.0 [20/1] via 192.1.30.10, 03:36:47
B 10.11.11.0 [20/0] via 192.1.30.10, 04:17:26
192.1.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.1.20.0/24 is directly connected, GigabitEthernet0/1
L 192.1.20.3/32 is directly connected, GigabitEthernet0/1
192.1.24.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.1.24.0/24 is directly connected, GigabitEthernet0/2
L 192.1.24.3/32 is directly connected, GigabitEthernet0/2
B 192.1.25.0/24 [200/0] via 192.1.100.1, 02:52:59
192.1.30.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.1.30.0/24 is directly connected, GigabitEthernet0/3
L 192.1.30.3/32 is directly connected, GigabitEthernet0/3
B 192.1.50.0/24 [20/0] via 192.1.30.10, 04:17:26
B 192.1.70.0/24 [20/0] via 192.1.30.10, 04:17:26
192.1.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.1.100.0/24 is directly connected, GigabitEthernet0/0
L 192.1.100.3/32 is directly connected, GigabitEthernet0/0

ON ASA
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.1.30.10 255.255.255.0
!
interface GigabitEthernet0/1
description DMZ-5
nameif DMZ-5
security-level 50
ip address 192.1.50.10 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.11.11.10 255.255.255.0
!
interface GigabitEthernet0/3
description DMZ-7
nameif DMZ-7
security-level 50
ip address 192.1.70.10 255.255.255.0


D 6.6.6.0 255.255.255.0 [90/130816] via 10.11.11.6, 03:37:36, inside
B 10.1.1.0 255.255.255.0 [20/0] via 192.1.30.3, 02:51:07
B 10.2.2.0 255.255.255.0 [20/0] via 192.1.30.3, 03:37:36
D 10.5.5.0 255.255.255.0 [90/130816] via 192.1.50.5, 03:37:36, DMZ-5
D 10.7.7.0 255.255.255.0 [90/130816] via 192.1.70.7, 03:37:36, DMZ-7
C 10.11.11.0 255.255.255.0 is directly connected, inside
L 10.11.11.10 255.255.255.255 is directly connected, inside
B 192.1.25.0 255.255.255.0 [20/0] via 192.1.30.3, 02:55:58
C 192.1.30.0 255.255.255.0 is directly connected, outside
L 192.1.30.10 255.255.255.255 is directly connected, outside
C 192.1.50.0 255.255.255.0 is directly connected, DMZ-5
L 192.1.50.10 255.255.255.255 is directly connected, DMZ-5
C 192.1.70.0 255.255.255.0 is directly connected, DMZ-7
L 192.1.70.10 255.255.255.255 is directly connected, DMZ-7


ON ROUTER R6

sh ip route

6.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 6.6.6.0/24 is directly connected, Loopback0
L 6.6.6.6/32 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D EX 10.1.1.0/24
[170/281856] via 10.11.11.10, 02:56:21, GigabitEthernet0/0
D EX 10.2.2.0/24
[170/281856] via 10.11.11.10, 02:58:20, GigabitEthernet0/0
D 10.5.5.0/24 [90/131072] via 10.11.11.10, 04:28:07, GigabitEthernet0/0
D 10.7.7.0/24 [90/131072] via 10.11.11.10, 03:46:03, GigabitEthernet0/0
C 10.11.11.0/24 is directly connected, GigabitEthernet0/0
L 10.11.11.6/32 is directly connected, GigabitEthernet0/0
D EX 192.1.25.0/24 [170/281856] via 10.11.11.10, 02:58:20, GigabitEthernet0/0
D 192.1.50.0/24 [90/3072] via 10.11.11.10, 04:39:39, GigabitEthernet0/0
D 192.1.70.0/24 [90/3072] via 10.11.11.10, 04:32:23, GigabitEthernet0/0


Accepted Solution

Hello

By default ICMP is prohibited from being initiated externally, travelling towards or through the ASA firewall. This is because the WAN interface usually has a lower security level than any other interface on the firewall, and traffic from a lower-level interface towards a higher-level interface is denied by default unless it is allowed with an access-list. ICMP traffic that is initiated from a higher-level interface to a lower-level one is allowed, but the returning echo reply needs to be enabled for inspection, and this inspection isn't enabled by default.

So to allow the returning ICMP echo-reply through the ASA firewall you can apply the following:
policy-map global_policy
class inspection_default
inspect icmp

To allow ICMP to be initiated externally from the firewall you need an access-list:

access-list 100 extended permit icmp any any

access-group 100 in interface outside


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

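As an added illustration (not code from the thread, and not the ASA's own logic), the following Python model reproduces the behaviour Paul describes: security levels from the ASA config above decide whether a new flow is allowed, an inbound access-list on an interface overrides that check, and only with `inspect icmp` does the firewall keep state so that the echo reply is matched to its request. The rule set is a deliberate simplification of the ASA.

```python
"""Simplified model of ASA ICMP handling across security levels.
Added example; the real ASA has many more rules than this."""

# Interface security levels taken from the ASA config posted above.
SECURITY_LEVEL = {"outside": 0, "DMZ-5": 50, "DMZ-7": 50, "inside": 100}


class AsaIcmpPolicy:
    def __init__(self, inspect_icmp=False, inbound_acl_ifaces=()):
        # True when 'inspect icmp' is in class inspection_default.
        self.inspect_icmp = inspect_icmp
        # Interfaces with an inbound ACL permitting icmp any any
        # ('access-group 100 in interface outside' in the reply above).
        self.acl_ifaces = set(inbound_acl_ifaces)
        # Tracked echo sessions, only populated when inspection is on.
        self.state = set()

    def _permitted_new_flow(self, in_if, out_if):
        if in_if in self.acl_ifaces:
            return True  # ACL replaces the level-based default on that interface
        # Default rule: higher security level may initiate towards lower.
        return SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]

    def echo_request(self, in_if, out_if, src, dst, ident):
        if not self._permitted_new_flow(in_if, out_if):
            return False
        if self.inspect_icmp:
            self.state.add((src, dst, ident))  # remember the session
        return True

    def echo_reply(self, in_if, out_if, src, dst, ident):
        # With inspection the reply is matched to the tracked request.
        if (dst, src, ident) in self.state:
            return True
        # Without state the reply is judged as a brand-new flow.
        return self._permitted_new_flow(in_if, out_if)


def ping_result(policy, in_if, out_if, src, dst, ident=1):
    """Return (request_passed, reply_passed) for one echo exchange."""
    if not policy.echo_request(in_if, out_if, src, dst, ident):
        return False, False
    reply_ok = policy.echo_reply(out_if, in_if, dst, src, ident)
    return True, reply_ok
```

Run `ping_result` for inside-to-outside with and without `inspect icmp`, and for outside-to-inside with and without the ACL, to see the four outcomes the reply describes.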

3 Replies


Thanks Paul, your solution worked. One more doubt regarding this topology: I am getting a ping only when I use the loopback as source from the BGP router. What changes should I make to the BGP router to get a ping with the physical interface as source?

Router# ping 6.6.6.6 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/12/20 ms
Router# ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Hello

It sounds like you need to also advertise the physical interface addressing so reachability is established when sourcing from those interfaces.

Note: if they are originally advertised via EIGRP, that routing process is classful by default, so you may need to turn off auto-summarisation so they get advertised correctly:

router eigrp x

no auto-summary


Kind Regards
Paul
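Added example (not from the thread): a hop-by-hop return-path check built from the route tables posted above, reduced to prefix and next hop. It shows why the echo reply from 6.6.6.6 finds its way back to 10.1.1.1 but is dropped on R6 when the ping is sourced from 192.1.100.1, a prefix R1 never puts under `router bgp 100`, which is the gap Paul's reply points at. The next-hop-to-device mapping is taken from the interface configs above.

```python
"""Return-path trace over the route tables posted in this thread.
Added example; tables are excerpts, not full 'sh ip route' output."""
import ipaddress

# Next-hop address -> device owning it, from the interface configs above.
NEXT_HOP_OWNER = {"10.11.11.10": "ASA", "192.1.30.3": "R3", "192.1.100.1": "R1"}

# Excerpts of the posted routing tables: prefix -> next hop or 'connected'.
ROUTES = {
    "R6":  {"10.1.1.0/24": "10.11.11.10", "10.2.2.0/24": "10.11.11.10",
            "192.1.25.0/24": "10.11.11.10", "10.11.11.0/24": "connected",
            "6.6.6.0/24": "connected"},
    "ASA": {"10.1.1.0/24": "192.1.30.3", "10.2.2.0/24": "192.1.30.3",
            "192.1.25.0/24": "192.1.30.3", "192.1.30.0/24": "connected",
            "10.11.11.0/24": "connected"},
    "R3":  {"10.1.1.0/24": "192.1.100.1", "192.1.25.0/24": "192.1.100.1",
            "192.1.100.0/24": "connected", "192.1.30.0/24": "connected"},
    "R1":  {"10.1.1.0/24": "connected", "192.1.25.0/24": "connected",
            "192.1.100.0/24": "connected"},
}


def lookup(device, dst):
    """Longest-prefix match on one device; next hop, 'connected', or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in ROUTES[device].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def trace(start, dst, max_hops=8):
    """Walk from 'start' towards 'dst'. Returns (delivered, path)."""
    device, path = start, [start]
    for _ in range(max_hops):
        nh = lookup(device, dst)
        if nh is None:
            return False, path        # no route: the reply dies here
        if nh == "connected":
            return True, path         # destination is on-link
        device = NEXT_HOP_OWNER.get(nh)
        if device is None:
            return False, path        # next hop not modelled
        path.append(device)
    return False, path
```

Adding 192.1.100.0/24 to the R6 and ASA tables, which is what advertising it from R1 would achieve per the reply above, makes the second trace succeed.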