Cant ping from / to ASA 5505

Screwball011
Level 1

Hi,

I am trying to configure my ASA 5505 to load an IOS via TFTP from my cpu. I can't ping between the devices, and I can't even ping the local interface on the ASA from itself. I get the errors below when pinging from the ASA. I also pasted the running config.

Any advice would be appreciated.  I need to load an IOS on here fast!

 

ciscoasa# ping 169.254.1.5 --------------->  (TFTP ip)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.1.5, timeout is 2 seconds:
No route to host 169.254.1.5
Success rate is 0 percent (0/1)


ciscoasa# ping 169.254.1.1  ---------->  (ASA Vlan#1 IP)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.1.1, timeout is 2 seconds:
No route to host 169.254.1.1

_______________________________________________________________

ASA running config:

ciscoasa# sh run
: Saved
:
ASA Version 8.4(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
!
interface Vlan1
 no nameif
 no security-level
 ip address 169.254.1.1 255.255.255.0
!
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:58714a5e86d7d1486c778e8a70e65df3
: end
ciscoasa#

 


12 Replies

togrul.azizli
Level 1

Hi,

Under the interface vlan 1 put

#nameif INSIDE

#security-level 100

then create an ACL

#access-list INSIDE_IN extended permit any any

#access-group INSIDE_IN in interface INSIDE

then, for ping to work, add the command

#icmp permit any INSIDE

See if it works, and let me know

Thanks, but it is still not working. I had to tweak the following command:

#access-list INSIDE_IN extended permit icmp any any 

I highlighted the cmds that you had me add in the config below, but I am still getting no ping between the devices.

ciscoasa# ping 169.254.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.1.5, timeout is 2 seconds:
No route to host 169.254.1.5

 

ciscoasa# sh run
: Saved
:
ASA Version 8.4(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 169.254.1.1 255.255.255.0

!
ftp mode passive
access-list INSIDE_IN extended permit icmp any any
pager lines 24
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group INSIDE_IN in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e984c3184687b87b09e5b3ea115027de
: end
ciscoasa#

The 169.0.0.0 IP range is usually assigned by the computer itself to its NIC when it cannot get an IP address from a DHCP server. In other words, this IP range is not normally given to computers. Can you change the IPs that you gave to your interface and your TFTP server? Maybe then it will work. Use something like 192.168.1.0/24 or 172.16.0.0/16.

Let me know what happens

I changed the IPs to the 192.168.1.0/24 subnet and still get the same result. I can ping the asa from itself, and from the cpu -> asa, but not from the asa -> cpu.

asa ip: 192.168.1.1

cpu ip: 192.168.1.5

ciscoasa# ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
?????

Hi, did you enable ICMP inspection?

Robert,

Hi. Yes, I enabled "icmp inspection" using the fixup protocol icmp command. I verified it and can see it in the running config. After enabling that, I could ping the local asa interface from itself, but still not the cpu...

I think Fed S. may be onto something with the firewall issue on the cpu....

 

Thanks,

Scott

Is the cpu a Win box? Any chance Win firewall is enabled?

Fed S.

You might be right! I will have to check it when I go back to work tomorrow. Networking at my work is crazy; they use AD and, from what I saw, the Win Firewall was not even enabled, but there could be one in the anti-virus software.

I will check it again and let ya know...

 

Thanks,

Scott

That worked, Fed S. I had to allow all connections "inbound" and now I can successfully TFTP to the ASA.

I do have another issue... I am not able to open ASDM via web browser. I get "address isn't valid" when typing "https://" in the browser. Can anyone please advise on this one?

 

 

running config -

ciscoasa# sh run
: Saved
:
ASA Version 8.4(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/flash
boot system disk0:/asa844-k8.bin
ftp mode passive
object-group network INSIDE_NET
access-list inside_in extended permit icmp any any
pager lines 24
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
access-group inside_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.1.2-192.168.1.10 inside
dhcpd enable inside

!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:28321e758bdb5901c9f08745f5e604a2
: end
ciscoasa#

Scott,

 

Be sure the browser on 192.168.1.x is not configured to use a proxy (AD group policy), or that 192.168.1.1 is excepted.

Also, don't use Firefox; it doesn't like SSL certs of less than 2k, if I'm not mistaken.

You can try a telnet 192.168.1.1 443 to see if it works. Using Wireshark/Windump is always useful.

PS: have you generated a cert on the ASA? Something like crypto key generate rsa mod .... ?

 

Fed

Fed S,

I resolved the issue by removing the access list statement "icmp permit any inside". Apparently the implicit deny was blocking HTTP, I assume. As soon as I did, the web interface for ASDM started.

I appreciate everyone's feedback and help!

 

Scott

Togrul,

The statement "icmp permit any inside" was preventing me from opening the ASDM web browser. I had to remove it to allow HTTP connections for ASDM - FYI.

Thanks,

Scott
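The thread boils down to a handful of config items that decided whether pings and ASDM worked: a nameif and security-level on Vlan1, an ACL that the access-group actually references, inspect icmp in global_policy, the http server / http subnet / asdm image lines, and the per-interface icmp permit rule that the last two posts discuss. The following is an added example, written for this page and not code from the thread, Cisco, or any Cisco tool: a small Python audit that reads a pasted "sh run" as plain text and reports those items. The two embedded configs are constructed excerpts modelled on the first and last running configs Scott posted (hostnames, passwords and timeouts left out); the check names and messages are my own.

```python
"""Audit a Cisco ASA 'show run' for the settings discussed in this thread.
Added example, not from the thread: checks nameif/security-level on Vlan1,
ACL/access-group consistency, ICMP inspection, ASDM prerequisites, ICMP rules."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the first 'sh run' posted (Vlan1 unnamed).
SAMPLE_BEFORE = """\
interface Vlan1
 no nameif
 no security-level
 ip address 169.254.1.1 255.255.255.0
!
policy-map global_policy
 class inspection_default
"""

# Constructed excerpt modelled on the last 'sh run' posted (ASDM working).
SAMPLE_AFTER = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list inside_in extended permit icmp any any
icmp permit any inside
asdm image disk0:/asdm-742.bin
access-group inside_in in interface inside
http server enable
http 192.168.1.0 255.255.255.0 inside
policy-map global_policy
 class inspection_default
  inspect icmp
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    # Map each top-level line to its indented child lines (stripped).
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' and blank lines end a block
        elif raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(config: str) -> Dict[str, List[str]]:
    """Return findings grouped as errors, warnings and info."""
    blocks = parse_blocks(config)
    top = list(blocks)  # top-level lines, in config order
    out: Dict[str, List[str]] = {"errors": [], "warnings": [], "info": []}
    nameifs = set()
    # 1. An interface with an IP but no nameif/security-level is not usable
    #    on the ASA; that is how Vlan1 looked in the first config posted.
    for parent, kids in blocks.items():
        if not parent.startswith("interface "):
            continue
        has_ip = any(k.startswith("ip address ") for k in kids)
        name = next((k.split()[1] for k in kids if k.startswith("nameif ")), None)
        if name:
            nameifs.add(name)
        if has_ip and not name:
            out["errors"].append(f"{parent}: has an IP address but no nameif")
        elif has_ip and not any(k.startswith("security-level ") for k in kids):
            out["errors"].append(f"{parent}: missing security-level")
    # 2. access-group must name an existing ACL and a real nameif.
    acls = {t.split()[1] for t in top if t.startswith("access-list ")}
    for t in top:
        m = re.match(r"access-group (\S+) (?:in|out) interface (\S+)$", t)
        if m and (m.group(1) not in acls or m.group(2) not in nameifs):
            out["errors"].append(f"{t}: unknown ACL or interface name")
    # 3. ICMP inspection, the accepted answer's first question.
    if "inspect icmp" not in blocks.get("policy-map global_policy", []):
        out["warnings"].append("inspect icmp is not enabled in global_policy")
    # 4. ASDM needs the HTTP server on, an http rule for the client subnet
    #    on a named interface, and an ASDM image on flash.
    if "http server enable" not in top:
        out["warnings"].append("http server enable is missing")
    rules = [t for t in top if re.match(r"http \d+\.\d+\.\d+\.\d+ \S+ \S+$", t)]
    if not rules:
        out["warnings"].append("no 'http <net> <mask> <ifname>' rule for ASDM clients")
    for rule in rules:
        if rule.split()[-1] not in nameifs:
            out["errors"].append(f"{rule}: interface has no nameif")
    if not any(t.startswith("asdm image ") for t in top):
        out["warnings"].append("asdm image is not set")
    # 5. 'icmp permit|deny ... <ifname>' governs ICMP sent to the ASA's own
    #    interfaces; with any rule present, unmatched ICMP to that interface
    #    is dropped.  Listed for review since the last post removed this line.
    for t in top:
        if re.match(r"icmp (permit|deny) ", t):
            out["info"].append(f"interface ICMP rule present: {t}")
    return out
```

Running audit(SAMPLE_BEFORE) reports the unnamed Vlan1 as an error plus four warnings (no inspect icmp, no http server, no http subnet rule, no asdm image), which matches the symptoms in the first post; audit(SAMPLE_AFTER) is clean apart from the informational line about icmp permit any inside. Paste a real "sh run" into audit() the same way. The parser keys on the ASA's one-space indentation and "!" separators, so it only sees the structure, not the semantics of every command; treat it as a checklist, not a substitute for show commands on the box.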
