cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
393
Views
5
Helpful
4
Replies
Highlighted
Beginner

My Cisco867AE won't to talk to my ASA5510.

Should be a simple act, but no matter what I do, I can't ping from my ASA5510 to VLAN1 of the Router.

 

ASA5510 Interface:

interface Ethernet0/0

speed 100

duplex full

nameif Outside-Internet

security-level 0

ip address 122.56.33.108 255.255.255.248

 

 

Router Interface.

interface FastEthernet0

Description ToASA5510(eth0/0)

no ip address ! Because you can't put ip address on L2 interface

interface Vlan1

Description IPforFast0

 ip address 122.56.33.110 255.255.255.248

 

 

Router#sh ip int br

Interface                  IP-Address      OK? Method Status                Protocol

ATM0                       unassigned      YES NVRAM  administratively down down

Ethernet0                  unassigned      YES NVRAM  administratively down down

FastEthernet0              unassigned      YES unset  up                    up

FastEthernet1              unassigned      YES unset  down                  down

FastEthernet2              unassigned      YES unset  down                  down

FastEthernet3              unassigned      YES unset  down                  down

GigabitEthernet0           unassigned      YES unset  down                  down

GigabitEthernet1           122.56.100.113  YES NVRAM  down                  down

Vlan1                      122.56.33.110   YES NVRAM  up                    up

 

 

sh ip route

ip route 0.0.0.0 0.0.0.0 122.56.100.112

122.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        122.56.33.104/29 is directly connected, Vlan1

L        122.56.33.110/32 is directly connected, Vlan1

 

 

All ASA polices have been set to any/any/any

 

ciscoasa# ping 122.56.33.110  --- fails

 

What's missing?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Hello,

 

try and add:

 

icmp permit any Outside-Internet

View solution in original post

4 REPLIES 4
Highlighted
VIP Expert

Hello,

 

are you allowing ICMP on the outside interface ? Post the full config of your ASA...

Highlighted

Sure, Here it is:

(You'll notice the E0/0 interface is down, Thats only because i have the router disconnected while i look at another issue).

: Saved

:

: Serial Number: JMX1049K21L

: Hardware:   ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

:

ASA Version 9.0(4)42

!

hostname ciscoasa

enable password xxxxxxxxxxxxxxx encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd xxxxxxxxxxxxxxxxxx  encrypted

names

!

interface Ethernet0/0

 speed 100

 duplex full

 nameif Outside-Internet

 security-level 100

 ip address 122.56.33.108 255.255.255.248

!

interface Ethernet0/1

 no nameif

 security-level 100

 no ip address

!

interface Ethernet0/1.50

 vlan 50

 nameif Servers

 security-level 100

 ip address 192.168.50.1 255.255.255.0

!

interface Ethernet0/1.202

 vlan 202

 nameif Users

 security-level 100

 ip address 192.168.202.1 255.255.255.0

!

interface Ethernet0/2

 no nameif

 security-level 100

 no ip address

!

interface Ethernet0/2.102

 vlan 102

 nameif Pod2

 security-level 100

 ip address 192.168.102.1 255.255.255.0

!

interface Ethernet0/2.103

 vlan 103

 nameif Pod3

 security-level 100

 ip address 192.168.103.1 255.255.255.0

!

interface Ethernet0/2.104

 vlan 104

 nameif Pod4

 security-level 100

 ip address 192.168.104.1 255.255.255.0

!

interface Ethernet0/2.105

 vlan 105

 nameif Pod14

 security-level 100

 ip address 192.168.105.1 255.255.255.0

!

interface Ethernet0/2.107

 vlan 107

 nameif Pod1-Jeff

 security-level 100

 ip address 192.168.107.1 255.255.255.0

!

interface Ethernet0/2.110

 vlan 110

 nameif Pod10

 security-level 100

 ip address 192.168.110.1 255.255.255.0

!

interface Ethernet0/2.115

 vlan 115

 nameif Pod15

 security-level 100

 ip address 192.168.115.1 255.255.255.0

!

interface Ethernet0/2.116

 vlan 116

 nameif Pod16

 security-level 100

 ip address 192.168.116.1 255.255.255.0

!

interface Ethernet0/2.118

 vlan 118

 nameif Pod18

 security-level 100

 ip address 192.168.118.1 255.255.255.0

!

interface Ethernet0/2.119

 vlan 119

 nameif Pod19

 security-level 100

 ip address 192.168.119.1 255.255.255.0

!

interface Ethernet0/2.120

 vlan 120

 nameif Pod20

 security-level 100

 ip address 192.168.120.1 255.255.255.0

!

interface Ethernet0/2.121

 vlan 121

 nameif Pod21

 security-level 100

 ip address 192.168.121.1 255.255.255.0

!

interface Ethernet0/2.122

 vlan 122

 nameif Pod22

 security-level 100

 ip address 192.168.122.1 255.255.255.0

!

interface Ethernet0/3

 no nameif

 security-level 100

 no ip address

!

interface Ethernet0/3.210

 vlan 210

 nameif ManageInternal

 security-level 100

 ip address 192.168.210.2 255.255.255.0

!

interface Management0/0

 management-only

 no nameif

 security-level 100

 no ip address

!

boot system disk0:/asa904-42-k8.bin

ftp mode passive

object-group icmp-type DM_INLINE_ICMP_1

 icmp-object echo

 icmp-object echo-reply

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group service DM_INLINE_SERVICE_1

 service-object tcp-udp

 service-object ip

 service-object icmp

 service-object icmp echo

 service-object icmp echo-reply

object-group service DM_INLINE_SERVICE_2

 service-object tcp-udp

 service-object ip

 service-object icmp echo

 service-object icmp echo-reply

 service-object icmp

access-list ManageInternal_access_in extended permit object-group TCPUDP any4 any4

access-list ManageInternal_access_in extended permit ip any4 any4 log

access-list ManageInternal_access_in extended permit icmp any4 any4 object-group DM_INLINE_ICMP_1

access-list ManageInternal_access_in extended permit icmp any4 any4

access-list Servers_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 any4

access-list Servers_access_in extended deny ip any any

access-list Users_access_in extended permit object-group DM_INLINE_SERVICE_2 any4 any4

access-list Users_access_in extended deny ip any4 any4

pager lines 24

logging enable

logging asdm informational

mtu Outside-Internet 1500

mtu Servers 1500

mtu Users 1500

mtu Pod2 1500

mtu Pod3 1500

mtu Pod4 1500

mtu Pod14 1500

mtu Pod1-Jeff 1500

mtu Pod10 1500

mtu Pod15 1500

mtu Pod16 1500

mtu Pod18 1500

mtu Pod19 1500

mtu Pod20 1500

mtu Pod21 1500

mtu Pod22 1500

mtu ManageInternal 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo Servers

icmp permit any echo-reply Servers

icmp permit any echo Users

icmp permit any echo-reply Users

icmp permit any echo ManageInternal

icmp permit any echo-reply ManageInternal

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group Servers_access_in in interface Servers

access-group Users_access_in in interface Users

access-group ManageInternal_access_in in interface ManageInternal

route Outside-Internet 0.0.0.0 0.0.0.0 122.56.33.110 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 ManageInternal

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 ManageInternal

ssh timeout 60

console timeout 0

vpn-addr-assign local reuse-delay 20

no threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username admin password xxxxxxxxxxxxxxxxx encrypted privilege 15

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:0a6252208bea6c2de982747806ae0c10

: end

ciscoasa# sh int ip brief

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0/0                122.56.33.108   YES CONFIG down                  down

Ethernet0/1                unassigned      YES unset  up                    up

Ethernet0/1.50             192.168.50.1    YES CONFIG up                    up

Ethernet0/1.202            192.168.202.1   YES CONFIG up                    up

Ethernet0/2                unassigned      YES unset  up                    up

Ethernet0/2.102            192.168.102.1   YES CONFIG up                    up

Ethernet0/2.103            192.168.103.1   YES CONFIG up                    up

Ethernet0/2.104            192.168.104.1   YES CONFIG up                    up

Ethernet0/2.105            192.168.105.1   YES CONFIG up                    up

Ethernet0/2.107            192.168.107.1   YES CONFIG up                    up

Ethernet0/2.110            192.168.110.1   YES CONFIG up                    up

Ethernet0/2.115            192.168.115.1   YES CONFIG up                    up

Ethernet0/2.116            192.168.116.1   YES CONFIG up                    up

Ethernet0/2.118            192.168.118.1   YES CONFIG up                    up

Ethernet0/2.119            192.168.119.1   YES CONFIG up                    up

Ethernet0/2.120            192.168.120.1   YES CONFIG up                    up

Ethernet0/2.121            192.168.121.1   YES CONFIG up                    up

Ethernet0/2.122            192.168.122.1   YES CONFIG up                    up

Ethernet0/3                unassigned      YES unset  up                    up

Ethernet0/3.210            192.168.210.2   YES CONFIG up                    up

Management0/0              unassigned      YES unset  down                  down

ciscoasa# sh ip address

System IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Ethernet0/0              Outside-Internet       122.56.33.108   255.255.255.248 CONFIG

Ethernet0/1.50           Servers                192.168.50.1    255.255.255.0   CONFIG

Ethernet0/1.202          Users                  192.168.202.1   255.255.255.0   CONFIG

Ethernet0/2.102          Pod2                   192.168.102.1   255.255.255.0   CONFIG

Ethernet0/2.103          Pod3                   192.168.103.1   255.255.255.0   CONFIG

Ethernet0/2.104          Pod4                   192.168.104.1   255.255.255.0   CONFIG

Ethernet0/2.105          Pod14                  192.168.105.1   255.255.255.0   CONFIG

Ethernet0/2.107          Pod1-Jeff              192.168.107.1   255.255.255.0   CONFIG

Ethernet0/2.110          Pod10                  192.168.110.1   255.255.255.0   CONFIG

Ethernet0/2.115          Pod15                  192.168.115.1   255.255.255.0   CONFIG

Ethernet0/2.116          Pod16                  192.168.116.1   255.255.255.0   CONFIG

Ethernet0/2.118          Pod18                  192.168.118.1   255.255.255.0   CONFIG

Ethernet0/2.119          Pod19                  192.168.119.1   255.255.255.0   CONFIG

Ethernet0/2.120          Pod20                  192.168.120.1   255.255.255.0   CONFIG

Ethernet0/2.121          Pod21                  192.168.121.1   255.255.255.0   CONFIG

Ethernet0/2.122          Pod22                  192.168.122.1   255.255.255.0   CONFIG

Ethernet0/3.210          ManageInternal         192.168.210.2   255.255.255.0   CONFIG

Current IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Ethernet0/0              Outside-Internet       122.56.33.108   255.255.255.248 CONFIG

Ethernet0/1.50           Servers                192.168.50.1    255.255.255.0   CONFIG

Ethernet0/1.202          Users                  192.168.202.1   255.255.255.0   CONFIG

Ethernet0/2.102          Pod2                   192.168.102.1   255.255.255.0   CONFIG

Ethernet0/2.103          Pod3                   192.168.103.1   255.255.255.0   CONFIG

Ethernet0/2.104          Pod4                   192.168.104.1   255.255.255.0   CONFIG

Ethernet0/2.105          Pod14                  192.168.105.1   255.255.255.0   CONFIG

Ethernet0/2.107          Pod1-Jeff              192.168.107.1   255.255.255.0   CONFIG

Ethernet0/2.110          Pod10                  192.168.110.1   255.255.255.0   CONFIG

Ethernet0/2.115          Pod15                  192.168.115.1   255.255.255.0   CONFIG

Ethernet0/2.116          Pod16                  192.168.116.1   255.255.255.0   CONFIG

Ethernet0/2.118          Pod18                  192.168.118.1   255.255.255.0   CONFIG

Ethernet0/2.119          Pod19                  192.168.119.1   255.255.255.0   CONFIG

Ethernet0/2.120          Pod20                  192.168.120.1   255.255.255.0   CONFIG

Ethernet0/2.121          Pod21                  192.168.121.1   255.255.255.0   CONFIG

Ethernet0/2.122          Pod22                  192.168.122.1   255.255.255.0   CONFIG

Ethernet0/3.210          ManageInternal         192.168.210.2   255.255.255.0   CONFIG

ciscoasa# sh ver

 

 

Cisco Adaptive Security Appliance Software Version 9.0(4)42

Device Manager Version 5.2(4)

 

Compiled on Fri 09-Sep-16 14:51 by builders

System image file is "disk0:/asa904-42-k8.bin"

Config file at boot was "startup-config"

 

ciscoasa up 52 mins 25 secs

 

Hardware:   ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz,

Internal ATA Compact Flash, 256MB

Slot 1: ATA Compact Flash, 128MB

BIOS Flash AT49LW080 @ 0xfff00000, 1024KB

 

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)

                             Boot microcode        : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08

                             Number of accelerators: 1

 

 0: Ext: Ethernet0/0         : address is 0019.2f8f.210e, irq 9

 1: Ext: Ethernet0/1         : address is 0019.2f8f.210f, irq 9

 2: Ext: Ethernet0/2         : address is 0019.2f8f.2110, irq 9

 3: Ext: Ethernet0/3         : address is 0019.2f8f.2111, irq 9

 4: Ext: Management0/0       : address is 0019.2f8f.2112, irq 11

 5: Int: Not used            : irq 11

 6: Int: Not used            : irq 5

 

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 100            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

Encryption-DES                    : Enabled        perpetual

Encryption-3DES-AES               : Enabled        perpetual

Security Contexts                 : 2              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

Cluster                           : Disabled       perpetual

 

This platform has an ASA 5510 Security Plus license.

 

Serial Number: JMX1049K21L

Running Permanent Activation Key: 0x5e0a0774 0xa8506e82 0x64b12da8 0xa3187408 0x011be298

Configuration register is 0x1

Configuration last modified by enable_15 at 15:23:29.089 UTC Wed Oct 30 2019

ciscoasa# sh route

 

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

 

Gateway of last resort is not set

 

C    192.168.122.0 255.255.255.0 is directly connected, Pod22

C    192.168.107.0 255.255.255.0 is directly connected, Pod1-Jeff

C    192.168.104.0 255.255.255.0 is directly connected, Pod4

C    192.168.121.0 255.255.255.0 is directly connected, Pod21

C    192.168.120.0 255.255.255.0 is directly connected, Pod20

C    192.168.105.0 255.255.255.0 is directly connected, Pod14

C    192.168.210.0 255.255.255.0 is directly connected, ManageInternal

C    192.168.110.0 255.255.255.0 is directly connected, Pod10

C    192.168.115.0 255.255.255.0 is directly connected, Pod15

C    192.168.202.0 255.255.255.0 is directly connected, Users

C    192.168.102.0 255.255.255.0 is directly connected, Pod2

C    192.168.119.0 255.255.255.0 is directly connected, Pod19

C    192.168.50.0 255.255.255.0 is directly connected, Servers

C    192.168.118.0 255.255.255.0 is directly connected, Pod18

C    192.168.103.0 255.255.255.0 is directly connected, Pod3

C    192.168.116.0 255.255.255.0 is directly connected, Pod16

ciscoasa#

Highlighted

Hello,

 

try and add:

 

icmp permit any Outside-Internet

View solution in original post

Highlighted

Oh yes. Silly me. I thought I'd put that policy in. I must not have applied it or saved it.

That did the trick - Thanks!

Content for Community-Ad
This widget could not be displayed.