“ALLOW” results for each phase of a,
"packet-tracer input inside icmp <inside interface IP> 8 0 <next hop GW IP> detailed"
as well as show capture detail output from,
capture capin interface inside match ip host <inside interface IP> host <next hop GW IP>
capture capout interface outside match ip host <inside interface IP> host <next hop GW IP>
show that the ping was allowed out, but there is no route on the other side to allow it back in for the ping to succeed on the next hop gateway IP's DMZ network, which others manage and have been informed to correct.
All feedback for this post has been appreciated. Thanks.
Actually, they are public and routable and not within the following private address ranges,
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
with one being a /30 used to connect from a lab network ASA through to another network, and the other a /27 used for device addresses that communicate through the ASA into that other network, with just the .97 address leading to that other network needing to be pingable from the switch through the ASA.
Without adding NAT yet, having not seen your post yet, I did change my switch route to "ip route 0.0.0.0 0.0.0.0 x.x.251.1" when it was incorrect, and changed "access-group acl-in-out in interface outside" to "access-group acl-in-out in interface inside" on the ASA. Afterward I receive "Allow" for all phases of a "packet-tracer input inside icmp x.x.251.2 8 0 x.x.249.97 detailed" command on the ASA, from the switch .2 IP to the next hop .97 IP on the other side of the ASA, but still do not get a successful ping to .97 from the switch.
Latest packet-tracer output attached.
After reading through and implementing many other configuration suggestions from community page posts related to the same issue, as well as from config guides and other related pages, I am still having an issue with pinging from my Catalyst 9200 switch through an ASA5525 to the next hop IP address. I am able to ping it from the ASA it is directly connected to, and can ping in both directions of the connection between the switch and ASA, but just cannot ping from the switch through the ASA to the next hop IP, nor from the switch to the ASA outbound interface connected to that next hop IP.
The following ASA output is from the switch IP, on one subnet, connected to the ASA inbound interface, checking the path to the .97 next hop IP on another subnet; it lists the drop as due to an implicit deny rule:
ASA# packet-tracer input inside icmp x.x.251.1 8 0 x.x.249.97 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.249.97 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaac7b08bb0, priority=501, domain=permit, deny=true
        hits=5, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=184.108.40.206, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
with the following ASA config, edited down to what was believed to be the appropriate ASA configuration to allow ICMP through:
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA Version 9.8(2)
!
...
!
interface GigabitEthernet0/0
 description to WAN
 nameif outside
 security-level 0
 ip address x.x.249.98 255.255.255.252
!
interface GigabitEthernet0/1
 description to LAN
 nameif inside
 security-level 100
 ip address x.x.251.1 255.255.255.224
!
...
!
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.com
object-group icmp-type ping
 description Ping Group
 icmp-object echo
 icmp-object echo-reply
access-list acl-in-out extended permit icmp any any echo
access-list acl-in-out extended permit icmp any any time-exceeded
access-list OUT-IN extended permit icmp any any
...
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group acl-in-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.249.97 1
...
!
policy-map type inspect dns preset_dns_map
...
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
policy-map type inspect dns migrated_dns_map_2
...
: end
ASA#
with the full ASA configuration attached, along with an edited-down version of my switch config, in case it is needed for any reason.
Note: Hostname and IPs have been altered for this post to start with x.x, leaving the ending subnet identifiers for each, and interfaces are summarized with "..." dividers in each config.
Any feedback would be appreciated.
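As an added example (not code from this thread), a small Python helper that parses packet-tracer output like the one above, picks out the phase that reported DROP, and checks a config fragment for an access-group bound inbound on that phase's input_ifc, which is the binding the later post changed from outside to inside. The sample trace and config line are constructed from what is quoted in the post (x.x placeholders kept), and the parser assumes the standard ASA layout with phases separated by blank lines.

```python
import re

# Constructed sample modelled on the packet-tracer output quoted in the post
# (not the poster's capture); x.x placeholders kept as in the thread.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
in  id=0x2aaac7b08bb0, priority=501, domain=permit, deny=true
        input_ifc=inside, output_ifc=any
"""
# Constructed fragment reproducing the access-group line from the posted config.
SAMPLE_CONFIG = "access-group acl-in-out in interface outside\n"

def drop_phase(trace):
    """First blank-line-separated 'Phase:' block whose Result is DROP, or None."""
    for blk in re.split(r"\n\s*\n", trace):
        m = re.match(r"Phase: (\d+)\nType: (.+)\n(?:Subtype:.*\n)?Result: DROP\nConfig:\n(.*)", blk)
        if m:
            ifc = re.search(r"input_ifc=(\S+?),", blk)
            return {"phase": int(m.group(1)), "type": m.group(2), "config": m.group(3).strip(),
                    "input_ifc": ifc.group(1) if ifc else None}
    return None

def inbound_acl(config, ifc):
    """Name of the ACL bound 'in interface <ifc>', or None if nothing is bound there."""
    m = re.search(r"^access-group (\S+) in interface %s\s*$" % re.escape(ifc), config, re.M)
    return m.group(1) if m else None

def diagnose(trace, config):
    """An ACCESS-LIST 'Implicit Rule' drop means no ACL bound inbound on the ingress
    interface permitted the flow, so report what (if anything) is bound there."""
    drop = drop_phase(trace)
    if drop is None:
        return "all phases ALLOW"
    if drop["type"] != "ACCESS-LIST" or drop["config"] != "Implicit Rule":
        return "DROP in phase %d (%s)" % (drop["phase"], drop["type"])
    acl = inbound_acl(config, drop["input_ifc"])
    return "implicit deny on %s ingress; inbound ACL there: %s" % (drop["input_ifc"], acl or "none")
```

Running diagnose(SAMPLE_TRACE, SAMPLE_CONFIG) reports that nothing is bound inbound on inside, which matches the implicit-rule drop in the trace; rebinding the ACL to inside in the config fragment changes the report accordingly.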
From page 5-4 of the Cisco Connected Mobile Experiences Configuration Guide here, http://www.cisco.com/c/en/us/td/docs/wireless/mse/10-1/cmx_config/CMX_Config_guide.pdf, try either of the following:

- Changing the Default Admin Password
Step 1 Log in to Cisco Mobile Connected Experiences (Cisco CMX).
Step 2 Choose MANAGE > Users. The Users page, where new users can be added and the roles of existing users modified, is displayed.
Step 3 Click Edit in the Actions column adjacent the admin user. This opens the EDIT USER dialog box for that admin user.
Step 4 Change the default factory-shipped admin password.
Step 5 Click Submit.

OR

- Editing User Information
Step 1 Log in to Cisco Mobile Connected Experiences (Cisco CMX).
Step 2 Choose MANAGE > Users. The Users page, where all the current users are listed, is displayed.
Step 3 Click Edit in the Actions column adjacent the user whose details you want to edit. The EDIT USER dialog box is displayed.
Step 4 Edit the details of the user. Note that the username cannot be edited. For information about user roles, see the "User Roles" section on page 5-3.
Step 5 Click Submit.
Not entirely possible, since any BitTorrent client can be configured to use any port, and most BitTorrent clients can be configured to encrypt BitTorrent traffic to make detection harder. However, a default DENY policy, allowing only legitimate traffic (like HTTP and HTTPS, i.e. connections to ports 80 and 443), may work.
I found the following at this post, https://supportforums.cisco.com/discussion/11087781/air-cap3502i-ap-password-and-configuration-recovery-or-factory-default.
1. Hold down the mode button till the light turns amber.
2. Enter flash and rename the following files: private-multiple-fs and env_vars.
3. Reboot the AP.
4. The AP comes back as default. Cisco, Cisco now works again.