05-24-2015 09:24 PM
I am setting up asa in my GNS3 lab, however I am unable to ping across the firewall, from inside interface to outside interface. Here is my running-config ..I am sure I am missing some I am not sure what. If someone can find what it is, that would be nice.
show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 4.2.2.2 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.0.1.2 1
route inside 172.16.0.0 255.255.254.0 10.0.0.1 1
route outside 172.16.2.0 255.255.254.0 10.0.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d6838a5cc1c3620ba830e7d745eaf9a1
: end
Solved! Go to Solution.
05-25-2015 03:04 PM
You config shows that you have enabled the statefull inspection of icmp, so you should be able to ping through the firewall it the rest is setup correctly.
How is your topology and from which source-ip are you pinging to which destination-ip?
At least the next-hop in your outside route is wrong, the next-hop has to be in the ip-range of your outside interface.
Be aware that you can't ping the outside ip of the ASA from any inside system.
05-26-2015 10:03 AM
After thinking about it twice, it's clear. I wrote to change it because it is a best practice, but with the ASA on the other side it's needed.
If you use the outgoing interface as the destination of a route, the router needs to arp for the destination-IP (for each one that is used) to find the next-hop L2-address. The other side (the ASA in your scenario) needs to have proxy-arp enabled for that because the request is not for a configured address.
If you configure an IP as the next hop, the router needs only to find the L2-address for the one next-hop IP-address that is used in the static route.
05-25-2015 03:04 PM
You config shows that you have enabled the statefull inspection of icmp, so you should be able to ping through the firewall it the rest is setup correctly.
How is your topology and from which source-ip are you pinging to which destination-ip?
At least the next-hop in your outside route is wrong, the next-hop has to be in the ip-range of your outside interface.
Be aware that you can't ping the outside ip of the ASA from any inside system.
05-25-2015 10:26 PM
I have changed my outside ip to be in the same subnet as the next hop. I am still unable to ping. I am dumping configs from the other devices as well. also I am attaching the screenshot of the topology. I can ping all inside and outside ip's from the ASA, just can't ping across.
R1
R1#show run
Building configuration...
Current configuration : 997 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
interface Loopback0
ip address 172.16.0.1 255.255.255.0
!
interface Loopback1
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex half
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end
From the ASA
ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network OUTSIDE_IP
host 10.0.1.1
object-group network INSIDE_NET
network-object 172.16.0.0 255.255.254.0
network-object 10.0.0.0 255.255.255.0
access-list OUT_IN standard permit any
access-list OUTSIDE_IN extended permit icmp any any traceroute
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.1.2 1
route inside 172.16.0.0 255.255.254.0 10.0.0.1 1
route outside 172.16.2.0 255.255.254.0 10.0.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:ae09723fcbdd4866a2ce4cf44dc2d3a4
: end
R2
R2#show run
Building configuration...
Current configuration : 1148 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
interface Loopback0
ip address 172.16.2.1 255.255.255.255
!
interface Loopback1
ip address 172.16.3.1 255.255.255.255
!
interface Loopback2
ip address 8.8.8.8 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 10.0.0.0 255.255.255.252 10.0.1.1
ip route 172.16.0.0 255.255.254.0 10.0.1.1
!
no cdp run
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end
05-25-2015 11:17 PM
On R1: For Ethernet, always use the next-hop IP in static routes, and not the outgoing interface. But that's not part of the problem.
On both routers, you can enable "debug ip icmp" to see if the ping reaches the destination.
then test the following pings:
R1-L0 from the ASA
R2-L0 from the ASA
ASA inside from R1-L0
ASA outside from R2-L0
05-26-2015 09:10 AM
The solution is something I totally don't understand. On R1, I went ahead and pointed my default route to the next-hop as opposed to the outgoing interface.. and bam! the pings are working now. If you can explain, I will appreciate.
05-26-2015 10:03 AM
After thinking about it twice, it's clear. I wrote to change it because it is a best practice, but with the ASA on the other side it's needed.
If you use the outgoing interface as the destination of a route, the router needs to arp for the destination-IP (for each one that is used) to find the next-hop L2-address. The other side (the ASA in your scenario) needs to have proxy-arp enabled for that because the request is not for a configured address.
If you configure an IP as the next hop, the router needs only to find the L2-address for the one next-hop IP-address that is used in the static route.
05-26-2015 05:20 PM
Also, your suggestion about enabling "ip debug icmp" helped. That is when I noticed that the pings weren't even leaving R1. That is when I thought take another look at the routing and with your other suggestion in mind.
...Plus I have learnt something new, the one about ASA's and proxy-arp.
once again cheers!!
05-25-2015 04:44 PM
08-17-2018 02:20 PM - edited 08-17-2018 02:26 PM
I know this is old and "Supposedly" solved, but I was just searching for a solution to this exact problem and this "Solution" didn't solve a thing for me!
So, I figured I'd add the TRUE solution here, in case anyone else stumbles upon this and needs the help.
From the ASA:
conf t
object-group icmp-type ALLOW_ICMP
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object time-exceeded
icmp-object unreachable
access-list INBOUND permit icmp any any object-group ALLOW_ICMP
access-group INBOUND in interface OUTSIDE
That is the real solution ;-)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide