Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8006
Views
0
Helpful
8
Replies

Can't ping across the firewall

Go to solution
slicerpro
Level 1
Level 1

‎05-24-2015 09:24 PM

I am setting up asa in my GNS3 lab, however I am unable to ping across the firewall, from inside interface to outside interface. Here is my running-config ..I am sure I am missing some I am not sure what. If someone can find what it is, that would be nice.

 

 show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 4.2.2.2 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.0.1.2 1
route inside 172.16.0.0 255.255.254.0 10.0.0.1 1
route outside 172.16.2.0 255.255.254.0 10.0.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d6838a5cc1c3620ba830e7d745eaf9a1
: end

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎05-25-2015 03:04 PM

You config shows that you have enabled the statefull inspection of icmp, so you should be able to ping through the firewall it the rest is setup correctly.

How is your topology and from which source-ip are you pinging to which destination-ip?

At least the next-hop in your outside route is wrong, the next-hop has to be in the ip-range of your outside interface.

Be aware that you can't ping the outside ip of the ASA from any inside system.

View solution in original post

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to slicerpro

‎05-26-2015 10:03 AM

After thinking about it twice, it's clear. I wrote to change it because it is a best practice, but with the ASA on the other side it's needed.

If you use the outgoing interface as the destination of a route, the router needs to arp for the destination-IP (for each one that is used) to find the next-hop L2-address. The other side (the ASA in your scenario) needs to have proxy-arp enabled for that because the request is not for a configured address.

If you configure an IP as the next hop, the router needs only to find the L2-address for the one next-hop IP-address that is used in the static route.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Karsten Iwen
VIP
VIP

‎05-25-2015 03:04 PM

You config shows that you have enabled the statefull inspection of icmp, so you should be able to ping through the firewall it the rest is setup correctly.

How is your topology and from which source-ip are you pinging to which destination-ip?

At least the next-hop in your outside route is wrong, the next-hop has to be in the ip-range of your outside interface.

Be aware that you can't ping the outside ip of the ASA from any inside system.

0 Helpful

Go to solution
slicerpro
Level 1
Level 1
In response to Karsten Iwen

‎05-25-2015 10:26 PM

I have changed my outside ip to be in the same subnet as the next hop. I am still unable to ping. I am dumping configs from the other devices as well. also I am attaching the screenshot of the topology. I can ping all inside and outside ip's from the ASA, just can't ping across.

R1 

R1#show run
Building configuration...

Current configuration : 997 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

 

From the ASA

 

ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network OUTSIDE_IP
 host 10.0.1.1
object-group network INSIDE_NET
 network-object 172.16.0.0 255.255.254.0
 network-object 10.0.0.0 255.255.255.0
access-list OUT_IN standard permit any
access-list OUTSIDE_IN extended permit icmp any any traceroute
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.1.2 1
route inside 172.16.0.0 255.255.254.0 10.0.0.1 1
route outside 172.16.2.0 255.255.254.0 10.0.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:ae09723fcbdd4866a2ce4cf44dc2d3a4
: end

 

 

 

R2

R2#show run
Building configuration...

Current configuration : 1148 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.255
!
interface Loopback1
 ip address 172.16.3.1 255.255.255.255
!
interface Loopback2
 ip address 8.8.8.8 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 10.0.0.0 255.255.255.252 10.0.1.1
ip route 172.16.0.0 255.255.254.0 10.0.1.1
!
no cdp run
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

 

 

 

Preview file
31 KB
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to slicerpro

‎05-25-2015 11:17 PM

On R1: For Ethernet, always use the next-hop IP in static routes, and not the outgoing interface. But that's not part of the problem.

On both routers, you can enable "debug ip icmp" to see if the ping reaches the destination.

then test the following pings:

R1-L0 from the ASA

R2-L0 from the ASA

ASA inside from R1-L0

ASA outside from R2-L0

0 Helpful

Go to solution
slicerpro
Level 1
Level 1
In response to Karsten Iwen

‎05-26-2015 09:10 AM

The solution is something I totally don't understand. On R1, I went ahead and pointed my default route to the next-hop as opposed to the outgoing interface.. and bam! the pings are working now. If you can explain, I will appreciate.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to slicerpro

‎05-26-2015 10:03 AM

After thinking about it twice, it's clear. I wrote to change it because it is a best practice, but with the ASA on the other side it's needed.

If you use the outgoing interface as the destination of a route, the router needs to arp for the destination-IP (for each one that is used) to find the next-hop L2-address. The other side (the ASA in your scenario) needs to have proxy-arp enabled for that because the request is not for a configured address.

If you configure an IP as the next hop, the router needs only to find the L2-address for the one next-hop IP-address that is used in the static route.

0 Helpful

Go to solution
slicerpro
Level 1
Level 1
In response to Karsten Iwen

‎05-26-2015 05:20 PM

Also, your suggestion about enabling "ip debug icmp" helped. That is when I noticed that the pings weren't even leaving R1. That is when I thought take another look at the routing and with your other suggestion in mind.

...Plus I have learnt something new, the one about ASA's and proxy-arp.

once again cheers!!
 

0 Helpful

Go to solution
Abaji Rawool
Level 3
Level 3

‎05-25-2015 04:44 PM


 

0 Helpful

Go to solution
dubu2
Level 1
Level 1

‎08-17-2018 02:20 PM - edited ‎08-17-2018 02:26 PM

I know this is old and "Supposedly" solved, but I was just searching for a solution to this exact problem and this "Solution" didn't solve a thing for me!

So, I figured I'd add the TRUE solution here, in case anyone else stumbles upon this and needs the help.

 

From the ASA:

 

conf t

object-group icmp-type ALLOW_ICMP

icmp-object echo

icmp-object echo-reply

icmp-object traceroute

icmp-object time-exceeded

icmp-object unreachable

 

access-list INBOUND permit icmp any any object-group ALLOW_ICMP

access-group INBOUND in interface OUTSIDE

 

That is the real solution ;-)

"Nothing is permanent. Everything is subject to change. Being is always becoming."
0 Helpful
Customers Also Viewed These Support Documents