Beginner

ASA5512 ver 9.2 - can ping inside firewall interface but cannot ping to internal network

# sh run
ASA Version 9.2(2)4
!
hostname CBK-KAL-FW
domain-name test.com
enable password CPvrcBKnyVPXs2g6 encrypted
passwd SwuuYThZAkyq4HXA encrypted
names
ip local pool vpnpool 10.34.49.1-10.34.49.252 mask 255.255.240.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.34.63.252 255.255.240.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 122.X.X.X 255.255.255.248
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.34.63.239
 name-server 10.34.63.238
 domain-name test.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network lotusnotes
 host 10.34.63.221
object network cbk-wstation
 subnet 0.0.0.0 0.0.0.0
object network Host-10.34.48.26
 host 10.34.48.26
object network CITRIX
 host 10.34.63.223
object network SOFTRAK
 host 10.34.62.40
object network SAP
 host 10.34.61.1
object network NETWORK_OBJ_10.34.49.0_24
 subnet 10.34.49.0 255.255.255.0
object service citrix-1604
 service tcp destination eq 1604
object service sap-3200
 service tcp destination eq 3200
object service sap-3299
 service tcp destination eq 3299
object service sap-3300
 service tcp destination eq 3300
object service sap-3389
 service tcp destination eq 3389
object network Host-10.34.63.240
 host 10.34.63.240
object network Test-network
 subnet 10.230.230.0 255.255.255.0
object network NETWORK_OBJ_10.34.48.0_20
 subnet 10.34.48.0 255.255.240.0
object network 10.34.0.0
 subnet 10.34.0.0 255.255.0.0
object network Host-10.34.48.150
 host 10.34.48.150
object network Host-10.34.63.249
 host 10.34.63.249
 description CBK-FS1
object network Host-10.34.63.59
 host 10.34.63.59
object network Host-10.34.48.31
 host 10.34.48.31
 description Glen Ernas
object network Host-10.1.1.3
 host 10.1.1.3
object network Host-10.34.48.165
 host 10.34.48.165
 description Citrix
object network Host-10.34.63.57
 host 10.34.63.57
object network Site-A-Subnet
 subnet 10.34.48.0 255.255.240.0
 description Site A
object network Site-B-Subnet
 subnet 10.34.16.0 255.255.240.0
object network Host-10.34.61.12
 host 10.34.61.12
 description SAP PROD
object network Host-10.34.63.233
 host 10.34.63.233
 description New Server
object network Host-10.34.48.195
 host 10.34.48.195
 description PC-NPIE
object network Host-10.34.48.69
 host 10.34.48.69
object network Host-10.34.48.41
 host 10.34.48.41
 description Req-by mam Zink temp
object network Host-10.34.48.118
 host 10.34.48.118
 description TEMPORAR
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service LN_SERVICE
 service-object tcp destination eq https
 service-object tcp destination eq imap4
 service-object tcp destination eq lotusnotes
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
 service-object tcp destination eq www
object-group network Allowed_Host
 description 10.34.48.69
 network-object object CITRIX
 network-object object Host-10.34.112.70
 network-object object Host-10.34.48.126
 network-object object Host-10.34.48.145
 network-object object Host-10.34.48.173
 network-object object Host-10.34.48.177
 network-object object Host-10.34.48.180
 network-object object Host-10.34.48.183
 network-object object Host-10.34.48.200
 network-object object Host-10.34.48.235
 network-object object Host-10.34.48.236
 network-object object Host-10.34.48.238
 network-object object Host-10.34.48.243
 network-object object Host-10.34.48.249
 network-object object Host-10.34.48.250
 network-object object Host-10.34.48.252
 network-object object Host-10.34.48.26
 network-object object Host-10.34.48.79
 network-object object Host-10.34.48.92
 network-object object Host-10.34.50.103
 network-object object Host-10.34.50.204
 network-object object Host-10.34.63.210
 network-object object Host-10.34.63.211
 network-object object Host-10.34.63.220
 network-object object Host-10.34.63.222
 network-object object Host-10.34.63.224
 network-object object Host-10.34.63.225
 network-object object Host-10.34.63.237
 network-object object Host-10.34.63.238
 network-object object Host-10.34.63.239
 network-object object Host-10.34.64.10
 network-object object SAP
 network-object object SOFTRAK
 network-object object lotusnotes
 network-object object Host-10.34.63.240
 network-object object Host-10.34.48.150
 network-object object Host-10.34.48.115
 network-object object Host-10.34.63.249
 network-object object Host-10.34.48.62
 network-object object Host-10.34.63.59
 network-object object Host-10.34.48.251
 network-object object Host-10.34.48.31
 network-object object Host-10.34.48.165
 network-object object Host-10.34.63.57
 network-object object Host-10.34.61.12
 network-object object Host-10.34.63.233
 network-object object Host-10.34.48.195
 network-object object Host-10.34.48.69
 network-object object Host-10.34.48.41
 network-object object Host-10.34.48.122
 network-object object Host-10.34.48.118
object-group service CITRIX_SERVICE
 service-object object citrix-1604
 service-object tcp destination eq citrix-ica
 service-object tcp destination eq www
object-group network DM_INLINE_NETWORK_1
 network-object object CITRIX
 network-object object SAP
 network-object object SOFTRAK
 network-object object lotusnotes
access-list outside_access_in_2 extended permit object-group LN_SERVICE any object lotusnotes
access-list outside extended permit object-group LN_SERVICE any object lotusnotes
access-list outside extended permit object-group SAP_SERVICE any object SAP
access-list outside extended permit object-group CITRIX_SERVICE any object CITRIX
access-list outside extended permit object-group Softrak_Service any object SOFTRAK
access-list outside extended deny ip any object-group DM_INLINE_NETWORK_1
access-list outside extended permit ip any 10.34.48.0 255.255.240.0
access-list inside_access_in extended permit object-group TCPUDP 10.0.0.0 255.0.0.0 any
access-list inside_access_in extended permit icmp 10.0.0.0 255.0.0.0 any
access-list inside_access_in_1 extended permit ip object lotusnotes any
access-list inside_access_in_1 extended permit ip object CITRIX any
access-list inside_access_in_1 extended permit ip object SAP any
access-list inside_access_in_1 extended permit ip object SOFTRAK any
access-list inside_access_in_1 extended permit ip object-group Allowed_Host any
access-list inside_access_in_1 extended deny ip 10.34.48.0 255.255.240.0 any
access-list ACL_ANY extended permit ip any any
access-list outside2_access_in extended permit ip any 10.34.48.0 255.255.240.0 inactive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu outside2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.34.49.0_24 NETWORK_OBJ_10.34.49.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic Allowed_Host interface dns
access-group inside_access_in_1 in interface inside
access-group outside in interface outside
!
prefix-list anyconnect description VPNConnection
!
!
route-map anyconnect permit 11
!
route outside 0.0.0.0 0.0.0.0 122.X.X.X 1
route inside 0.0.0.0 0.0.0.0 10.34.63.254 tunneled
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.34.48.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.0.00061-k9.pkg 1
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect profiles anyconnect_client_profile disk0:/anyconnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy SSL-VPN internal
group-policy SSL-VPN attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 default-domain value test.com
 webvpn
  url-list none
  anyconnect ask enable default webvpn timeout 20
  customization value DfltCustomization
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.34.63.239 10.34.63.238
 vpn-tunnel-protocol ikev1 ssl-client
 default-domain value testpower.com
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_anyconnect internal
group-policy GroupPolicy_anyconnect attributes
 wins-server none
 dns-server value 10.34.63.239 10.34.63.238
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value test.com
 webvpn
  anyconnect profiles value AnyConnect_client_profile type user
  customization value DfltCustomization
username robert password s2AH/eaJdUkt6QnP encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
 address-pool vpnpool
 authentication-server-group RADIUSSERVERS LOCAL
 default-group-policy GroupPolicy_anyconnect
tunnel-group anyconnect webvpn-attributes
 group-alias CBK-KAL-VPN enable
 group-alias anyconnect disable
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool vpnpool
 authentication-server-group RADIUSSERVERS LOCAL
 default-group-policy SSL-VPN
!
class-map SFR
 match access-list ACL_ANY
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class SFR
  sfr fail-close
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2e5b98f4ad7e8236305e711c7b5aef88
: end

=================================================

Show cap capi.
69 packets captured

   1: 00:24:26.227130       10.34.49.1 > 10.34.48.122: icmp: echo request
   2: 00:24:31.249651       10.34.49.1 > 10.34.63.254: icmp: echo request
   3: 00:24:35.817355       10.34.49.1 > 10.34.63.254: icmp: echo request
   4: 00:24:36.715569       10.34.49.1 > 10.34.48.122: icmp: echo request
   5: 00:24:40.782231       10.34.49.1 > 10.34.63.254: icmp: echo request
   6: 00:24:41.288971       10.34.49.1 > 10.34.48.122: icmp: echo request
   7: 00:24:45.775640       10.34.49.1 > 10.34.63.254: icmp: echo request
   8: 00:24:50.820422       10.34.49.1 > 10.34.63.254: icmp: echo request
   9: 00:24:51.314528       10.34.49.1 > 10.34.48.122: icmp: echo request

Show run nat

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.34.49.0_24 NETWORK_OBJ_10.34.49.0_24 no-proxy-arp route-lookup

sh run all group-policy DefaultRAGroup
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.34.63.239 10.34.63.238
 vpn-tunnel-protocol ikev1 ssl-client
 default-domain value test.com
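One thing a reviewer would check in the posted config before going further: `ip local pool vpnpool` hands clients 10.34.49.1-10.34.49.252, and the inside interface sits in 10.34.48.0/20 (10.34.48.0-10.34.63.255), so the client addresses fall inside the LAN's own subnet. A host or router on that LAN treats 10.34.49.x as directly connected and ARPs for it on the wire instead of routing the reply to 10.34.63.252, and with `sysopt noproxyarp inside` plus `no-proxy-arp` on the identity NAT rule the ASA will not answer that ARP. That is consistent with an echo request reaching the inside host while no reply ever makes it back to the client. The script below is an added example, not code from the thread; it parses the posted lines (outside address left masked as 122.X.X.X, as in the post), reports the overlap, and confirms that the identity NAT rule's destination object covers the pool.

```python
# Check an ASA remote-access VPN pool against the interface subnets and the
# identity-NAT rule.  Added example for this thread, not code from the post; the
# parser only understands the command forms that appear in the posted sh run.
import ipaddress
import re

# Constructed input: the relevant lines copied from the posted configuration.
# The outside address is masked in the post (122.X.X.X) and stays masked here.
ASA_CONFIG = """\
ip local pool vpnpool 10.34.49.1-10.34.49.252 mask 255.255.240.0
interface GigabitEthernet0/0
 nameif inside
 ip address 10.34.63.252 255.255.240.0
interface GigabitEthernet0/1
 nameif outside
 ip address 122.X.X.X 255.255.255.248
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
object network NETWORK_OBJ_10.34.49.0_24
 subnet 10.34.49.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.34.49.0_24 NETWORK_OBJ_10.34.49.0_24 no-proxy-arp route-lookup
sysopt noproxyarp inside
"""

POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
# identity NAT: same object for real and mapped source, same for destination
NAT_EXEMPT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4(.*)")


def parse_asa(config):
    """Pull pools, interface subnets, network objects, identity-NAT rules and
    proxy-ARP settings out of the config as plain Python structures."""
    p = {"pools": {}, "ifaces": {}, "objects": {}, "nat_exempt": [], "noproxyarp": set()}
    cur_if = cur_obj = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indented, line = raw.startswith(" "), raw.strip()
        if not indented:
            cur_if = cur_obj = None                      # leaving a sub-mode
        if m := POOL_RE.match(line):
            name, first, last, mask = m.groups()
            p["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last),
                                ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen)
        elif line.startswith("interface "):
            cur_if = {}
        elif cur_if is not None:
            if line.startswith("nameif "):
                cur_if["nameif"] = line.split()[1]
            elif line.startswith("ip address "):
                _, _, ip, mask = line.split()
                try:
                    cur_if["net"] = ipaddress.ip_interface(f"{ip}/{mask}").network
                except ValueError:                       # masked address (122.X.X.X)
                    cur_if["net"] = None
            if cur_if.get("nameif") and cur_if.get("net"):
                p["ifaces"][cur_if["nameif"]] = cur_if["net"]
        elif line.startswith("object network "):
            cur_obj = line.split()[2]
        elif cur_obj is not None and line.startswith(("subnet ", "host ")):
            kind, addr, *rest = line.split()
            p["objects"][cur_obj] = ipaddress.ip_network(f"{addr}/{rest[0] if kind == 'subnet' else 32}")
        elif m := NAT_EXEMPT_RE.match(line):
            p["nat_exempt"].append((m.group(1), m.group(2), m.group(4), m.group(5).split()))
        elif line.startswith("sysopt noproxyarp "):
            p["noproxyarp"].add(line.split()[2])
    return p


def check_pool(p, pool_name):
    """Does the pool overlap a connected subnet, and does identity NAT cover it?"""
    first, last, pool_prefix = p["pools"][pool_name]
    f = {"overlaps": [], "exempt_rule": None, "exempt_prefixlen": None,
         "pool_prefixlen": pool_prefix, "proxy_arp_off": []}
    for nameif, net in p["ifaces"].items():
        # the range touches the subnet unless it lies entirely below or above it
        if not (last < net.network_address or first > net.broadcast_address):
            f["overlaps"].append(nameif)
    for src_if, dst_if, obj, options in p["nat_exempt"]:
        net = p["objects"].get(obj)
        if net is not None and first in net and last in net:
            f["exempt_rule"], f["exempt_prefixlen"] = (src_if, dst_if, obj), net.prefixlen
            if "no-proxy-arp" in options:
                f["proxy_arp_off"].append(f"nat rule {obj}")
    f["proxy_arp_off"] += [f"sysopt noproxyarp {i}" for i in f["overlaps"] if i in p["noproxyarp"]]
    return f


def report(f, pool_name):
    """Human-readable findings; the overlap is the one that breaks return traffic."""
    out = [f"WARN: pool {pool_name} overlaps the connected subnet on '{i}': hosts there ARP "
           "for client addresses instead of routing replies to the ASA" for i in f["overlaps"]]
    out += [f"INFO: proxy ARP is off ({w}), so the ASA will not answer those ARPs" for w in f["proxy_arp_off"]]
    if f["exempt_rule"]:
        s, d, obj = f["exempt_rule"]
        out.append(f"OK: identity NAT ({s},{d}) via {obj} /{f['exempt_prefixlen']} covers the pool "
                   f"(pool mask /{f['pool_prefixlen']})")
    else:
        out.append(f"WARN: no identity NAT rule covers pool {pool_name}")
    return out


if __name__ == "__main__":
    for line in report(check_pool(parse_asa(ASA_CONFIG), "vpnpool"), "vpnpool"):
        print(line)
```

The script only flags the condition; the usual remedy is to move the pool to a subnet that is not in use on any ASA interface and update the identity NAT object to match, which is worth confirming on the box before chasing ACLs further.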
Enthusiast

Hi

What IP are you trying to ping from? What IP are you trying to ping to?

What does packet tracer say?

packet-tracer input <source interface> icmp <source ip> 8 0 <destination ip>
Beginner

Hi,

Here's the output. 


Test# packet-tracer input outside icmp 10.34.49.1 8 0 10.34.63.254

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.34.48.0      255.255.240.0   inside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.34.49.0_24 NETWORK_OBJ_10.34.49.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.34.63.254/0 to 10.34.63.254/0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any 10.34.48.0 255.255.240.0
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.34.49.0_24 NETWORK_OBJ_10.34.49.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 10.34.49.1/0 to 10.34.49.1/0

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
 match access-list ACL_ANY
policy-map global_policy
 class SFR
  sfr fail-close
service-policy global_policy global
Additional Information:

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 11
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thank you.

Enthusiast

Hi

The packet-tracer output is expected because the source traffic is coming from the VPN.

I can't see why this wouldn't work.

Try this on the router with IP 10.34.63.254.

access-list 101 permit icmp host 10.34.49.1 host 10.34.63.254

debug ip packet 101 detail

And see what happens when you try the ping again.
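Henrik's point above, that a packet-tracer injected on `outside` with a source in the VPN pool is expected to fail in the VPN phase, is easy to miss because the trace the poster pasted ends with a generic `(acl-drop) Flow is denied by configured rule` while every ACCESS-LIST phase reported ALLOW. The script below is an added example, not code from either post; it parses packet-tracer output (the poster's trace, abbreviated to three of its twelve phases plus the summary block, used as constructed input) and reports the first phase that dropped the packet, flagging the VPN/ipsec-tunnel-flow case so it is not mistaken for an access-list problem.

```python
# Parse ASA packet-tracer output and locate the phase that dropped the packet.
# Added example for this thread, not code from the original posts.
import re

# Constructed input: three of the twelve phases from the poster's trace plus an
# abbreviated summary block, copied from the post.
PACKET_TRACER_OUTPUT = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.34.48.0      255.255.240.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any 10.34.48.0 255.255.240.0
Additional Information:

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"Phase:\s*(\d+)")


def parse_packet_tracer(text):
    """Return (phases, summary): a list of per-phase dicts and the trailing
    result block as a dict keyed by its left-hand labels."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.rstrip() for l in text.splitlines()):
        if m := PHASE_RE.match(line):
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                 # bare label starts the summary block
            cur, section = None, "summary"
        elif cur is not None:
            if line.startswith(("Type:", "Subtype:", "Result:")):
                key, value = line.split(":", 1)
                cur[key.lower()] = value.strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif line and section:
                cur[section].append(line)
        elif section == "summary" and ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return phases, summary


def triage(phases, summary):
    """Where did the trace fail, and is it the 'no tunnel for this packet'
    case rather than an access-list denial?"""
    drops = [p for p in phases if p["result"] == "DROP"]
    first = drops[0] if drops else None
    v = {"action": summary.get("Action"), "drop_reason": summary.get("Drop-reason"),
         "first_drop_phase": first["phase"] if first else None,
         "first_drop_type": f"{first['type']}/{first['subtype']}" if first else None,
         "acl_phases_passed": all(p["result"] == "ALLOW" for p in phases if p["type"] == "ACCESS-LIST")}
    # A clear-text packet injected on the VPN-terminating interface from a
    # client-pool address belongs to no tunnel, so the ASA drops it in the
    # VPN/ipsec-tunnel-flow phase even though the summary reports acl-drop.
    v["vpn_tunnel_flow_drop"] = bool(first and first["type"] == "VPN"
                                     and first["subtype"] == "ipsec-tunnel-flow")
    return v


def explain(v, summary):
    if v["action"] != "drop":
        return "packet allowed end to end"
    where = f"dropped in phase {v['first_drop_phase']} ({v['first_drop_type']})"
    if v["vpn_tunnel_flow_drop"]:
        return (f"{where} on input interface {summary.get('input-interface')}: the simulated packet "
                "arrived in the clear and matched no tunnel; the ACL phases passed, so the generic "
                f"drop-reason '{v['drop_reason']}' does not point at an access-list problem")
    return f"{where}: {v['drop_reason']}"


if __name__ == "__main__":
    phases, summary = parse_packet_tracer(PACKET_TRACER_OUTPUT)
    print(explain(triage(phases, summary), summary))
```

Because the trace never exercises the decrypted flow, it says nothing about what happens to an echo reply coming back from the LAN; that is why the next step in the thread moves to debugging on the inside router rather than on the ASA.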

Beginner

Hi henrik,

there's no result

but heres the debug ip icmp from firewall and routers.

10.34.63.252 - Firewall

ICMP echo request from outside:10.34.49.1 to inside:10.34.48.122 ID=1 seq=7234 len=32

ICMP echo request from outside:10.34.49.1 to inside:10.34.63.254 ID=1 seq=7235 len=32

 

10.34.63.59 - Router

Oct 22 02:15:02.537: ICMP: echo reply sent, src 10.34.63.59, dst 10.34.49.1

Oct 22 02:15:06.893: ICMP: echo reply sent, src 10.34.63.59, dst 10.34.49.1

Oct 22 02:15:11.857: ICMP: echo reply sent, src 10.34.63.59, dst 10.34.49.1

10.34.63.254 - Router

Oct 22 02:23:27.268:     ICMP type=8, code=0, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Oct 22 02:23:27.268: IP: s=10.34.49.1 (GigabitEthernet0/0), d=10.34.63.254, len 60, input feature

Oct 22 02:23:27.268:     ICMP type=8, code=0, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Oct 22 02:23:27.268: IP: s=10.34.49.1 (GigabitEthernet0/0), d=10.34.63.254, len 60, input feature

 

thanks