Cisco ASA and ICMP Configurations

As anyone who has worked with a Cisco firewall knows, ICMP is not allowed through the firewall by default: an echo request can leave, but the reply is dropped on the way back in. If you are still configuring the device, this makes it very difficult to troubleshoot connectivity issues. Thankfully, there are several ways to get around this.

Solution 1: Use access-lists to allow pings from inside/DMZ to the outside.
To allow hosts on the inside to ping hosts on the outside, you need an access-list on the outside interface that permits the echo replies back in.

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply

Then apply the access-list to the outside interface.

access-group OUTSIDE_IN_ACL in interface outside

This allows only ping. If you would also like traceroute to work, you will need to permit time-exceeded as well.

access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded

Solution 2: Use access-lists to allow ping and traceroute from the internet to your DMZ/inside servers.
This builds on Solution 1, so you should already have the following in the config.

access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
access-group OUTSIDE_IN_ACL in interface outside

Now all that remains is to allow echo requests into the network.

access-list OUTSIDE_IN_ACL permit icmp any any echo

Even though ICMP is now permitted, the packets still need a static NAT mapping to reach the DMZ server.

static (dmz,outside) PUBLIC_IP DMZ_IP netmask 255.255.255.255

Of course, you will need a static mapping for every server you want to be reachable from the internet.

Solution 3: This is a bit more involved, but it lets higher-security-level interfaces ping and traceroute lower-security-level interfaces without any access-lists. To do this, we tell the ASA to inspect ICMP in a service policy, so that it tracks each echo request and lets the matching reply back in. If you are using an ASA, the base config should already contain a default policy called global_policy.

global_policy:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

To add ICMP inspection:

FW-ASA(config)# policy-map global_policy
FW-ASA(config-pmap)# class inspection_default
FW-ASA(config-pmap-c)# inspect icmp
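Putting the three solutions side by side, here is an added example (my own code, not from the original post) that audits an ASA running-config written in the pre-8.3 syntax used above and reports which ICMP return path is in effect for the outside interface: an ACL applied inbound that permits echo-reply and time-exceeded (Solution 1), inbound echo together with the statics that expose DMZ hosts (Solution 2), or `inspect icmp` in a policy applied globally or to that interface (Solution 3). It also picks up `icmp permit ... outside`, which governs pings addressed to the firewall's own interface. The sample config at the top is constructed for this example; the 203.0.113.x addresses are documentation-range placeholders, and the parser only understands the address forms shown (any, host, address mask).

```python
import re

# Constructed sample config for this example (documentation-range addresses,
# not from any real device): Solutions 1 and 2 plus an 'icmp permit' line.
ACL_CONFIG = """\
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
access-list OUTSIDE_IN_ACL extended permit icmp any host 203.0.113.10 echo
access-group OUTSIDE_IN_ACL in interface outside
static (dmz,outside) 203.0.113.10 10.10.48.10 netmask 255.255.255.255
icmp permit any outside
policy-map type inspect dns preset_dns_map
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
"""


def _addr(tokens, i):
    # Consume one ASA address spec (any | host A | A MASK) starting at tokens[i].
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def _parse_icmp_ace(line):
    """Return (acl_name, src, dst, icmp_type) for a 'permit icmp' entry, else None."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        return None
    body = t[3:] if t[2] == "extended" else t[2:]
    if body[:2] != ["permit", "icmp"]:
        return None
    src, i = _addr(body, 2)
    dst, i = _addr(body, i)
    return t[1], src, dst, (body[i] if i < len(body) else "any")  # no type keyword = all ICMP


def _policies_inspecting_icmp(lines):
    """Names of policy-maps that contain 'inspect icmp'; indentation is not required."""
    found, current = set(), None
    for ln in lines:
        if ln.startswith("policy-map type inspect"):
            current = None            # a protocol inspection map, not a service policy
        elif ln.startswith("policy-map "):
            current = ln.split()[1]
        elif ln == "!" or ln.startswith("service-policy"):
            current = None
        elif current and ln == "inspect icmp":
            found.add(current)
    return found


def audit_icmp(config_text, outside="outside"):
    """Report which ICMP return paths are configured for one lower-security interface."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    ifc = re.escape(outside)
    r = {"acl": None, "echo_reply": False, "time_exceeded": False, "inbound_echo": [],
         "statics": [], "inspect_icmp": False, "interface_icmp": [], "findings": []}
    applied = set()
    for ln in lines:
        if m := re.match(rf"access-group (\S+) in interface {ifc}$", ln):
            r["acl"] = m.group(1)
        elif m := re.match(rf"static \((\S+),{ifc}\) (\S+) (\S+)", ln):
            r["statics"].append((m.group(2), m.group(3), m.group(1)))  # (mapped, real, real_ifc)
        elif m := re.match(rf"service-policy (\S+) (global|interface {ifc})$", ln):
            applied.add(m.group(1))
        elif m := re.match(rf"icmp (permit|deny) (.+) {ifc}$", ln):
            r["interface_icmp"].append((m.group(1), m.group(2)))
    for ln in lines:                  # second pass: the inbound ACL name is known now
        ace = _parse_icmp_ace(ln)
        if ace and ace[0] == r["acl"]:
            _, src, dst, itype = ace
            r["echo_reply"] |= itype in ("echo-reply", "any")
            r["time_exceeded"] |= itype in ("time-exceeded", "any")
            if itype in ("echo", "any"):
                r["inbound_echo"].append((src, dst))
    r["inspect_icmp"] = bool(applied & _policies_inspecting_icmp(lines))
    f = r["findings"]
    if r["inspect_icmp"]:
        f.append("inspect icmp applied: replies to outbound ping/traceroute return statefully (Solution 3)")
    elif r["echo_reply"]:
        f.append(f"{r['acl']} permits echo-reply: outbound ping works (Solution 1)")
        if not r["time_exceeded"]:
            f.append(f"{r['acl']} lacks time-exceeded: outbound traceroute shows no hops")
    else:
        f.append("no return path for echo-reply: outbound pings time out")
    for src, dst in r["inbound_echo"]:
        f.append(f"inbound echo permitted from {src} to {dst} (Solution 2)")
    if r["inbound_echo"] and not r["statics"]:
        f.append(f"inbound echo permitted but no static exposes a host behind {outside}")
    if any(src == "any" for src, _ in r["inbound_echo"]):
        f.append("inbound echo from any source: limit to known monitoring sources where possible")
    for action, src in r["interface_icmp"]:
        verdict = {"permit": "answered", "deny": "dropped"}[action]
        f.append(f"icmp {action} {src} {outside}: pings to the {outside} interface itself are {verdict}")
    return r
```

Run `audit_icmp(ACL_CONFIG)["findings"]` to see the report for the sample; passing a config that contains `inspect icmp` under the globally applied policy-map yields the Solution 3 finding instead of the ACL ones, which matches the article's point that inspection makes the access-list entries for replies unnecessary.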

55 Responses to “Cisco ASA and ICMP Configurations”


  1. 1 Doug Carter Apr 24th, 2008 at 6:03 am

    Thank you, thank you, thank you… I’ve been trying to configure this for weeks. You’ve boiled it down nicely and made it very easy to understand.

  2. 2 James Apr 24th, 2008 at 7:08 am

    You are very welcome Doug. I am just glad someone else has found it useful.

  3. 3 sonyfu Jun 24th, 2008 at 8:06 am

    Thank you! Thank you !!

  4. 4 Jason Sep 2nd, 2008 at 2:17 pm

    Thanks, very succinct and helpful!

  5. 5 noobiew Sep 25th, 2008 at 9:47 pm

    Hi, can I know what the difference is between static (dmz,outside) and static (outside,dmz)?

    Thank you

  6. 6 James Sep 29th, 2008 at 8:19 am

    noobiew:

    The difference is in which way you are performing the NAT translation, as in which is the “Real” IP and which is the mapped (NAT) IP. Cisco presents the static command in a couple of ways:

    static (real_ifc,mapped_ifc) mapped_ip {real_ip [netmask mask] }

    AND on the ASA 8.0 software

    FW-ASA(config)# static ?

    configure mode commands/options:
    ( Open parenthesis for (,) pair where
    is the Internal or prenat interface and
    is the External or postnat interface )

    So you are basically looking at:

    static (prenat Interface,postnat Interface) postnat IP prenat IP

    Please let me know if this helps.

  7. 7 joe Sep 30th, 2008 at 8:47 am

    hi,

    this is a bit odd but how do i allow my ASA outside interface to reply to ping requests from the outside as well?

  8. 8 James Sep 30th, 2008 at 9:30 am

    joe,

    To ping the outside interface from any IP address, from config mode:

    icmp permit any outside

    That should do the trick. Let me know if there is anything else I can help with.

  9. 9 joe Sep 30th, 2008 at 10:11 am

    whoa, that's great!!! it works, thanks

  10. 10 joe Oct 1st, 2008 at 6:37 am

    hi james,

    i got one last question:

    I have a 2811 router and an ASA 5520. The ASA subinterfaces use dot1q while the 2811 only uses ISL; how can I make these two devices talk to each other?

    thanks

  11. 11 joe Oct 1st, 2008 at 7:36 pm

    here’s my config (i changed it to have ip addresses between ASA security context and router)

    interface prod_outside
    nameif outside
    security-level 0
    ip address 202.124.135.133 255.255.255.224
    asr-group 1

    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
    ip address 202.124.135.149 255.255.255.224
    duplex auto
    speed auto

    but I still can't ping one from the other… any ideas?

    thanks

  12. 12 James Oct 2nd, 2008 at 7:22 am

    Joe,

    I am fairly certain that the 2811 supports dot1q trunking. Also, if you are running in multiple context mode on the ASA, I believe you have to use a trunk to the switch/router you are connecting it to, so assigning an IP directly to the interface on the 2811 will probably not work.

    Do you have a spare switch you could use for testing? You could connect both the ASA and the router to the switch and see if you can get it to communicate using the trunking on the switch.

    On the 2811, try this:

    c2811(config)#int fastEthernet 0/0
    c2811(config-if)#no shut
    c2811(config-if)#exit
    c2811(config)#int fastEthernet 0/0.1
    c2811(config-subif)#encapsulation dot1Q 1 native
    c2811(config-subif)#ip address 202.124.135.149 255.255.255.224

    Let me know if this helps.

  13. 13 joe Oct 6th, 2008 at 7:53 am

    hi james,

    I got it working using a switch; I will try that suggestion some other time. However, I have got another weird problem: my ASA can communicate with the outside world and the inside interface just fine, but when a VLAN on my core tries to access the outside via the ASA it times out.

    I have a trunk configured in the core switch to the ASA inside subinterface. I can ping the ASA inside interface from the core and vice versa as well. My default route to the outside world is via the ASA subinterface.

    any ideas?

  14. 14 James Oct 6th, 2008 at 8:00 am

    joe,

    Since this is getting off topic, and I can respond faster by email, could you send the ASA and core switch configs to jkane@jklogic.net? I will take a look and see if we can get this fixed for you ASAP.

  15. 15 noobiew Oct 7th, 2008 at 1:53 am

    Hi James, I very much appreciate your explanation, thank you so much.

    I have another question regarding the ASA firewall. Can I know what the difference is between

    1) global (outside) 100 202.168.9.10
    nat (inside) 100 192.168.7.1
    and
    2) static (inside, outside) 202.168.9.10 192.168.7.1 netmask 255.255.255.255

    From my understanding, the first one is considered dynamic NAT and the second one is considered static NAT (am I right?). Both of them also perform the same thing, which is translating the private IP address 192.168.7.1 to the outside public address 202.168.9.10.

    But I am a bit confused about what the difference between them is. I tried searching websites but cannot find any useful information on it.

    When you guys perform NAT on the ASA firewall, which command do you use? If both of these commands perform the same function, I really don't understand which NAT command I need to use.

    Thank you,
    Have a nice day

  16. 16 James Oct 7th, 2008 at 9:54 am

    noobiew,

    You are correct about dynamic and static NAT. The difference is in the way they are utilized.

    Static NAT is generally used to make a static 1-to-1 mapping of IP addresses. In the example above, you are mapping 202.168.9.10 to 192.168.7.1. This is useful if you have a server on the LAN or DMZ that you want to allow services from the outside world. This way, people accessing the 202.168.9.10 ip address will be redirected to the server at 192.168.7.1.

    Dynamic NAT is used when you want multiple users behind the firewall to have access to the internet (or other network). In this case, you could allow all computers on the LAN to access the internet. However, the way your nat statement is written, only 192.168.7.1 will be able to access the internet. You could change it to allow the entire subnet to access the internet.

    nat (inside) 100 192.168.7.0 255.255.255.0

    Let me know if that didn’t answer your questions.

  17. 17 joe Oct 11th, 2008 at 2:41 am

    James,

    got it working finally, that subinterfaces worked wonders…now i have a question

    a context that is on standby will not have any ip addresses assigned to it?

    ASA1 (production active and support standby)

    secure1/support# sh fail
    Failover On
    Last Failover at: 23:47:28 UTC Oct 10 2008
    This context: Standby Ready
    Active time: 206 (sec)
    Interface outside (0.0.0.0): Normal (Waiting)
    Interface inside (0.0.0.0): Normal (Waiting)
    Peer context: Active
    Active time: 6539 (sec)
    Interface outside (202.124.135.130): Normal (Waiting)
    Interface inside (10.10.2.1): Normal (Waiting)

    Stateful Failover Logical Update Statistics
    Status: Configured.
    Stateful Obj xmit xerr rcv rerr
    RPC services 0 0 0 0
    TCP conn 0 0 0 0
    UDP conn 3 0 18394 1
    ARP tbl 0 0 507 21
    Xlate_Timeout 0 0 0 0
    SIP Session 0 0 0 0
    secure1/support#

    mnl-secure1/production# sh fail
    Failover On
    Last Failover at: 23:44:02 UTC Oct 10 2008
    This context: Active
    Active time: 7013 (sec)
    Interface outside (119.111.136.29): Normal (Waiting)
    Interface inside (10.10.3.1): Normal (Waiting)
    Peer context: Failed
    Active time: 0 (sec)
    Interface outside (119.111.136.28): Failed (Waiting)
    Interface inside (0.0.0.0): Normal (Waiting)

    Stateful Failover Logical Update Statistics
    Status: Configured.
    Stateful Obj xmit xerr rcv rerr
    RPC services 0 0 0 0
    TCP conn 0 0 0 0
    UDP conn 34420 0 0 0
    ARP tbl 74 0 0 0
    Xlate_Timeout 0 0 0 0
    SIP Session 0 0 0 0
    secure1/production#

    ASA2 (support active production standby)

    nl-secure1/support# sh fail
    Failover On
    Last Failover at: 23:47:21 UTC Oct 10 2008
    This context: Active
    Active time: 6907 (sec)
    Interface outside (202.124.135.130): Normal (Waiting)
    Interface inside (10.10.2.1): Normal (Waiting)
    Peer context: Standby Ready
    Active time: 206 (sec)
    Interface outside (0.0.0.0): Normal (Waiting)
    Interface inside (0.0.0.0): Normal (Waiting)

    Stateful Failover Logical Update Statistics
    Status: Configured.
    Stateful Obj xmit xerr rcv rerr
    RPC services 0 0 0 0
    TCP conn 0 0 0 0
    UDP conn 19537 0 3 0
    ARP tbl 546 0 0 0
    Xlate_Timeout 0 0 0 0
    SIP Session 0 0 0 0
    secure1/support#

    secure1/production# sh fail
    Failover On
    Last Failover at: 23:47:08 UTC Oct 10 2008
    This context: Failed
    Active time: 0 (sec)
    Interface outside (119.111.136.28): Failed (Waiting)
    Interface inside (0.0.0.0): Normal (Waiting)
    Peer context: Active
    Active time: 7156 (sec)
    Interface outside (119.111.136.29): Normal (Waiting)
    Interface inside (10.10.3.1): Normal (Waiting)

    Stateful Failover Logical Update Statistics
    Status: Configured.
    Stateful Obj xmit xerr rcv rerr
    RPC services 0 0 0 0
    TCP conn 0 0 0 0
    UDP conn 0 0 35262 10
    ARP tbl 0 0 74 0
    Xlate_Timeout 0 0 0 0
    SIP Session 0 0 0 0
    secure1/production#

    any thoughts?

    thanks a bunch

  18. 18 Marc Oct 12th, 2008 at 8:23 pm

    Wow…

    Solution 3 was the answer!

    You have no idea how frustrated I was getting not being able to ping from a host on my network. I looked everywhere in the Cisco documentation and I couldn’t find anything related to my problem.

    Thanks!

  19. 19 James Oct 13th, 2008 at 12:12 pm

    joe,

    That doesn’t look right to me. I am not running Active/Active with contexts, but I do have a failover config. Here is the sh fail:

    FW-ASA# sh fail
    Failover On
    Failover unit Primary
    Failover LAN Interface: Failover GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 250 maximum
    failover replication http
    Version: Ours 8.0(4), Mate 8.0(4)
    Last Failover at: 21:42:13 CDT Aug 18 2008
    This host: Primary – Active
    Active time: 4806765 (sec)
    slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
    Interface outside (X.X.X.226): Normal
    Interface DMZ_Servers (10.10.48.1): Normal
    Interface DMZ_VPN (10.10.49.1): Normal
    Interface DMZ_InternetDump (10.10.126.1): Normal (Not-Monitored)
    Interface inside (10.10.100.1): Normal
    slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
    IPS, 6.0(3)E1, Up
    Other host: Secondary – Standby Ready
    Active time: 266 (sec)
    slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
    Interface outside (X.X.X.227): Normal
    Interface DMZ_Servers (10.10.48.2): Normal
    Interface DMZ_VPN (10.10.49.2): Normal
    Interface DMZ_InternetDump (10.10.126.2): Normal (Not-Monitored)
    Interface inside (10.10.100.2): Normal
    slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
    IPS, 6.0(3)E1, Up

    Stateful Failover Logical Update Statistics
    Link : Unconfigured.

    It looks like you setup the failover part correctly, but did not put the standby IP address on the interfaces. Here are 2 of the interfaces from my ASAs:

    !
    interface GigabitEthernet0/1.48
    vlan 48
    nameif DMZ_Servers
    security-level 48
    ip address 10.10.48.1 255.255.255.0 standby 10.10.48.2
    !
    interface GigabitEthernet0/1.49
    vlan 49
    nameif DMZ_VPN
    security-level 49
    ip address 10.10.49.1 255.255.255.248 standby 10.10.49.2

    You have to add the standby interface to every interface.

    Let me know if that helps.

  20. 20 joe Oct 13th, 2008 at 5:51 pm

    Hi James,

    Yes, I have added the standby IP addresses however I am getting (waiting) failed on my outside interfaces…ooh so close

    secure1/production# sh fail
    Failover On
    Last Failover at: 08:14:52 UTC Oct 11 2008
    This context: Failed
    Active time: 0 (sec)
    Interface outside (xxx.xxx.136.18): Failed (Waiting)
    Interface inside (10.10.3.10): Normal
    Peer context: Active
    Active time: 2428 (sec)
    Interface outside (xxx.xxx.136.29): Normal (Waiting)
    Interface inside (10.10.3.1): Normal

    Stateful Failover Logical Update Statistics
    Status: Configured.
    Stateful Obj xmit xerr rcv rerr
    RPC services 0 0 0 0
    TCP conn 0 0 0 0
    UDP conn 0 0 1913 0
    ARP tbl 0 0 15 0
    Xlate_Timeout 0 0 0 0
    SIP Session 0 0 0 0
    secure1/production#

  21. 21 joe Oct 19th, 2008 at 4:02 am

    Hi james,

    got it to work using a layer 2 switch trunked to the ASAs

  22. 22 raymondn Oct 22nd, 2008 at 12:39 pm

    Got a question about the ping. I am trying to allow a host on the inside network to be able to ping the external interface IP of the ASA. Tried various things and no luck. The inside host can ping the ASA inside interface, as well as other hosts on the external network, but just not the ASA's own external interface. Can this be done?

    Thanks in advance.

  23. 23 James Oct 24th, 2008 at 7:19 am

    raymondn,

    I do not believe you should be able to ping the outside interface of the ASA from the inside interface. By default the ASA will not allow a packet to exit the same interface it enters. I do not know of a way to change this behavior.

    James

  24. 24 raymondn Oct 24th, 2008 at 10:26 am

    okay, thanks.
    Guess I would have to rely on the network switches port up/down SNMP trap so I know if the router outside interface is up/down.

  25. 25 marky Dec 15th, 2008 at 2:01 pm

    I gotta weird problem…hope someone can help…

    Trace from an inside LAN workstation to an external site dies at the border router, but from the border router, trace to the same external site succeeds.

    Trace from an external IP can reach the global IP of the ASA, the ASA can ping the next hop border router and the border router can ping the ASA as well.

    I have cleared the arp cache and mac-address tables on both router and ASA and I still can't ping any external site.

    Btw, I have a permit icmp any any and I can see the request going out of the ASA via debug ICMP trace but I don't see any reply back.

    I am thinking this is a Layer 2 problem since the ASA and border router are directly connected.

    I am now perplexed and confused as to what to do next…

  26. 26 raymondn Dec 15th, 2008 at 4:05 pm

    have you looked at the ASA NAT policy for your ping traffic going out to the external network? Just an idea.

  27. 27 marky Dec 15th, 2008 at 9:17 pm

    it pats just fine

  28. 28 James Dec 15th, 2008 at 10:00 pm

    marky,

    Have you tried to run the traceroute from the ASA? If this is successful, there should not be a layer 2 problem between the ASA and the border router.

    Also, can you ping from the internal host to the border router?

    Make sure the permit icmp any any is applied incoming to the outside interface.

    Let me know if any of that helps.

    James

  29. 29 narayanan Mar 26th, 2009 at 11:00 am

    hi james,

    I am using an ASA 5510, in which the outside interface is configured with PPPoE. I can't ping the PPPoE-released IP on the outside interface, and outside users also don't get a reply from the PPPoE-released IP. Please help me solve this issue.

  30. 30 Ade May 6th, 2009 at 3:44 am

    I have a simulator for PIX 8.0(2) which I am using to prepare for my certification. I set up a site-to-site VPN using the PIX but I couldn't ping any of the hosts on the other side of the VPN, nor can I ping the outside interface of the firewall from inside hosts. I have been on this for a few weeks now and I have tried many methods including the one on this site. I have equally enabled ICMP inspect but to no avail.

    Please help

  31. 31 Ade May 6th, 2009 at 6:29 am

    In addition, I configured a 3660 router as an ISP between my PIXs. The outside interfaces of the two PIXs are connected to the router and I can ping these interfaces from the PIXs, but I couldn't ping the inside interfaces on each PIX from the router in spite of having appropriate routes.

  32. 32 James May 6th, 2009 at 7:21 am

    Ade,

    The PIX/ASA does not allow you to ping the outside interface from an inside host. By the same measure, you will not be able to ping the inside interface of the PIX from any outside client. The PIX/ASA does not allow traffic entering an interface to exit the same interface.

    A couple things to check on the PIXs. Firstly, can one PIX ping the other PIX outside interface? Are the VPN tunnels being established? Are you able to pass other traffic between LAN host (SMB, HTTP, Telnet)?

    If you would like to post the configs of each PIX I can take a look.

    James

  33. 33 Ade May 6th, 2009 at 9:28 am

    PIX Version 8.0(2)
    !
    hostname pixfirewall
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.4.3.27 255.255.255.128
    !
    interface Ethernet2
    nameif outside
    security-level 0
    ip address 95.80.40.1 255.255.255.0
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list l2l extended permit ip 10.4.3.0 255.255.255.128 192.168.2.0 255.255.255.0
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list l2l
    route outside 0.0.0.0 195.168.2.1 255.255.255.0 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set NEW_TRANS esp-aes-192 esp-sha-hmac
    crypto map NEW_MAP 1 match address l2l
    crypto map NEW_MAP 1 set peer 57.193.90.190
    crypto map NEW_MAP 1 set transform-set NEW_TRANS
    crypto map NEW_MAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 100
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    !
    service-policy global_policy global
    tunnel-group 57.193.90.190 type ipsec-l2l
    tunnel-group 57.193.90.190 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:66d0ce3c8a48c8cf7f533eaea32be45e
    : end

  34. 34 Ade May 6th, 2009 at 10:39 am

    I was able to ping the outside interface before, but while trying to resolve the problem I deleted everything and started all over again. I mirrored this pasted configuration on the second PIX. I also can't ping any of the outside interfaces from the respective inside hosts.

    I would appreciate it if I could have a sample configuration using NAT or PAT for the IP addresses that I used in my example, for encrypted packets to the internet.

  35. 35 Ade May 7th, 2009 at 3:59 am

    hello james,

    please, take a look at the configuration

  36. 36 James May 7th, 2009 at 1:29 pm

    Ade,

    The first thing we need to do is to get the 2 PIXs talking with each other. To do that, we will need a couple NAT and global commands. Using the IP addresses in the config above, you would need to add:

    nat (inside) 1 0.0.0.0 0.0.0.0
    global (outside) 1 interface

    This will allow all clients on the inside interface to access the outside network. Now, allow the PIX to reply to ICMP requests on its public interface:

    icmp permit any outside

    Now, from one PIX, try to ping the outside interface of the other PIX. If that works, try to ping the public IP of the distant PIX from a client on the near PIX LAN. Once we have the 2 PIXs communicating, we can work on the VPN config.

  37. 37 Ade May 8th, 2009 at 3:24 am

    Hi James,

    I still can’t ping the outside interface from any of the hosts on the inside network. I enabled logging on the PIX. The result of the logging result is pasted after this configuration.

    Thanks

    PIX Version 8.0(2)
    !
    hostname pixfirewall
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 95.193.90.1 255.0.0.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    pager lines 24
    logging enable
    logging console debugging
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    !
    prompt hostname context
    Cryptochecksum:fdb0444b55ac59c8c76f22c78733effb
    : end
    %PIX-7-111009: User 'enable_15' executed cmd: show running-config

    pixfirewall(config)# %PIX-7-609001: Built local-host NP Identity Ifc:192.168.2.1
    %PIX-6-302020: Built inbound ICMP connection for faddr 192.168.2.2/10 gaddr 192.168.2.1/0 laddr 192.168.2.1/0
    %PIX-6-302021: Teardown ICMP connection for faddr 192.168.2.2/10 gaddr 192.168.2.1/0 laddr 192.168.2.1/0
    %PIX-7-609002: Teardown local-host NP Identity Ifc:192.168.2.1 duration 0:00:00
    %PIX-6-302020: Built inbound ICMP connection for faddr 192.168.2.2/11 gaddr 95.193.90.1/0 laddr 95.193.90.1/0

    pixfirewall(config)# %PIX-6-302021: Teardown ICMP connection for faddr 192.168.2.2/9 gaddr 95.193.90.1/0 laddr 95.193.90.1/0

  38. 38 Ade May 11th, 2009 at 2:17 am

    Hi James,

    Could you please assist? I posted the configuration back on Friday.

  39. 39 Islander Jul 14th, 2009 at 12:40 pm

    James,

    Hi there, I saw your post in your website and they are very helpful, however I ran into a little problem that I know for you it would be easy, here is the problem; we bought a Cisco 5510 ASA, we built a subnet that needs to talk to the corporate subnet and after creating the access list and access group I was able to ping from the inside to the outside without any issues, but what I am trying to accomplish after that is to ping from the outside (any of the subnets that we have) to the inside. I'll send you my current configuration:

    etlab-gw# show running-config
    : Saved
    :
    ASA Version 7.0(8)
    !
    hostname etlab-gw
    enable password 0e53SZdxezxawxDG encrypted
    passwd 0e53SZdxezxawxDG encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 128.29.109.240 255.255.255.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.130.0.254 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
    access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
    access-list OUTSIDE_IN_ACL extended permit icmp any any echo
    pager lines 24
    logging asdm informational
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    no failover
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group OUTSIDE_IN_ACL in interface outside
    route outside 0.0.0.0 0.0.0.0 128.29.109.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    username ETAdmin password WjaDyOYOWmU8TNpm encrypted
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd address 10.130.0.20-10.130.0.100 inside
    dhcpd dns 10.130.0.10
    dhcpd lease 3600
    dhcpd ping_timeout 50
    dhcpd enable management
    dhcpd enable inside
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    client-update enable
    Cryptochecksum:d6a14356b9942f73a174f18536d15146
    : end
    etlab-gw#

    If you could get back to me and give me an answer, I'd greatly appreciate it.

    Thanks,

  40. 40 Mike Aug 23rd, 2009 at 8:21 pm

    Hi James,

    I was reading through this post searching for an answer to an issue that I’m having with my PIX 501. The issue that I am having is that I am not able to ping any resources on my local lan when connected through the VPN tunnel. DNS resolves the IP addresses of hosts on my LAN but I do not get replies back through the tunnel. FYI, I have no issue accessing shares so long as its done by IP. If you could shed any light on the issue that I’m having I would really appreciate it.

    Thanks in advance.

  41. 41 Kurt Sep 17th, 2009 at 12:27 pm

    Hi James,

    The question I have is: can you have multiple global (outside) addresses for your NAT translation?

    The reason for this question is that I'm configuring a 5510 and three of the four ports require different global (outside) addresses to NAT the inside addresses to.

    thank you for your quick answer on this

    Kurt

  42. 42 James Sep 18th, 2009 at 6:36 am

    Kurt,

    Yes, you can have multiple global (outside) addresses. The question is how do you want the multiple addresses to work?

    You can set it up to have all clients on the LAN use a pool of external IP addresses. This example will allow all clients on the inside to access the internet using IP addresses 175.1.1.3-175.1.1.64. This is a static translation on a first come, first served basis for LAN clients. To do this:

    nat (inside) 1 0.0.0.0 0.0.0.0
    global (outside) 1 175.1.1.3-175.1.1.64 netmask 255.255.255.0

    Another option is to have different clients on the inside use different public IP addresses to access the internet. If you wanted IP address 10.10.0.0/24 clients to access the internet on public IP 175.1.1.10 and IP addresses 10.20.0.0/24 to access the internet on public IP 175.1.1.20:

    nat (inside) 1 10.10.0.0 255.255.255.0
    nat (inside) 2 10.20.0.0 255.255.255.0
    global (outside) 1 175.1.1.10 netmask 255.255.255.255
    global (outside) 2 175.1.1.20 netmask 255.255.255.255

    Hope this answers your question. If not, let me know what else I can help with.
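
    Both configurations in the reply above depend on the nat ID that links a `nat` statement to its `global` pool (pre-8.3 ASA NAT syntax). The Python checker below is an added example, not code from the original post or from Cisco: it parses such lines, reports nat IDs that have no matching global pool, and shows which pool a given inside host would be translated to. The configuration text is constructed here; the `dmz` statement with id 3 is a deliberately unpaired entry, and resolving overlapping nat statements by longest prefix is a simplification of this example rather than documented ASA behaviour.

```python
import ipaddress
import re

# Constructed sample configs in the pre-8.3 nat/global syntax used above.
POOL_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 175.1.1.3-175.1.1.64 netmask 255.255.255.0
"""

SPLIT_CONFIG = """
nat (inside) 1 10.10.0.0 255.255.255.0
nat (inside) 2 10.20.0.0 255.255.255.0
nat (dmz) 0 10.30.0.0 255.255.255.0
nat (dmz) 3 10.40.0.0 255.255.255.0
global (outside) 1 175.1.1.10 netmask 255.255.255.255
global (outside) 2 175.1.1.20 netmask 255.255.255.255
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
# Accept "global (outside) 1 A.B.C.D netmask M" as well as the bare "A.B.C.D M" form.
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: (?:netmask )?(\S+))?$")


def parse_nat_config(text):
    """Return (nats, globals_): nat id -> [(interface, network)] and
    nat id -> [(interface, pool)] respectively."""
    nats, globals_ = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, net, mask = m.groups()
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            nats.setdefault(int(nat_id), []).append((iface, network))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, pool, _mask = m.groups()
            globals_.setdefault(int(nat_id), []).append((iface, pool))
    return nats, globals_


def unpaired_nat_ids(nats, globals_):
    """nat IDs that have no global pool. ID 0 is excluded: on the ASA it means
    identity NAT / no translation and never needs a global statement."""
    return {nat_id for nat_id in nats if nat_id != 0 and nat_id not in globals_}


def resolve(nats, globals_, src_iface, src_ip):
    """Pick the nat statement a source host falls under and return
    (nat_id, [(outside_iface, pool), ...]); nat id 0 returns an empty pool list.
    Overlapping nat statements are resolved by longest prefix here, which is an
    assumption of this example; confirm on a real device with 'show xlate'."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for nat_id, entries in nats.items():
        for iface, network in entries:
            if iface == src_iface and ip in network:
                if best is None or network.prefixlen > best[1].prefixlen:
                    best = (nat_id, network)
    if best is None:
        return None
    nat_id = best[0]
    return (nat_id, [] if nat_id == 0 else globals_.get(nat_id, []))


def describe(text):
    """One human-readable line per nat statement, flagging missing pools."""
    nats, globals_ = parse_nat_config(text)
    lines = []
    for nat_id in sorted(nats):
        for iface, network in nats[nat_id]:
            if nat_id == 0:
                lines.append(f"{iface} {network}: not translated (nat 0)")
            elif nat_id in globals_:
                pools = ", ".join(f"{o}:{p}" for o, p in globals_[nat_id])
                lines.append(f"{iface} {network}: nat id {nat_id} -> {pools}")
            else:
                lines.append(f"{iface} {network}: nat id {nat_id} has NO global pool")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SPLIT_CONFIG)))
    print(resolve(*parse_nat_config(SPLIT_CONFIG), "inside", "10.20.0.5"))
```

    Running it against the split configuration lists the 10.10.0.0/24 and 10.20.0.0/24 networks with their pools and flags nat id 3 as having no global pool, which is exactly the kind of mismatch that leaves one interface's hosts unable to reach the internet while the others work.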

  43. Kurt Sep 23rd, 2009 at 12:46 pm

    Thanks for the help. I’ll keep you posted.

  44. Kurt Sep 30th, 2009 at 11:43 am

    Ran into a different problem.

    Having trouble with trunking from the ASA to the Switch and getting data to flow.

    Here is the config of the ASA:

    interface Ethernet0/0
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/0.1
    description XXXX
    vlan 1
    nameif ATM_PCS
    security-level 0
    ip address 10.10.XXX.XXX 255.255.255.252
    !
    interface Ethernet0/0.2
    description XXX
    vlan 4
    nameif ATM_Columbia
    security-level 100
    ip address 172.XXX.XXX.XXX 255.255.255.0
    !
    interface Ethernet0/1
    nameif XXX
    security-level 0
    ip address 172.1X.XXX.XXX 255.255.255.0
    !
    interface Ethernet0/2
    nameif XXXX
    security-level 0
    ip address 172.16.XXX.XXX 255.255.255.240
    !
    interface Ethernet0/3
    nameif XXXX
    security-level 100
    ip address 192.XXX.XXX.XXX 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.1.XXX.XXX 255.255.255.0
    management-only

    And here is the switch:

    interface FastEthernet0/1
    description connection to XXXXX
    switchport trunk native vlan 4
    switchport trunk allowed vlan 1,4,1002-1005
    switchport mode trunk
    !
    interface FastEthernet0/2
    description connection to XXX internal
    switchport access vlan 20
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    !
    interface FastEthernet0/13
    !
    interface FastEthernet0/14
    !
    interface FastEthernet0/15
    !
    interface FastEthernet0/16
    !
    interface FastEthernet0/17
    !
    interface FastEthernet0/18
    !
    interface FastEthernet0/19
    !
    interface FastEthernet0/20
    !
    interface FastEthernet0/21
    !
    interface FastEthernet0/22
    !
    interface FastEthernet0/23
    !
    interface FastEthernet0/24
    !
    interface FastEthernet0/25
    !
    interface FastEthernet0/26
    !
    interface FastEthernet0/27
    !
    interface FastEthernet0/28
    !
    interface FastEthernet0/29
    !
    interface FastEthernet0/30
    !
    interface FastEthernet0/31
    !
    interface FastEthernet0/32
    !
    interface FastEthernet0/33
    !
    interface FastEthernet0/34
    !
    interface FastEthernet0/35
    !
    interface FastEthernet0/36
    !
    interface FastEthernet0/37
    !
    interface FastEthernet0/38
    !
    interface FastEthernet0/39
    !
    interface FastEthernet0/40
    !
    interface FastEthernet0/41
    !
    interface FastEthernet0/42
    !
    interface FastEthernet0/43
    !
    interface FastEthernet0/44
    !
    interface FastEthernet0/45
    !
    interface FastEthernet0/46
    !
    interface FastEthernet0/47
    !
    interface FastEthernet0/48
    switchport access vlan 20
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface VLAN1
    no ip directed-broadcast
    no ip route-cache
    shutdown
    !
    interface VLAN4
    ip address 172.XX.XXX.XXX 255.255.255.0
    no ip directed-broadcast
    no ip route-cache
    !
    interface VLAN20
    ip address 192.168.XXX.XXX 255.255.255.0
    no ip directed-broadcast
    no ip route-cache
    shutdown
    !
    !
    line con 0
    transport input none
    stopbits 1
    line vty 5 15

    My trouble is that the ASA will not allow me to add the encapsulation line like I would have to add on the router side when using dot1q.

    I would be grateful for any help.

  45. James Sep 30th, 2009 at 12:52 pm

    Kurt,

    I have a couple of ideas. I would recommend not using VLAN 1 for traffic; it should be left for switch management traffic. I would remove the "switchport trunk native vlan 4" line from the switch interface.

    Also, I believe you have to specify dot1q trunking on the switch port. Dot1q is the only trunking protocol supported by the ASA.

    On the ASA:

    interface Ethernet0/2
    no nameif
    no security-level
    no ip address

    interface Ethernet0/2.10
    vlan 10
    nameif guests
    security-level 10
    ip address 10.10.10.1 255.255.255.0

    interface Ethernet0/2.99
    vlan 99
    nameif dmz
    security-level 50
    ip address 10.10.99.1 255.255.255.0

    On the switch:

    interface FastEthernet1/0/1
    description ASA 5510 Ethernet0/2
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,99
    switchport mode trunk
    no ip address
    no mdix auto

    Let me know if that helps.

    James
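
    The usual reason a trunk between an ASA and a switch passes no traffic is a mismatch between the VLAN tags the ASA subinterfaces expect and what the switch port actually sends. The Python check below is an added example (not James's code, nor Cisco's): it parses ASA subinterface blocks and a switch trunk port and reports VLANs missing from the trunk's allowed list, a VLAN that the switch would send untagged as native while the ASA subinterface expects it tagged, and an explicitly non-dot1q encapsulation. The two configuration snippets are constructed for this example, with a deliberate 98/99 mismatch.

```python
import re

# Constructed sample configs with a deliberate mismatch: the ASA expects
# VLANs 10 and 99 on Ethernet0/2, but the switch trunk only allows 10 and 98.
ASA_CONFIG = """
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/2.10
 vlan 10
 nameif guests
 security-level 10
 ip address 10.10.10.1 255.255.255.0
interface Ethernet0/2.99
 vlan 99
 nameif dmz
 security-level 50
 ip address 10.10.99.1 255.255.255.0
"""

SWITCH_CONFIG = """
interface FastEthernet1/0/1
 description ASA 5510 Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,98
 switchport mode trunk
"""


def parse_asa_subinterfaces(text):
    """Map parent interface -> {vlan: nameif} from ASA subinterface blocks."""
    subifs, parent, vlan = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+?)\.\d+$", line)
        if m:
            parent, vlan = m.group(1), None
            continue
        if line.startswith("interface "):  # physical interface, not a subinterface
            parent, vlan = None, None
            continue
        if parent is None:
            continue
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            vlan = int(m.group(1))
            subifs.setdefault(parent, {})[vlan] = None
            continue
        m = re.match(r"^nameif (\S+)$", line)
        if m and vlan is not None:
            subifs[parent][vlan] = m.group(1)
    return subifs


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,4,1002-1005' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_switch_trunks(text):
    """Map switch interface -> trunk settings. allowed=None means every VLAN
    (the IOS default without an 'allowed vlan' line); native defaults to 1."""
    trunks, iface = {}, None
    patterns = (("mode", r"^switchport mode (\S+)$"),
                ("encapsulation", r"^switchport trunk encapsulation (\S+)$"),
                ("allowed", r"^switchport trunk allowed vlan ([\d,-]+)$"),
                ("native", r"^switchport trunk native vlan (\d+)$"))
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            iface = m.group(1)
            trunks[iface] = {"mode": None, "encapsulation": None, "allowed": None, "native": 1}
            continue
        if iface is None:
            continue
        for key, pattern in patterns:
            m = re.match(pattern, line)
            if m:
                value = m.group(1)
                if key == "allowed":
                    value = expand_vlan_list(value)
                elif key == "native":
                    value = int(value)
                trunks[iface][key] = value
                break
    return trunks


def check_trunk(asa_subifs, asa_parent, switch_trunks, switch_iface):
    """Findings that would stop tagged traffic between the ASA and the switch."""
    findings = []
    trunk = switch_trunks.get(switch_iface, {})
    asa_vlans = asa_subifs.get(asa_parent, {})
    if trunk.get("mode") != "trunk":
        findings.append(f"{switch_iface}: 'switchport mode trunk' missing")
    if trunk.get("encapsulation") not in (None, "dot1q"):
        findings.append(f"{switch_iface}: encapsulation {trunk['encapsulation']}; the ASA only supports 802.1Q")
    allowed = trunk.get("allowed")
    for vlan, nameif in sorted(asa_vlans.items()):
        if allowed is not None and vlan not in allowed:
            findings.append(f"VLAN {vlan} ({nameif}) on {asa_parent} is not in the allowed list of {switch_iface}")
        if vlan == trunk.get("native"):
            findings.append(f"VLAN {vlan} ({nameif}) is the native VLAN of {switch_iface}: sent untagged, but the ASA subinterface expects it tagged")
    return findings


if __name__ == "__main__":
    subifs = parse_asa_subinterfaces(ASA_CONFIG)
    trunks = parse_switch_trunks(SWITCH_CONFIG)
    for finding in check_trunk(subifs, "Ethernet0/2", trunks, "FastEthernet1/0/1"):
        print(finding)
```

    The native-VLAN check is the one that catches the earlier configuration in this thread, where the switch port carried VLAN 4 as native while the ASA had a VLAN 4 subinterface: the switch strips the tag on that VLAN, so the subinterface never sees the frames. Missing encapsulation is reported only when a non-dot1q value is set explicitly, because some switch platforms support only 802.1Q and reject the encapsulation command altogether.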

  46. Kurt Sep 30th, 2009 at 1:04 pm

    I'll make the changes and see what happens. Thanks.

    I'll keep you posted.

    Kurt

  47. Kurt Sep 30th, 2009 at 2:06 pm

    That worked, thanks.

    The only catch is the switch still retains VLAN 1 as being allowed and I can't get rid of it. That is OK, as this is a test and I am writing this down so I don't mess up when I place it into production.

    Off the subject a tad: how do you enable multiple VLAN interfaces to be open at the same time? As you see in the 3548 XL switch, I have two and I would like both interfaces to be open, not shut. I have seen multiple VLAN interfaces open on other switches but am unsure what command allows them to all remain open. I can only open one at a time.

    Kurt

  48. sunny kumar Nov 27th, 2009 at 11:28 am

    Thank you very, very much.

  49. Rocco Dec 14th, 2009 at 6:22 am

    Hi James,
    I have followed your instructions, but I'm not able to ping from outside to inside.
    Can you help me?

    Regards
    Rocco

  50. Charlie Jan 22nd, 2010 at 12:16 pm

    Hi James,

    I have a problem with my ASA. The (inside) local LAN users cannot ping the DMZ interface nor the outside interface, but from the ASA I can ping all IP addresses on the (DMZ), (inside) and (outside) interfaces. If I do a sh xlate or sh conn I see connections from the (inside) to the (outside) but no connections or translations to (DMZ).

    Please take a look at my configuration and let me know if you can identify the issue.

    ASA Version 8.0(3)6
    !
    hostname BrickMUA-5520ASA
    domain-name brickmua.com
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface GigabitEthernet0/0
    description ## Connection to External Router ##
    nameif outside
    security-level 0
    ip address 65.202.14.5 255.255.255.240
    ospf cost 10
    !
    interface GigabitEthernet0/1
    description ## Connection to Internal Network ##
    nameif inside
    security-level 100
    ip address 10.1.1.10 255.255.255.0
    ospf cost 10
    !
    interface GigabitEthernet0/2
    nameif THL (DMZ)
    security-level 50
    ip address 10.1.200.2 255.255.255.0
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    ospf cost 10
    management-only
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.1.1.8
    name-server 10.1.1.1
    domain-name brickmua.com
    access-list VPNGroup_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
    access-list Emt3c_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp 216.157.255.0 255.255.255.0 host 65.202.14.2 eq smtp
    access-list outside_access_in extended permit tcp 216.157.241.0 255.255.255.0 host 65.202.14.2 eq smtp
    access-list outside_access_in extended deny tcp any host 65.202.14.2 eq smtp
    access-list outside_access_in extended permit tcp any host 65.202.14.2 eq 3389
    access-list outside_access_in extended permit tcp any host 65.202.14.2 eq https

    access-list outside_access_in extended permit tcp any host 65.202.14.2 eq www
    access-list outside_access_in extended permit udp any any eq domain
    access-list outside_access_in extended permit tcp any any eq domain
    access-list outside_access_in extended permit tcp any any eq 9002
    access-list outside_access_in extended permit tcp any any eq 9003
    access-list outside_access_in extended permit icmp any any echo
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any source-quench
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any time-exceeded

    access-list csc-acl extended deny ip host 10.1.1.196 host 38.101.42.81
    access-list csc-acl extended permit tcp any any eq ftp
    access-list csc-acl extended permit tcp any any eq www
    access-list csc-acl-ftp extended permit tcp any any eq ftp
    access-list capin extended permit ip any host 38.101.42.81
    access-list capin extended permit ip host 38.101.42.81 any
    pager lines 24
    logging enable
    logging monitor debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu THL 1500
    mtu management 1500
    ip local pool ippool250 10.0.250.1-10.0.250.254 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 0.0.0.0 0.0.0.0
    nat (THL) 0 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 65.202.14.2 domain 10.1.1.4 domain netmask 255.255.255.255
    static (inside,outside) udp 65.202.14.2 domain 10.1.1.4 domain netmask 255.255.255.255
    static (inside,outside) 65.202.14.2 10.1.1.4 netmask 255.255.255.255
    static (inside,THL) 10.1.200.0 10.1.1.0 netmask 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 65.202.14.1 1
    route THL 10.1.2.0 255.255.255.0 10.1.200.1 1
    route THL 172.16.0.0 255.255.255.0 10.1.200.1 1
    route THL 172.18.0.0 255.255.0.0 10.1.200.1 1
    route THL 172.20.0.0 255.255.0.0 10.1.200.1 1
    route THL 172.21.0.0 255.255.0.0 10.1.200.1 1
    route THL 172.22.0.0 255.255.0.0 10.1.200.1 1
    telnet 10.1.1.67 255.255.255.255 inside
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 65.86.161.80 255.255.255.240 outside
    ssh 208.252.23.0 255.255.255.128 outside
    ssh 199.184.162.0 255.255.255.0 outside
    ssh 63.139.158.128 255.255.255.192 outside
    ssh 208.50.106.0 255.255.255.0 outside
    ssh 67.82.0.0 255.255.0.0 outside
    ssh 75.0.0.0 255.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 30
    console timeout 15
    threat-detection basic-threat
    threat-detection statistics
    ntp server 66.96.98.9
    !
    class-map inspection_default
    match default-inspection-traffic
    class-map csc-class
    match access-list csc-acl
    class-map csc-ftp-class
    match access-list csc-acl-ftp
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    class csc-class
    csc fail-open
    !
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    Cryptochecksum:78bad106cac5537405f9ed32d02aea77
    : end
    [OK]

  51. James Feb 4th, 2010 at 12:54 pm

    Charlie,

    This is the normal operation for the ASA. You will not be able to ping the DMZ or outside interface from an inside host.
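
    Charlie's outside ACL starts with "permit icmp any any" and then adds narrower echo, echo-reply and time-exceeded entries; an ASA ACL is first-match, so the narrower entries never fire and the ACL admits every ICMP type even though it looks restricted. The Python checker below is an added example (not from the post or from Cisco) that parses ASA extended ACL lines of the shapes seen on this page (any / host / network-mask addresses with an optional "eq port" or ICMP type), reports entries shadowed by an earlier broader entry in the same ACL, and lists ICMP permits with no type restriction. The sample ACL is constructed with documentation addresses rather than the one posted above.

```python
import ipaddress
import re

# Constructed sample ACL (documentation addresses, not the config posted above).
SAMPLE_ACL = """
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.2 eq smtp
access-list outside_access_in extended deny tcp any host 192.0.2.2 eq smtp
access-list outside_access_in extended permit tcp any host 192.0.2.2 eq https
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_address(tokens):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse extended ACEs into dicts; lines that are not ACEs are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _take_address(tokens)
        dst, tokens = _take_address(tokens)
        # Whatever remains is the qualifier: "eq https", "echo", ... or nothing.
        aces.append({"name": name, "action": action, "proto": proto,
                     "src": src, "dst": dst, "qual": " ".join(tokens) or None,
                     "text": line.strip()})
    return aces


def covers(a, b):
    """True if every packet matching ACE b would already have matched ACE a."""
    proto_ok = a["proto"] == "ip" or a["proto"] == b["proto"]
    qual_ok = a["qual"] is None or a["qual"] == b["qual"]
    return (proto_ok and qual_ok
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"]))


def find_shadowed(aces):
    """(shadowed_index, shadowing_index) pairs: the ASA evaluates an ACL top
    down and stops at the first match, so an ACE covered by an earlier ACE in
    the same ACL can never be hit."""
    result = []
    for j, later in enumerate(aces):
        for i in range(j):
            earlier = aces[i]
            if earlier["name"] == later["name"] and covers(earlier, later):
                result.append((j, i))
                break
    return result


def unrestricted_icmp_permits(aces):
    """Indices of 'permit icmp <src> <dst>' entries with no ICMP type at all."""
    return [i for i, a in enumerate(aces)
            if a["action"] == "permit" and a["proto"] == "icmp" and a["qual"] is None]


def report(text):
    """Human-readable findings, one per problem, in ACL order of discovery."""
    aces = parse_acl(text)
    lines = []
    for j, i in find_shadowed(aces):
        lines.append(f"line {j + 1} never matches; shadowed by line {i + 1}: {aces[i]['text']}")
    for i in unrestricted_icmp_permits(aces):
        lines.append(f"line {i + 1} permits every ICMP type: {aces[i]['text']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACL)))
```

    On the sample ACL the three typed ICMP entries are reported as shadowed by the first line, while the "deny tcp any host ... eq smtp" entry is correctly left alone because the permit before it is narrower. Removing the untyped "permit icmp any any" is what makes the echo-reply and time-exceeded entries from Solution 1 actually take effect.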

  52. Charlie Feb 8th, 2010 at 8:33 pm

    Thanks James.

  53. Adam Feb 24th, 2010 at 8:25 pm

    James,

    I'm having an issue. Local hosts that use our global dynamic NAT to reach outside hosts cannot run traceroutes (I can see the hops on the LAN between the host and the ASA, but nothing outside of the ASA). These same static NAT hosts cannot access remote (outside) TFTP servers.

    However, a static NAT LAN host can successfully run traceroutes and access TFTP servers.

    Other services like HTTP, etc. are working perfectly fine regardless of the type of NAT used. Any help would be appreciated.

  54. G-man Feb 25th, 2010 at 11:32 am

    Hi James,

    I'm having an issue. I have a Cisco ASA 5510, and I can ping inside our network and I can ping from outside to in. However, I cannot ping from inside to my outside interface. Any suggestions?

  55. Ryan Mar 8th, 2010 at 8:16 pm

    Hi James,

    Thanks for a great post! I'm trying to follow option 3 from your original post. I've got an ASA 5505 running ASA Version 8.2(1). I've looked at the global_policy, and icmp/icmp error are already defined as inspected traffic types, but traceroute does not work (ping works fine). Here is a snippet from my config.

    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map dynamic-filter-snoop
    inspect esmtp
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect icmp
    inspect icmp error
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip
    inspect skinny
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp

    Do I still need to enable the ACLs mentioned in option 1? Although ping was working fine, traceroute was not. Was there another step that I am missing? I'm using the ASDM.

    Thanks.
