Comments on: Cisco ASA and ICMP Configurations http://jklogic.net/cisco-asa-and-icmp-configurations/ logical reality Thu, 29 Apr 2010 12:15:20 +0000 http://wordpress.org/?v=2.8.4 hourly 1 By: Abhishek Paul http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3495 Abhishek Paul Tue, 20 Apr 2010 15:32:29 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3495 Hi James I built my internal web application be accessible from the Internet using a Public IP, and it works, I can see the web site from Internet using the Public IP, But I can not use the same public IP to connect to the site from inside. How can I use the public IP even from inside? Same problem for Ping, the ping command works from outside but not from inside. I am using an ASA 5510. Thanks a lot in advance. Abhishek Hi James

I built my internal web application be accessible from the Internet using a Public IP, and it works, I can see the web site from Internet using the Public IP, But I can not use the same public IP to connect to the site from inside. How can I use the public IP even from inside?

Same problem for Ping, the ping command works from outside but not from inside.

I am using an ASA 5510.

Thanks a lot in advance.

Abhishek

]]> By: Ryan http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3251 Ryan Tue, 09 Mar 2010 02:16:37 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3251 Hi James, Thanks for a great post! I'm trying to follow option 3 from your original post. I've got an ASA 5505 ASA Version 8.2(1). I've looked at the global_policy and icmp/icmp error are already defined as inspected traffic types, but traceroute does not work (ping works fine). Here is a snippet from my config. policy-map global_policy class inspection_default inspect dns preset_dns_map dynamic-filter-snoop inspect esmtp inspect ftp inspect h323 h225 inspect h323 ras inspect icmp inspect icmp error inspect netbios inspect pptp inspect rsh inspect rtsp inspect sip inspect skinny inspect sqlnet inspect sunrpc inspect tftp inspect xdmcp Do I still need to enable the ACLs mentioned in option 1 because although ping was working fine, traceroute was not. Was there another step that I am missing. I'm using the ASDM. Thanks. Hi James,

Thanks for a great post! I’m trying to follow option 3 from your original post. I’ve got an ASA 5505 ASA Version 8.2(1). I’ve looked at the global_policy and icmp/icmp error are already defined as inspected traffic types, but traceroute does not work (ping works fine). Here is a snippet from my config.

policy-map global_policy
class inspection_default
inspect dns preset_dns_map dynamic-filter-snoop
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp

Do I still need to enable the ACLs mentioned in option 1 because although ping was working fine, traceroute was not. Was there another step that I am missing. I’m using the ASDM.

Thanks.

]]> By: G-man http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3206 G-man Thu, 25 Feb 2010 17:32:16 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3206 Hi James, I'm having an issue. I have a Cisco ASA 5510 and I can ping the inside our network and I can ping from outside to in. However I cannot ping from inside to my outside interface. Any suggestions? Hi James,

I’m having an issue. I have a Cisco ASA 5510 and I can ping the inside our network and I can ping from outside to in. However I cannot ping from inside to my outside interface. Any suggestions?

]]> By: Adam http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3205 Adam Thu, 25 Feb 2010 02:25:13 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3205 James, I'm having an issue. local hosts that use our Global Dynamic NAT to reach outside hosts can not run traceroutes (i can see the hops on LAN between host and ASA, but nothing outside of ASA. These same Static NAT hosts can not access remote (outside) TFTP servers. However, a static NAT LAN host can successfully run traceroutes and access TFTP servers. Other services like http, etc are working perfectly fine regardless of the type of NAT used. Any help would be appreciated. James,

I’m having an issue. local hosts that use our Global Dynamic NAT to reach outside hosts can not run traceroutes (i can see the hops on LAN between host and ASA, but nothing outside of ASA. These same Static NAT hosts can not access remote (outside) TFTP servers.

However, a static NAT LAN host can successfully run traceroutes and access TFTP servers.

Other services like http, etc are working perfectly fine regardless of the type of NAT used. Any help would be appreciated.

]]> By: Charlie http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3131 Charlie Tue, 09 Feb 2010 02:33:22 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3131 Thanks James. Thanks James.

]]> By: James http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-2/#comment-3119 James Thu, 04 Feb 2010 18:54:12 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3119 Charlie, This is the normal operation for the ASA. You will not be able to ping the DMZ or Outside interface from and inside host. Charlie,

This is the normal operation for the ASA. You will not be able to ping the DMZ or Outside interface from and inside host.

]]> By: Charlie http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-1/#comment-3098 Charlie Fri, 22 Jan 2010 18:16:52 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-3098 Hi James, I have a problem with my ASA. The (inside) local lan users can not ping the DMZ interface nor the outside interface but from the ASA I can ping all IP address off the (DMZ) and (inside) and the (outside) interfaces. If I do a sh xlate or sh conn I see connections from the (inside) to the (outside) but no connections or translations to (DMZ). Please take a look at my configuration and let me know if you can identify the issue. ASA Version 8.0(3)6 ! hostname BrickMUA-5520ASA domain-name brickmua.com enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names dns-guard ! interface GigabitEthernet0/0 description ## Connection to External Router ## nameif outside security-level 0 ip address 65.202.14.5 255.255.255.240 ospf cost 10 ! interface GigabitEthernet0/1 description ## Connection to Internal Network ## nameif inside security-level 100 ip address 10.1.1.10 255.255.255.0 ospf cost 10 ! interface GigabitEthernet0/2 nameif THL (DMZ) security-level 50 ip address 10.1.200.2 255.255.255.0 ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown nameif management security-level 100 no ip address ospf cost 10 management-only ! ftp mode passive clock timezone EST -5 clock summer-time EDT recurring dns domain-lookup inside dns server-group DefaultDNS name-server 10.1.1.8 name-server 10.1.1.1 domain-name brickmua.com access-list VPNGroup_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0 access-list Emt3c_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0 access-list outside_access_in extended permit icmp any any access-list outside_access_in extended permit tcp 216.157.255.0 255.255.255.0 ho st 65.202.14.2 eq smtp access-list outside_access_in extended permit tcp 216.157.241.0 255.255.255.0 ho st 65.202.14.2 eq smtp access-list outside_access_in extended deny tcp any host 65.202.14.2 eq smtp access-list outside_access_in extended permit tcp any host 65.202.14.2 eq 3389 access-list outside_access_in extended permit tcp any host 65.202.14.2 eq https access-list outside_access_in extended permit tcp any host 65.202.14.2 eq www access-list outside_access_in extended permit udp any any eq domain access-list outside_access_in extended permit tcp any any eq domain access-list outside_access_in extended permit tcp any any eq 9002 access-list outside_access_in extended permit tcp any any eq 9003 access-list outside_access_in extended permit icmp any any echo access-list outside_access_in extended permit icmp any any echo-reply access-list outside_access_in extended permit icmp any any source-quench access-list outside_access_in extended permit icmp any any unreachable access-list outside_access_in extended permit icmp any any time-exceeded access-list csc-acl extended deny ip host 10.1.1.196 host 38.101.42.81 access-list csc-acl extended permit tcp any any eq ftp access-list csc-acl extended permit tcp any any eq www access-list csc-acl-ftp extended permit tcp any any eq ftp access-list capin extended permit ip any host 38.101.42.81 access-list capin extended permit ip host 38.101.42.81 any pager lines 24 logging enable logging monitor debugging logging asdm informational mtu outside 1500 mtu inside 1500 mtu THL 1500 mtu management 1500 ip local pool ippool250 10.0.250.1-10.0.250.254 mask 255.255.255.0 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-603.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 0.0.0.0 0.0.0.0 nat (THL) 0 0.0.0.0 0.0.0.0 static (inside,outside) tcp 65.202.14.2 domain 10.1.1.4 domain netmask 255.255.2 55.255 static (inside,outside) udp 65.202.14.2 domain 10.1.1.4 domain netmask 255.255.2 55.255 static (inside,outside) 65.202.14.2 10.1.1.4 netmask 255.255.255.255 static (inside,THL) 10.1.200.0 10.1.1.0 netmask 255.255.255.0 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 65.202.14.1 1 route THL 10.1.2.0 255.255.255.0 10.1.200.1 1 route THL 172.16.0.0 255.255.255.0 10.1.200.1 1 route THL 172.18.0.0 255.255.0.0 10.1.200.1 1 route THL 172.20.0.0 255.255.0.0 10.1.200.1 1 route THL 172.21.0.0 255.255.0.0 10.1.200.1 1 route THL 172.22.0.0 255.255.0.0 10.1.200.1 1 telnet 10.1.1.67 255.255.255.255 inside telnet 0.0.0.0 0.0.0.0 inside telnet timeout 5 ssh 65.86.161.80 255.255.255.240 outside ssh 208.252.23.0 255.255.255.128 outside ssh 199.184.162.0 255.255.255.0 outside ssh 63.139.158.128 255.255.255.192 outside ssh 208.50.106.0 255.255.255.0 outside ssh 67.82.0.0 255.255.0.0 outside ssh 75.0.0.0 255.0.0.0 outside ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh timeout 30 console timeout 15 threat-detection basic-threat threat-detection statistics ntp server 66.96.98.9 ! class-map inspection_default match default-inspection-traffic class-map csc-class match access-list csc-acl class-map csc-ftp-class match access-list csc-acl-ftp ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect icmp class csc-class csc fail-open ! service-policy global_policy global privilege cmd level 3 mode exec command perfmon privilege cmd level 3 mode exec command ping privilege cmd level 3 mode exec command who privilege cmd level 3 mode exec command logging privilege cmd level 3 mode exec command failover privilege show level 5 mode exec command import privilege show level 5 mode exec command running-config privilege show level 3 mode exec command reload privilege show level 3 mode exec command mode privilege show level 3 mode exec command firewall privilege show level 3 mode exec command interface privilege show level 3 mode exec command clock privilege show level 3 mode exec command dns-hosts privilege show level 3 mode exec command access-list privilege show level 3 mode exec command logging privilege show level 3 mode exec command vlan privilege show level 3 mode exec command ip privilege show level 3 mode exec command failover privilege show level 3 mode exec command asdm privilege show level 3 mode exec command arp privilege show level 3 mode exec command route privilege show level 3 mode exec command ospf privilege show level 3 mode exec command aaa-server privilege show level 3 mode exec command aaa privilege show level 3 mode exec command eigrp privilege show level 3 mode exec command crypto privilege show level 3 mode exec command vpn-sessiondb privilege show level 3 mode exec command ssh privilege show level 3 mode exec command dhcpd privilege show level 3 mode exec command vpn privilege show level 3 mode exec command blocks privilege show level 3 mode exec command wccp privilege show level 3 mode exec command webvpn privilege show level 3 mode exec command uauth privilege show level 3 mode exec command compression privilege show level 3 mode configure command interface privilege show level 3 mode configure command clock privilege show level 3 mode configure command access-list privilege show level 3 mode configure command logging privilege show level 3 mode configure command ip privilege show level 3 mode configure command failover privilege show level 5 mode configure command asdm privilege show level 3 mode configure command arp privilege show level 3 mode configure command route privilege show level 3 mode configure command aaa-server privilege show level 3 mode configure command aaa privilege show level 3 mode configure command crypto privilege show level 3 mode configure command ssh privilege show level 3 mode configure command dhcpd privilege show level 5 mode configure command privilege privilege clear level 3 mode exec command dns-hosts privilege clear level 3 mode exec command logging privilege clear level 3 mode exec command arp privilege clear level 3 mode exec command aaa-server privilege clear level 3 mode exec command crypto privilege cmd level 3 mode configure command failover privilege clear level 3 mode configure command logging privilege clear level 3 mode configure command arp privilege clear level 3 mode configure command crypto privilege clear level 3 mode configure command aaa-server prompt hostname context Cryptochecksum:78bad106cac5537405f9ed32d02aea77 : end [OK] Hi James,

I have a problem with my ASA. The (inside) local lan users can not ping the DMZ interface nor the outside interface but from the ASA I can ping all IP address off the (DMZ) and (inside) and the (outside) interfaces. If I do a sh xlate or sh conn I see connections from the (inside) to the (outside) but no connections or translations to (DMZ).

Please take a look at my configuration and let me know if you can identify the issue.

ASA Version 8.0(3)6
!
hostname BrickMUA-5520ASA
domain-name brickmua.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description ## Connection to External Router ##
nameif outside
security-level 0
ip address 65.202.14.5 255.255.255.240
ospf cost 10
!
interface GigabitEthernet0/1
description ## Connection to Internal Network ##
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/2
nameif THL (DMZ)
security-level 50
ip address 10.1.200.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
ospf cost 10
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.1.1.8
name-server 10.1.1.1
domain-name brickmua.com
access-list VPNGroup_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list Emt3c_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp 216.157.255.0 255.255.255.0 ho
st 65.202.14.2 eq smtp
access-list outside_access_in extended permit tcp 216.157.241.0 255.255.255.0 ho
st 65.202.14.2 eq smtp
access-list outside_access_in extended deny tcp any host 65.202.14.2 eq smtp
access-list outside_access_in extended permit tcp any host 65.202.14.2 eq 3389
access-list outside_access_in extended permit tcp any host 65.202.14.2 eq https

access-list outside_access_in extended permit tcp any host 65.202.14.2 eq www
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any any eq domain
access-list outside_access_in extended permit tcp any any eq 9002
access-list outside_access_in extended permit tcp any any eq 9003
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded

access-list csc-acl extended deny ip host 10.1.1.196 host 38.101.42.81
access-list csc-acl extended permit tcp any any eq ftp
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl-ftp extended permit tcp any any eq ftp
access-list capin extended permit ip any host 38.101.42.81
access-list capin extended permit ip host 38.101.42.81 any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu THL 1500
mtu management 1500
ip local pool ippool250 10.0.250.1-10.0.250.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
nat (THL) 0 0.0.0.0 0.0.0.0
static (inside,outside) tcp 65.202.14.2 domain 10.1.1.4 domain netmask 255.255.2
55.255
static (inside,outside) udp 65.202.14.2 domain 10.1.1.4 domain netmask 255.255.2
55.255
static (inside,outside) 65.202.14.2 10.1.1.4 netmask 255.255.255.255
static (inside,THL) 10.1.200.0 10.1.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65.202.14.1 1
route THL 10.1.2.0 255.255.255.0 10.1.200.1 1
route THL 172.16.0.0 255.255.255.0 10.1.200.1 1
route THL 172.18.0.0 255.255.0.0 10.1.200.1 1
route THL 172.20.0.0 255.255.0.0 10.1.200.1 1
route THL 172.21.0.0 255.255.0.0 10.1.200.1 1
route THL 172.22.0.0 255.255.0.0 10.1.200.1 1
telnet 10.1.1.67 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 65.86.161.80 255.255.255.240 outside
ssh 208.252.23.0 255.255.255.128 outside
ssh 199.184.162.0 255.255.255.0 outside
ssh 63.139.158.128 255.255.255.192 outside
ssh 208.50.106.0 255.255.255.0 outside
ssh 67.82.0.0 255.255.0.0 outside
ssh 75.0.0.0 255.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 15
threat-detection basic-threat
threat-detection statistics
ntp server 66.96.98.9
!
class-map inspection_default
match default-inspection-traffic
class-map csc-class
match access-list csc-acl
class-map csc-ftp-class
match access-list csc-acl-ftp
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class csc-class
csc fail-open
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:78bad106cac5537405f9ed32d02aea77
: end
[OK]

]]> By: Rocco http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-1/#comment-2774 Rocco Mon, 14 Dec 2009 12:22:30 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-2774 Hi James, I have follow Your instructions but I'm not able to ping from Ouside to inside Can Help me? Regards Rocco Hi James,
I have follow Your instructions but I’m not able to ping from Ouside to inside
Can Help me?

Regards
Rocco

]]> By: sunny kumar http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-1/#comment-2720 sunny kumar Fri, 27 Nov 2009 17:28:43 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-2720 very very Thank u very very Thank u

]]> By: Kurt http://jklogic.net/cisco-asa-and-icmp-configurations/comment-page-1/#comment-2675 Kurt Wed, 30 Sep 2009 20:06:45 +0000 http://jklogic.net/cisco-asa-and-icmp-configurations/#comment-2675 That worked, thanks. The only catch is the switch still retains the vlan 1 as being allowed and I can't get rid of it. That is ok as this is a test and I am writing this down so I don't mess up when i place it into production. Off the subject a tad how do you enable multiple vlans interfaces to be open at the same time? as you see in the 3548 XL switch I have two and I would like both interfaces to be open not shut. I have seen multiple Vlan interfaces open on other switches but unsure what command allows them to all remain open. I can only open one at a time. Kurt That worked, thanks.

The only catch is the switch still retains the vlan 1 as being allowed and I can’t get rid of it. That is ok as this is a test and I am writing this down so I don’t mess up when i place it into production.

Off the subject a tad how do you enable multiple vlans interfaces to be open at the same time? as you see in the 3548 XL switch I have two and I would like both interfaces to be open not shut. I have seen multiple Vlan interfaces open on other switches but unsure what command allows them to all remain open. I can only open one at a time.

Kurt

]]>