As I am sure many of you who have ever worked with a Cisco firewall know, ICMP is not allowed through the firewall by default. If you are just configuring the device, this can make it very difficult to troubleshoot connectivity issues. Thankfully, there are several ways to get around this.
Solution 1: Use access-lists to allow pings from inside/DMZ to the outside.
To allow pinging from the inside to the outside interfaces, you will need to configure an access-list for the outside interface.
Then apply the access-list to the outside interface.
This will allow only ping. If you would like to allow traceroute, you will also need to allow time-exceeded.
Solution 2: Use an access-list to allow ping and traceroute from the internet to your DMZ/inside servers.
To do this, we are going to build on what we did above, so you should already have this in the config.
access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
access-group OUTSIDE_IN_ACL in interface outside
Now all we need to do is allow echo into the network.
Even though we are allowing ICMP, we still need a static mapping for the packets to reach the DMZ.
Of course, you will need a static mapping for every server you want reachable from the internet.
Solution 3: This is a bit more complex, but will allow higher security level interfaces to ping/traceroute lower security level interfaces without the use of access-lists. To do this, we will tell the ASA to inspect ICMP in a service policy. If you are using an ASA, you should have a default policy in the base config called global_policy.
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
To add ICMP inspection:
FW-ASA(config-pmap)# class inspection_default
FW-ASA(config-pmap-c)# inspect icmp
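All three solutions in one pre-8.3 ASA configuration, written here as an added example rather than taken from the post; the interface name dmz and the addresses 203.0.113.10 (mapped) and 10.10.50.10 (real) are constructed placeholders. The unreachable permit and inspect icmp error are additions the post does not mention: UDP-based traceroute (Linux/macOS) completes on port-unreachable replies, and ICMP error inspection lets the ASA translate the addresses embedded inside those error messages.

```cisco
! Solution 1: let inside/DMZ hosts ping and traceroute outward by allowing
! only the reply types back in. This is stateless: an echo-reply from any
! source is accepted whether or not a request was sent, so keep it this narrow.
access-list OUTSIDE_IN_ACL remark ICMP replies for ping/traceroute from inside and DMZ
access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL permit icmp any any time-exceeded
access-list OUTSIDE_IN_ACL permit icmp any any unreachable
!
! Solution 2: let the internet ping exactly one DMZ server. Pre-8.3 ACLs on
! the outside interface match the mapped (public) address, so the static
! mapping is created first and the ACL references the mapped address.
! 203.0.113.10 (public) and 10.10.50.10 (DMZ) are constructed placeholders.
static (dmz,outside) 203.0.113.10 10.10.50.10 netmask 255.255.255.255
access-list OUTSIDE_IN_ACL permit icmp any host 203.0.113.10 echo
!
access-group OUTSIDE_IN_ACL in interface outside
!
! Solution 3: stateful alternative to the echo-reply/time-exceeded permits.
! With inspection the ASA builds a connection for each outbound request and
! admits only the matching reply, so no inbound permit for reply types is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
```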


Thank you, thank you, thank you… I’ve been trying to configure this for weeks. You’ve boiled it down nicely and made it very easy to understand.
You are very welcome Doug. I am just glad someone else has found it useful.
Thank you! Thank you!!
Thanks, very succinct and helpful!
Hi, can I know what the difference is between static (dmz,outside) and static (outside,dmz)?
Thank you
noobiew:
The difference is in which way you are performing the NAT translation, as in which is the “Real” IP and which is the mapped (NAT) IP. Cisco presents the static command in a couple of ways:
static (real_ifc,mapped_ifc) mapped_ip {real_ip [netmask mask] }
AND on the ASA 8.0 software
FW-ASA(config)# static ?
configure mode commands/options:
  (  Open parenthesis for (<real_ifc>,<mapped_ifc>) pair where <real_ifc>
     is the Internal or prenat interface and <mapped_ifc> is the External or
     postnat interface
So you are basically looking at:
static (prenat Interface,postnat Interface) postnat IP prenat IP
Please let me know if this helps.
Hi,
this is a bit odd, but how do I allow my ASA outside interface to reply to ping requests from the outside as well?
joe,
To ping the outside interface from any IP address, from config mode:
icmp permit any outside
That should do the trick. Let me know if there is anything else I can help with.
Whoa, that's great!!! It works, thanks.
Hi James,
I got one last question:
I have a 2811 router and an ASA 5520. The ASA subinterfaces use dot1q while the 2811 only uses ISL; how can I make these two devices talk to each other?
Thanks.
Here's my config (I changed it to have IP addresses between the ASA security context and the router):
interface prod_outside
 nameif outside
 security-level 0
 ip address 202.124.135.133 255.255.255.224
 asr-group 1
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 202.124.135.149 255.255.255.224
 duplex auto
 speed auto
But I still can't ping one from the other… any ideas?
Thanks.
Joe,
I am fairly certain that the 2811 supports dot1q trunking. Also, if you are running in multiple context mode on the ASA, I believe you have to use a trunk to the switch/router you are connecting it to, so assigning an IP directly to the interface on the 2811 will probably not work.
Do you have a spare switch you could use for testing? You could connect both the ASA and the router to the switch and see if you can get them to communicate using the trunking on the switch.
On the 2811, try this:
c2811(config)#int fastEthernet 0/0
c2811(config-if)#no shut
c2811(config-if)#exit
c2811(config)#int fastEthernet 0/0.1
c2811(config-subif)#encapsulation dot1Q 1 native
c2811(config-subif)#ip address 202.124.135.149 255.255.255.224
Let me know if this helps.
Hi James,
I got it working using a switch; I will try that suggestion some other time. However, I have got another weird problem: my ASA can communicate with the outside world and the inside interface just fine, but when a VLAN on my core tries to access the outside via the ASA it times out.
I have a trunk configured on the core switch to the ASA inside subinterface. I can ping the ASA inside interface from the core and vice versa as well. My default route to the outside world is via the ASA subinterface.
Any ideas?
joe,
Since this is getting off topic, and I can respond faster by email, could you send the ASA and core switch configs to jkane@jklogic.net? I will take a look and see if we can get this fixed for you ASAP.
Hi James, I very much appreciate your explanation and thank you so much.
I have another question regarding the ASA firewall. Can I know what the difference is between
1) global (outside) 100 202.168.9.10
nat (inside) 100 192.168.7.1
and
2) static (inside, outside) 202.168.9.10 192.168.7.1 netmask 255.255.255.255
From my understanding, the first one is considered dynamic NAT and the second one is considered static NAT (am I right?). And both of them also perform the same thing, which is translating the private IP address 192.168.7.1 to the outside public address 202.168.9.10.
But I am a bit confused about what the difference is between the two of them. I tried surfing websites but cannot find any useful information on it.
When you guys perform NAT in the ASA firewall, which command do you all use? If both of these commands also perform the same function, I really do not understand which NAT command I need to use.
Thank you,
Have a nice day
noobiew,
You are correct about dynamic and static NAT. The difference is in the way they are utilized.
Static NAT is generally used to make a static 1-to-1 mapping of IP addresses. In the example above, you are mapping 202.168.9.10 to 192.168.7.1. This is useful if you have a server on the LAN or DMZ that you want to allow services from the outside world. This way, people accessing the 202.168.9.10 IP address will be redirected to the server at 192.168.7.1.
Dynamic NAT is used when you want multiple users behind the firewall to have access to the internet (or other network). In this case, you could allow all computers on the LAN to access the internet. However, the way your nat statement is written, only 192.168.7.1 will be able to access the internet. You could change it to allow the entire subnet to access the internet.
nat (inside) 100 192.168.7.0 255.255.255.0
Let me know if that didn’t answer your questions.
James,
Got it working finally; those subinterfaces worked wonders… now I have a question:
a context that is on standby will not have any IP addresses assigned to it?
ASA1 (production active and support standby)
secure1/support# sh fail
Failover On
Last Failover at: 23:47:28 UTC Oct 10 2008
This context: Standby Ready
Active time: 206 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Peer context: Active
Active time: 6539 (sec)
Interface outside (202.124.135.130): Normal (Waiting)
Interface inside (10.10.2.1): Normal (Waiting)
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 3 0 18394 1
ARP tbl 0 0 507 21
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/support#
mnl-secure1/production# sh fail
Failover On
Last Failover at: 23:44:02 UTC Oct 10 2008
This context: Active
Active time: 7013 (sec)
Interface outside (119.111.136.29): Normal (Waiting)
Interface inside (10.10.3.1): Normal (Waiting)
Peer context: Failed
Active time: 0 (sec)
Interface outside (119.111.136.28): Failed (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 34420 0 0 0
ARP tbl 74 0 0 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/production#
ASA2 (support active production standby)
nl-secure1/support# sh fail
Failover On
Last Failover at: 23:47:21 UTC Oct 10 2008
This context: Active
Active time: 6907 (sec)
Interface outside (202.124.135.130): Normal (Waiting)
Interface inside (10.10.2.1): Normal (Waiting)
Peer context: Standby Ready
Active time: 206 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 19537 0 3 0
ARP tbl 546 0 0 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/support#
secure1/production# sh fail
Failover On
Last Failover at: 23:47:08 UTC Oct 10 2008
This context: Failed
Active time: 0 (sec)
Interface outside (119.111.136.28): Failed (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Peer context: Active
Active time: 7156 (sec)
Interface outside (119.111.136.29): Normal (Waiting)
Interface inside (10.10.3.1): Normal (Waiting)
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 35262 10
ARP tbl 0 0 74 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/production#
Any thoughts?
Thanks a bunch.
Wow…
Solution 3 was the answer!
You have no idea how frustrated I was getting not being able to ping from a host on my network. I looked everywhere in the Cisco documentation and I couldn’t find anything related to my problem.
Thanks!
joe,
That doesn’t look right to me. I am not running Active/Active with contexts, but I do have a failover config. Here is the sh fail:
FW-ASA# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
failover replication http
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 21:42:13 CDT Aug 18 2008
This host: Primary - Active
Active time: 4806765 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (X.X.X.226): Normal
Interface DMZ_Servers (10.10.48.1): Normal
Interface DMZ_VPN (10.10.49.1): Normal
Interface DMZ_InternetDump (10.10.126.1): Normal (Not-Monitored)
Interface inside (10.10.100.1): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 266 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (X.X.X.227): Normal
Interface DMZ_Servers (10.10.48.2): Normal
Interface DMZ_VPN (10.10.49.2): Normal
Interface DMZ_InternetDump (10.10.126.2): Normal (Not-Monitored)
Interface inside (10.10.100.2): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Stateful Failover Logical Update Statistics
Link : Unconfigured.
It looks like you set up the failover part correctly, but did not put the standby IP address on the interfaces. Here are 2 of the interfaces from my ASAs:
!
interface GigabitEthernet0/1.48
vlan 48
nameif DMZ_Servers
security-level 48
ip address 10.10.48.1 255.255.255.0 standby 10.10.48.2
!
interface GigabitEthernet0/1.49
vlan 49
nameif DMZ_VPN
security-level 49
ip address 10.10.49.1 255.255.255.248 standby 10.10.49.2
You have to add the standby interface to every interface.
Let me know if that helps.
Hi James,
Yes, I have added the standby IP addresses; however, I am getting (waiting) failed on my outside interfaces… ooh so close
secure1/production# sh fail
Failover On
Last Failover at: 08:14:52 UTC Oct 11 2008
This context: Failed
Active time: 0 (sec)
Interface outside (xxx.xxx.136.18): Failed (Waiting)
Interface inside (10.10.3.10): Normal
Peer context: Active
Active time: 2428 (sec)
Interface outside (xxx.xxx.136.29): Normal (Waiting)
Interface inside (10.10.3.1): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 1913 0
ARP tbl 0 0 15 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/production#
Hi James,
got it to work using a layer 2 switch trunked to the ASAs.
Got a question about the ping. I am trying to allow a host in the inside network to be able to ping the external interface IP of the ASA. Tried various things and no luck. The inside host can ping the ASA inside interface, as well as other hosts on the external network, but just not the ASA's own external interface. Can this be done?
Thanks in advance.
raymondn,
I do not believe you should be able to ping the outside interface of the ASA from the inside interface. By default the ASA will not allow a packet to exit the same interface it enters. I do not know of a way to change this behavior.
James
okay, thanks.
Guess I would have to rely on the network switch's port up/down SNMP trap so I know if the router outside interface is up/down.
I've got a weird problem… hope someone can help…
A trace from an inside LAN workstation to an external site dies at the border router, but from the border router, a trace to the same external site succeeds.
A trace from an external IP can reach the global IP of the ASA, the ASA can ping the next-hop border router, and the border router can ping the ASA as well.
I have cleared the ARP cache and MAC address tables on both the router and the ASA and I still can't ping any external site.
Btw, I have a permit icmp any any and I can see the request going out of the ASA via debug icmp trace, but I don't see any reply back.
I am thinking this is a Layer 2 problem since the ASA and border router are directly connected.
I am now perplexed and confused as to what to do next…
have you looked at the ASA NAT policy for your ping traffic going out to the external network? Just an idea.
it pats just fine
marky,
Have you tried to run the traceroute from the ASA? If this is successful, there should not be a layer 2 problem between the ASA and the border router.
Also, can you ping from the internal host to the border router?
Make sure the permit icmp any any is applied incoming to the outside interface.
Let me know if any of that helps.
James