[x]
Posted via EE Mobile

Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.
Question
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
6.5

TCP & ICMP NO CONNECTION THROUGH THE ASA 8.0(4)16 FIREWALL

Asked by Andres2007 in Cisco PIX Firewall

Hi,
first sorry by my poor english.
I've got a connectivity problem in my intranet area

FROM 10.1.27.10 host:
I cannot ping to one interface of ASA 10.1.127.4, but I can do telnet to it.
I cannot ping to 10.1.127.20, 10.1.127.21
I cannot telnet to 10.1.127.20, 10.1.127.21
I do ping and telnet to 10.1.127.51, 52, 53, 54 as weel

Please, what should i do to make allways ping and telnet to all interfaces outside the ASA.
I need telnet and ping to 10.1.127.48 / 28 (i do it as weel from 10.1.27.4)
I need telnet and ping to 10.1.127.4 (i do only telnet from 10.1.27.4)
I need telnet and ping to 10.1.127.16 / 28 (I can't reach nothing in this network from 10.1.27.4)

So I need to ping and telnet anywhere outside the ASA. ANY TRAFFIC THAT ENTER THE ASA FOR ANY INTERFACE CAN RETURN TO THE ORIGIN HOST FOR OTHER DIFFERENT INTERFACE THAN FIRST.



1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:

this is the config:
 
Result of the command: "sh run"
 
: Saved
:
ASA Version 8.0(4)16 
!
hostname ESCFWLA
 
 
names
!
interface GigabitEthernet0/0
 description Conexion a Internet
 shutdown
 nameif Conex_Internet_V279
 security-level 0
 ip address 10.1.127.97 255.255.255.240 standby 10.1.127.98 
!
interface GigabitEthernet0/1
 nameif Interconex_Firewall_Nokia_V1270
 security-level 100
 ip address 10.1.127.4 255.255.255.240 standby 10.1.127.5 
!
interface GigabitEthernet0/2
 description Trunk vlan 1271/1272/1273  (Vpn_ clara y cifrada, gestion_gateways)
 nameif Trk_v1271_v1272_v1273
 security-level 50
 no ip address
!
interface GigabitEthernet0/2.1
 description Conexin con la vlan clara. ESCGWCONMA 1/0/4
 vlan 1271
 nameif vlan_clara
 security-level 50
 ip address 10.1.127.17 255.255.255.240 standby 10.1.127.18 
!
interface GigabitEthernet0/2.2
 description Conexin con la vlan cifrada. ESCGWCONMA 1/0/10
 vlan 1272
 nameif vlan_cifrada
 security-level 50
 ip address 10.1.127.33 255.255.255.240 standby 10.1.127.34 
!
interface GigabitEthernet0/2.3
 description VLAN de Gestion para C3845
 vlan 1273
 nameif gestion_gateways
 security-level 50
 ip address 10.1.127.49 255.255.255.240 standby 10.1.127.50 
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 description Solo para gestion
 nameif management
 security-level 100
 ip address 10.1.127.68 255.255.255.240 standby 10.1.127.69 
!
boot system disk0:/asa804-16-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
 
object-group network Cluster_Network_NO_Management
 description Todas las redes del Cluster ASA excepto la Gestion
 network-object 10.1.127.0 255.255.255.240
 network-object 10.1.127.16 255.255.255.240
 network-object 10.1.127.32 255.255.255.240
 network-object 10.1.127.48 255.255.255.240
 network-object 10.1.127.96 255.255.255.240
 
access-list Interconex_Firewall_Nokia_V1270_access_in extended permit ip any any 
access-list vlan_clara_access_in extended permit ip any any 
access-list vlan_cifrada_access_in extended permit ip any any 
access-list Trk_v1271_v1272_v1273_access_in extended permit ip any any 
access-list gestion_gateways_access_in extended permit ip any any 
access-list management_access_out extended permit ip any any 
access-list Interconex_Firewall_Nokia_V1270_access_out extended permit ip any any 
access-list management_access_in extended permit ip any any 
access-list management_access_in_1 extended permit ip any any 
access-list Interconex_Firewall_Nokia_V1270_access_in_1 extended permit ip any any 
access-list management_access_in_2 extended permit ip any any 
access-list Interconex_Firewall_Nokia_V1270_access_in_2 extended permit ip any any 
access-list management_access_in_3 extended permit ip any any 
access-list gestion_gateways_access_out extended permit ip any any 
pager lines 24
logging enable
logging timestamp
logging standby
logging console informational
logging monitor informational
logging buffered emergencies
logging trap informational
logging history informational
logging asdm informational
logging mail informational
mtu Conex_Internet_V279 1500
mtu Interconex_Firewall_Nokia_V1270 1500
mtu Trk_v1271_v1272_v1273 1500
mtu vlan_clara 1500
mtu vlan_cifrada 1500
mtu gestion_gateways 1500
mtu management 1500
 
ip verify reverse-path interface Conex_Internet_V279
ip verify reverse-path interface vlan_clara
ip verify reverse-path interface vlan_cifrada
 
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.1.127.81 255.255.255.248 standby 10.1.127.82
no monitor-interface Conex_Internet_V279
monitor-interface vlan_clara
monitor-interface vlan_cifrada
monitor-interface gestion_gateways
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (gestion_gateways) 1 interface
access-group Interconex_Firewall_Nokia_V1270_access_in_2 in interface Interconex_Firewall_Nokia_V1270
access-group Interconex_Firewall_Nokia_V1270_access_out out interface Interconex_Firewall_Nokia_V1270
access-group Trk_v1271_v1272_v1273_access_in in interface Trk_v1271_v1272_v1273
access-group vlan_clara_access_in in interface vlan_clara
access-group vlan_cifrada_access_in in interface vlan_cifrada
access-group gestion_gateways_access_in in interface gestion_gateways
access-group gestion_gateways_access_out out interface gestion_gateways
access-group management_access_in_3 in interface management
access-group management_access_out out interface management
route Interconex_Firewall_Nokia_V1270 10.0.0.0 255.0.0.0 10.1.127.1 1
route management 10.1.27.10 255.255.255.255 10.1.127.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS protocol tacacs+
 accounting-mode simultaneous
 max-failed-attempts 5
aaa-server ACS (Interconex_Firewall_Nokia_V1270) host 10.1.27.11
 key qwerty
aaa authentication enable console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
 
http server enable
http 10.1.27.9 255.255.255.255 management
http 10.1.27.10 255.255.255.255 management
http 10.1.27.0 255.255.255.192 management
snmp-server host Interconex_Firewall_Nokia_V1270 10.1.30.3 community pagina version 2c
snmp-server host Interconex_Firewall_Nokia_V1270 10.1.30.45 community pagina version 2c
snmp-server location SSCC
snmp-server contact CGR
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
auth-prompt prompt CISCO ASA 5540 
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 Interconex_Firewall_Nokia_V1270
telnet 10.1.27.9 255.255.255.255 management
telnet 10.1.27.10 255.255.255.255 management
telnet 10.1.27.0 255.255.255.192 management
telnet timeout 5
ssh 10.1.27.10 255.255.255.255 management
ssh 10.1.27.9 255.255.255.255 management
ssh 10.1.27.0 255.255.255.192 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
 
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:7791611eaf7fbe1943c881a5f6166439
: end
 
 
When I do ping from 10.1.27.10 to 10.1.127.20:
6|Jan 28 2009|12:41:40|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:40|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:36|302020|10.1.127.20|0|10.1.27.10|512|Built inbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:36|302020|10.1.27.10|512|10.1.127.20|0|Built outbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:35|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:35|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:34|110002|10.1.27.6|1027|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.6/1027 to 128.8.10.90/53
6|Jan 28 2009|12:41:31|302010|||||17 in use, 122 most used
6|Jan 28 2009|12:41:31|302020|10.1.127.20|0|10.1.27.10|512|Built inbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:31|302020|10.1.27.10|512|10.1.127.20|0|Built outbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:30|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:30|302021|10.1.127.20|0|10.1.27.10|512|Teardown ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:26|302020|10.1.127.20|0|10.1.27.10|512|Built inbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:26|302020|10.1.27.10|512|10.1.127.20|0|Built outbound ICMP connection for faddr 10.1.127.20/0 gaddr 10.1.27.10/512 laddr 10.1.27.10/512
6|Jan 28 2009|12:41:23|110002|10.1.27.7|3659|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.7/3659 to 172.27.48.51/53
6|Jan 28 2009|12:41:12|110002|10.1.27.6|1027|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.6/1027 to 202.12.27.33/53
6|Jan 28 2009|12:41:11|302015|10.1.127.54|161|10.1.30.3|62674|Built outbound UDP connection 20675 for gestion_gateways:10.1.127.54/161 (10.1.127.54/161) to Interconex_Firewall_Nokia_V1270:10.1.30.3/62674 (10.1.30.3/62674)
 
When I do telnet from 10.1.27.10 to 10.1.127.20:
6|Jan 28 2009|12:42:09|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:08|110002|10.1.27.6|1027|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.6/1027 to 192.5.5.241/53
6|Jan 28 2009|12:42:06|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags SYN ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:03|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:02|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags SYN ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:00|106015|10.1.127.20|23|10.1.27.10|1675|Deny TCP (no connection) from 10.1.127.20/23 to 10.1.27.10/1675 flags SYN ACK  on interface gestion_gateways
6|Jan 28 2009|12:42:00|302013|10.1.127.20|23|10.1.27.10|1675|Built outbound TCP connection 20684 for vlan_clara:10.1.127.20/23 (10.1.127.20/23) to Interconex_Firewall_Nokia_V1270:10.1.27.10/1675 (10.1.27.10/1675)
6|Jan 28 2009|12:41:57|110002|10.1.27.7|3659|||Failed to locate egress interface for UDP from Interconex_Firewall_Nokia_V1270:10.1.27.7/3659 to 172.27.48.51/53
 
Please, can anybody help me??
Attachments:
 
topology.jpg (96 KB) (File Type Details) 
INTRANET AREA TOPOLOGY
INTRANET AREA TOPOLOGY
 
[+][-]01/28/09 09:30 AM, ID: 23488882Accepted Solution

Your question has an Asker Certified™ answer! Andres2007 verified that this solution worked for them--which means it will likely work for you, too. Click to view the solution free for 30-days now.

About this solution

Zone: Cisco PIX Firewall
Sign Up Now!
Solution Provided By: asavener
Participating Experts: 1
Solution Grade: C
 
[+][-]01/28/09 05:54 AM, ID: 23486390Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/28/09 06:56 AM, ID: 23487065Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]01/29/09 09:05 AM, ID: 23499706Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
 
Loading Advertisement...
20100308-EE-VQP-140 - Hierarchy / EE_QW_3_20080625
Your technology problems solved.
Close See Plans and Pricing. Try it FREE for 30 days.