Solved

Cannot ping through a Cisco ASA 5505 - why?

Posted on 2008-10-29
6,398 Views
Last Modified: 2013-11-29
We are setting up a new extranet link.  The firewall to be used is the Cisco ASA5505.  At this point we want to get basic connectivity tested.  In the past we have used PIX equipment but this is our first ASA.

We are trying to ping through the firewall from Test PC to Test Router.  It does not work.
We can ping from Test PC to inside ASA.
We can ping from within the ASA to Test PC.
We can ping from within the ASA to Test Router.
We cannot ping from Test PC to Test Router - Can someone tell me why?

   Test PC                  inside    ASA     outside                  Test Router
192.168.5.11 ----- 192.168.5.2  ---  192.168.10.1  -----  192.168.10.2

Below is the output from the commands sho ver, sho start and sho route.

wf03# sho ver

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

wf03 up 4 mins 37 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is 001d.70ff.eccc, irq 11
 1: Ext: Ethernet0/0         : address is 001d.70ff.ecc4, irq 255
 2: Ext: Ethernet0/1         : address is 001d.70ff.ecc5, irq 255
 3: Ext: Ethernet0/2         : address is 001d.70ff.ecc6, irq 255
 4: Ext: Ethernet0/3         : address is 001d.70ff.ecc7, irq 255
 5: Ext: Ethernet0/4         : address is 001d.70ff.ecc8, irq 255
 6: Ext: Ethernet0/5         : address is 001d.70ff.ecc9, irq 255
 7: Ext: Ethernet0/6         : address is 001d.70ff.ecca, irq 255
 8: Ext: Ethernet0/7         : address is 001d.70ff.eccb, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has a Base license.

Serial Number: xxxxxxxxxxxx
Running Activation Key: xxxxxx xxxxxxxx xxxxxxxx xxxxxxx
Configuration register is 0x1
Configuration has not been modified since last system restart.

************************************************************************

wf03# sho start
: Saved
: Written by enable_15 at 07:51:03.758 UTC Wed Oct 29 2008
!
ASA Version 8.0(4)
!
hostname wf03

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
access-list OUTSIDE_IN remark Open the doors for testing
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit udp any any
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN remark Deny everything else
access-list OUTSIDE_IN extended deny tcp any any
access-list OUTSIDE_IN extended deny udp any any
access-list INSIDE_IN remark Open the doors for testing
access-list INSIDE_IN extended permit tcp any any
access-list INSIDE_IN extended permit udp any any
access-list INSIDE_IN extended permit icmp any any echo-reply
access-list INSIDE_IN extended permit icmp any any time-exceeded
access-list INSIDE_IN extended permit icmp any any unreachable
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN remark Deny everything else
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.10.5
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:4d9363363b165fc698bc9ddc60338fa1

**************************************************************************

wf03# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.10.2 to network 0.0.0.0

C    192.168.10.0 255.255.255.0 is directly connected, outside
C    127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
C    192.168.5.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.10.2, outside
wf03#
Question by:dalva
7 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22834132
You said;

We can ping from within the ASA to Test Router.
We cannot ping from Test PC to Test Router - Can someone tell me why?

I said;
Within the ASA, does that mean on the same network as Test PC? If so, the FW is working fine.
is the default route set on test PC?

You do not need an ACL on the outside to allow traffic; inside to outside and back is allowed due to security levels.

harbor235 ;}
0
 
LVL 1

Author Comment

by:dalva
ID: 22834971
harbor235,
When I say within the ASA it means logged into the ASA through the Console port.
Test PC default route is 192.168.5.2 which is the inside port of ASA.

Any ideas?
0
 
LVL 1

Accepted Solution

by:
bml104 earned 200 total points
ID: 22835673
config t
icmp permit any inside
icmp permit any outside
0
 
LVL 1

Author Comment

by:dalva
ID: 22835967
bml104,
That solved my problem.
Let me see if I understand it.  ICMP is disabled by default.
Setting an ACL for ICMP sets up the rule, but the ASA will not allow ICMP to flow until it is turned on with icmp permit...

You need to have the ACL and icmp permit... to make it work.  One without the other will not work.

Am I correct?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22836688

icmp commands are for traffic that terminates at the FW, not through it, so if you initiate a ping from the FW it is not allowed unless you use icmp commands.  Someone on the inside of the firewall can ping to the outside and back based on security levels without ACLs.

Traffic from a higher security level to a lower security level is allowed by default.
Traffic from a lower security level to a higher is not allowed by default and requires ACLs to allow it.

Just need to clarify what was happening


harbor235 ;}
0
 
LVL 1

Expert Comment

by:bml104
ID: 22851565
ICMP is like SSH or HTTP access. You just need to enable it with the command, no ACLs are needed.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22851825


That is incorrect. ICMP to the firewall is like ssh or http access to the firewall. ICMP through the firewall is different and requires an ACL if originated from the outside. If it is originated from the inside, then the FW will approximate tcp/udp/icmp connections and will allow it because it was originated from a trusted network, the inside. The traffic flowed from a higher security level to a lower security level.

harbor235 ;}
0
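An added Python model of the rules this thread settles on (not code from the page, from Cisco or from either poster): it parses a constructed excerpt of the posted startup-config, evaluates one ICMP packet per direction the way the ASA does when no `inspect icmp` is configured (the posted config carries no service-policy, so that is assumed here), and sets the wide-open OUTSIDE_IN list beside a constructed hardened variant that admits only echo replies. Interface names, security levels and ACL names come from the posted config; `HARDENED_CONFIG` is an assumption.

```python
import re
from collections import defaultdict
# Constructed excerpt of the posted startup-config (explicit deny lines omitted).
ASA_CONFIG = """\
 nameif inside
 security-level 100
 nameif outside
 security-level 0
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit udp any any
access-list OUTSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit icmp any any
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
"""
ACE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) any any(?: (\S+))?$")

def parse(config):
    """Return (security level by nameif, ACEs by ACL name, inbound ACL by nameif)."""
    levels, acls, groups, iface = {}, defaultdict(list), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("nameif "):
            iface = line.split()[1]
        elif line.startswith("security-level "):
            levels[iface] = int(line.split()[1])
        elif (m := ACE.match(line)):
            acls[m[1]].append((m[2], m[3], m[4]))  # (action, protocol, icmp type or None)
        elif line.startswith("access-group "):
            groups[line.split()[4]] = line.split()[1]
    return levels, acls, groups

def icmp_through(cfg, ingress, egress, icmp_type):
    """One ICMP packet entering on `ingress` bound for `egress`: the inbound ACL decides
    (implicit deny at its end); with no ACL, higher-to-lower security level is allowed."""
    levels, acls, groups = cfg
    if ingress not in groups:
        return levels[ingress] > levels[egress]
    for action, proto, ace_type in acls[groups[ingress]]:
        if proto in ("icmp", "ip") and ace_type in (None, icmp_type):
            return action == "permit"
    return False

def ping_round_trip(cfg, src_if, dst_if):
    """Without 'inspect icmp' the ASA keeps no ICMP state, so the echo-reply is judged
    as a fresh packet arriving on the far interface: both directions must pass."""
    return icmp_through(cfg, src_if, dst_if, "echo") and icmp_through(cfg, dst_if, src_if, "echo-reply")

# Hardened variant (constructed): outside admits only echo replies, so an outside-initiated echo is dropped.
HARDENED_CONFIG = re.sub(r"access-list OUTSIDE_IN extended permit \S+ any any\n", "", ASA_CONFIG).replace(
    "access-group INSIDE_IN", "access-list OUTSIDE_IN extended permit icmp any any echo-reply\naccess-group INSIDE_IN")
```

Traffic addressed to the firewall itself (what the `icmp permit` commands govern) is outside this model; it only covers traffic passing through the box.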
