Solved

Cannot ping through a Cisco ASA 5505 - why?

Posted on 2008-10-29
6,349 Views
Last Modified: 2013-11-29
We are setting up a new extranet link.  The firewall to be used is the Cisco ASA5505.  At this point we want to get basic connectivity tested.  In the past we have used PIX equipment but this is our first ASA.

We are trying to ping through the firewall from Test PC to Test Router.  It does not work.
We can ping from Test PC to inside ASA.
We can ping from within the ASA to Test PC.
We can ping from within the ASA to Test Router.
We cannot ping from Test PC to Test Router - Can someone tell me why?

   Test PC                  inside    ASA     outside                  Test Router
192.168.5.11 ----- 192.168.5.2  ---  192.168.10.1  -----  192.168.10.2

Below is the output from the commands sho ver, sho start and sho route.

wf03# sho ver

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

wf03 up 4 mins 37 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : ?CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: ?CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : ?CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is 001d.70ff.eccc, irq 11
 1: Ext: Ethernet0/0         : address is 001d.70ff.ecc4, irq 255
 2: Ext: Ethernet0/1         : address is 001d.70ff.ecc5, irq 255
 3: Ext: Ethernet0/2         : address is 001d.70ff.ecc6, irq 255
 4: Ext: Ethernet0/3         : address is 001d.70ff.ecc7, irq 255
 5: Ext: Ethernet0/4         : address is 001d.70ff.ecc8, irq 255
 6: Ext: Ethernet0/5         : address is 001d.70ff.ecc9, irq 255
 7: Ext: Ethernet0/6         : address is 001d.70ff.ecca, irq 255
 8: Ext: Ethernet0/7         : address is 001d.70ff.eccb, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has a Base license.

Serial Number: xxxxxxxxxxxx
Running Activation Key: xxxxxx xxxxxxxx xxxxxxxx xxxxxxx
Configuration register is 0x1
Configuration has not been modified since last system restart.

************************************************************************

wf03# sho start
: Saved
: Written by enable_15 at 07:51:03.758 UTC Wed Oct 29 2008
!
ASA Version 8.0(4)
!
hostname wf03

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
access-list OUTSIDE_IN remark Open the doors for testing
access-list OUTSIDE_IN extended permit tcp any any
access-list OUTSIDE_IN extended permit udp any any
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN remark Deny everything else
access-list OUTSIDE_IN extended deny tcp any any
access-list OUTSIDE_IN extended deny udp any any
access-list INSIDE_IN remark Open the doors for testing
access-list INSIDE_IN extended permit tcp any any
access-list INSIDE_IN extended permit udp any any
access-list INSIDE_IN extended permit icmp any any echo-reply
access-list INSIDE_IN extended permit icmp any any time-exceeded
access-list INSIDE_IN extended permit icmp any any unreachable
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN remark Deny everything else
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.10.5
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
Cryptochecksum:4d9363363b165fc698bc9ddc60338fa1

**************************************************************************

wf03# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.10.2 to network 0.0.0.0

C    192.168.10.0 255.255.255.0 is directly connected, outside
C    127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
C    192.168.5.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.10.2, outside
wf03#
Question by:dalva
7 Comments
LVL 32

Expert Comment

by:harbor235
ID: 22834132
You said;

We can ping from within the ASA to Test Router.
We cannot ping from Test PC to Test Router - Can someone tell me why?

I said;
Within the ASA, does that mean on the same network as Test PC? If so the FW is working fine.
Is the default route set on Test PC?

You do not need an ACL on the outside to allow traffic; inside to outside and back is allowed due to security levels.

harbor235 ;}
LVL 1

Author Comment

by:dalva
ID: 22834971
harbor235,
When I say within the ASA it means logged into the ASA through the Console port.
Test PC default route is 192.168.5.2 which is the inside port of ASA.

Any ideas?
LVL 1

Accepted Solution

by:bml104 (earned 200 total points)
ID: 22835673
config t
icmp permit any inside
icmp permit any outside
LVL 1

Author Comment

by:dalva
ID: 22835967
bml104,
That solved my problem.
Let me see if I understand it.  ICMP is disabled by default.
Setting an ACL for ICMP sets up the rule but the ASA will not allow ICMP to flow until it is turned on with icmp permit...

You need to have the ACL and icmp permit... to make it work.  One without the other will not work.

Am I correct?
LVL 32

Expert Comment

by:harbor235
ID: 22836688

icmp commands are for traffic that terminates at the FW, not through it, so if you initiate a ping from the FW it is not allowed unless you use icmp commands.  Someone on the inside of the firewall can ping to the outside and back based on security levels without ACLs.

Traffic from a higher security level to a lower security level is allowed by default.
Traffic from a lower security level to a higher is not allowed by default and requires ACLs to allow it.

Just need to clarify what was happening


harbor235 ;}
LVL 1

Expert Comment

by:bml104
ID: 22851565
ICMP is like SSH or HTTP access. You just need to enable it with the command, no ACLs are needed.
LVL 32

Expert Comment

by:harbor235
ID: 22851825
That is incorrect. ICMP to the firewall is like ssh or http access to the firewall. ICMP through the firewall is different and requires an ACL if originated from the outside. If it is originated from the inside then the FW will approximate tcp/udp/icmp connections and will allow it because it was originated from a trusted network, the inside. The traffic flowed from a higher security level to a lower security level.

harbor235 ;}
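The distinction harbor235 draws in the last two comments (the icmp commands govern ICMP terminating on the ASA, while ICMP through the ASA is governed by the interface ACL or, without one, by the security-level default) and the accepted solution of bml104 (icmp permit any inside / outside) can be put into a small decision model. The following is an added teaching example written for this page; it is not ASA code and not code from any participant. The classes and functions (Ace, Asa, acl_permits, ping_through, posted_config) are invented for the model, NAT is ignored because the posted ACLs are any/any, and the "inspect icmp" switch models the documented ASA behaviour that an echo-reply only rides the outbound connection when ICMP inspection is enabled (the posted startup-config has no service-policy, so it is modelled as off). Fed the interfaces and ACLs from the question, the model permits the echo-request and the echo-reply, and adding the two icmp permit lines changes nothing for through-traffic; it is a model of the rules, not a reproduction of the poster's failure.

```python
"""Added teaching model (not ASA code) of the ICMP rules discussed above:
  1. ICMP *to* an interface is governed by the `icmp permit|deny` list;
     with no entries the ASA accepts ICMP terminating on any interface.
  2. ICMP *through* the box: an inbound access-group on the ingress
     interface decides; with no access-group the security-level default
     applies (higher -> lower permitted, lower -> higher denied).
  3. The echo-reply is tied to the outgoing echo-request only when
     `inspect icmp` is enabled; otherwise it is judged as a fresh packet
     arriving on the return interface.
NAT is ignored: the posted ACLs are any/any, so translation does not
change the outcome here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry (hypothetical structure for the model)."""
    action: str                      # "permit" | "deny"
    proto: str                       # "icmp" | "tcp" | "udp" | "ip"
    src: str                         # CIDR or "any"
    dst: str
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...; None = any


def _match(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def acl_permits(acl: List[Ace], proto: str, src: str, dst: str,
                icmp_type: Optional[str] = None) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in (proto, "ip"):
            continue
        if not (_match(ace.src, src) and _match(ace.dst, dst)):
            continue
        if ace.proto == "icmp" and ace.icmp_type not in (None, icmp_type):
            continue
        return ace.action == "permit"
    return False


@dataclass
class Asa:
    security_level: Dict[str, int]                        # nameif -> level
    access_group: Dict[str, List[Ace]] = field(default_factory=dict)
    icmp_to_box: List[Tuple[str, str, str]] = field(default_factory=list)
    inspect_icmp: bool = False                            # no service-policy -> off

    def icmp_to_interface(self, ifname: str, src: str) -> bool:
        """Rule 1: the `icmp` command list as (action, net, interface)."""
        if not self.icmp_to_box:
            return True                 # empty list: accept on every interface
        for action, net, where in self.icmp_to_box:
            if where == ifname and _match(net, src):
                return action == "permit"
        return False                    # list present: implicit deny

    def _through(self, ingress: str, egress: str, src: str, dst: str,
                 icmp_type: str) -> bool:
        """Rule 2: the interface ACL if one is bound, else the security-level default."""
        if ingress in self.access_group:
            return acl_permits(self.access_group[ingress], "icmp",
                               src, dst, icmp_type)
        return self.security_level[ingress] > self.security_level[egress]

    def ping_through(self, ingress: str, egress: str,
                     src: str, dst: str) -> Dict[str, bool]:
        """Echo-request out, echo-reply back (rule 3 decides the reply)."""
        if not self._through(ingress, egress, src, dst, "echo"):
            return {"request": False, "reply": False}
        if self.inspect_icmp:
            return {"request": True, "reply": True}   # reply rides the connection
        reply = self._through(egress, ingress, dst, src, "echo-reply")
        return {"request": True, "reply": reply}


def posted_config() -> Asa:
    """The interfaces, ACLs and (absent) ICMP inspection from the question."""
    a = "any"
    outside_in = [Ace("permit", "tcp", a, a), Ace("permit", "udp", a, a),
                  Ace("permit", "icmp", a, a),
                  Ace("deny", "tcp", a, a), Ace("deny", "udp", a, a)]
    inside_in = [Ace("permit", "tcp", a, a), Ace("permit", "udp", a, a),
                 Ace("permit", "icmp", a, a, "echo-reply"),
                 Ace("permit", "icmp", a, a, "time-exceeded"),
                 Ace("permit", "icmp", a, a, "unreachable"),
                 Ace("permit", "icmp", a, a),
                 Ace("deny", "tcp", a, a), Ace("deny", "udp", a, a)]
    return Asa(security_level={"inside": 100, "outside": 0},
               access_group={"inside": inside_in, "outside": outside_in})


if __name__ == "__main__":
    pc, router = "192.168.5.11", "192.168.10.2"      # addresses from the diagram
    asa = posted_config()
    print("posted config, PC -> router:", asa.ping_through("inside", "outside", pc, router))
    asa.icmp_to_box = [("permit", "any", "inside"), ("permit", "any", "outside")]
    print("after icmp permit any ...:", asa.ping_through("inside", "outside", pc, router))
    bare = Asa(security_level={"inside": 100, "outside": 0})   # no ACLs bound
    print("no ACLs, no inspect icmp:", bare.ping_through("inside", "outside", pc, router))
    bare.inspect_icmp = True
    print("no ACLs, inspect icmp:", bare.ping_through("inside", "outside", pc, router))
```

The "bare" case is the one harbor235 describes: with no access-groups, the request leaves because inside (100) is higher than outside (0), but the reply is a lower-to-higher packet and is dropped unless ICMP inspection ties it to the connection or an outside ACL permits echo-reply.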