Solved

Can not ping internal network from ASA

Posted on 2009-06-30
Last Modified: 2012-05-07
I cannot ping an internal computer from the ASA. The computer's IP address is 192.168.187.15; its gateway is 192.168.187.14, which is the ASA internal interface. I've got an IP phone connected to the same ASA with IP address 192.168.185.15 and internal ASA interface 192.168.185.14, and everything works fine. We are doing testing, so do not be surprised by the configuration.
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif ouside3
 security-level 0
 ip address 10.254.17.25 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
 nameif Lan
 security-level 100
 ip address 192.168.185.14 255.255.255.0
!
interface GigabitEthernet0/3
 nameif comp
 security-level 50
 ip address 192.168.187.14 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list nonat extended permit ip any any
access-list nat2 extended permit ip any any
access-list nonat2 extended permit ip any any
pager lines 24
logging asdm informational
mtu ouside3 1500
mtu outside 1500
mtu Lan 1500
mtu comp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Lan) 0 access-list nonat
nat (Lan) 1 access-list nat
nat (comp) 0 access-list nonat
nat (comp) 1 access-list nat
access-group allow_ping in interface outside
!
router eigrp 2008
 neighbor 10.254.17.10 interface outside
 network 10.254.17.8 255.255.255.248
 network 192.168.185.0 255.255.255.0
 network 192.168.187.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 20 set transform-set myset
crypto map mymap2 interface comp
crypto map mymap3 30 match address 110
crypto map mymap3 30 set peer 10.254.17.26
crypto map mymap3 30 set transform-set myset
crypto map mymap3 interface ouside3
crypto isakmp identity address
crypto isakmp enable ouside3
crypto isakmp enable outside
crypto isakmp enable comp
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
....

Question by:fgasimzade
17 Comments
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24743922
Simply configure a static route on the ASA.
For example:
    ip route 0.0.0.0 0.0.0.0 x.x.x.x 1
Where x is the address of the ASA to which your LAN is connected.
I am sure this will solve your problem.
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24743943
Simply configure a static route on the ASA.
For example:
    ip route 0.0.0.0 0.0.0.0 x.x.x.x 1
Where x is the address of the ASA to which it is connected on the outside.
I am sure this will solve your problem.
If it does not solve your problem, then tell me about the ASA: is it connected to the router?
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24743944
This network is directly connected; I can't see why it is not working.
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24743949
munir_hayat

The computer is connected to the ASA. Computer IP address 192.168.187.15, ASA IP address 192.168.187.14 - they cannot ping each other.
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24743952
Let me know the interface address to which it is connected directly.
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24743963
interface GigabitEthernet0/3
 nameif comp
 security-level 50
 ip address 192.168.187.14 255.255.255.0

You can find the configs in my first post.
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24743970
Dear, I mean the outside interface address to which it is connected.
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24743976
Why do you need the outside interface address? It is simple - computer IP address 192.168.187.15, ASA IP address 192.168.187.14. They are DIRECTLY connected, but cannot ping each other.
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24743989
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
change it to
route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
or
route outside 0.0.0.0 0.0.0.0 10.254.17.25 1

0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24744002
It looks like you don't understand me. The computer and the ASA are DIRECTLY connected.
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24744019
OK.
1. Change your network cable; try a straight and a cross cable.
2. Match your computer subnet mask and your ASA subnet mask.
This will solve your problem.
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24744027
I have already done all those things; it didn't help.
0
 
LVL 1

Expert Comment

by:munir_hayat
ID: 24744060
Have you created a VLAN?
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24744087
There is no need for VLANs, because on the same ASA I have an IP phone connected with IP address 192.168.185.15, connected to the 192.168.185.14 ASA interface, and everything works just fine.
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24751611
Still need help. The ASA's ARP table knows the PC's MAC address, and the PC shows the ASA's MAC in its ARP table, but they do not ping each other.
0
 
LVL 18

Author Comment

by:fgasimzade
ID: 24751615
The ASA knows the PC's MAC address.
0
 
LVL 18

Accepted Solution

by:
fgasimzade earned 0 total points
ID: 24751778
The issue is solved; there was a crypto map applied to that interface.
0
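
An added example, not part of the original thread: a small Python check for the condition behind the accepted solution, a crypto map bound to an interface while its match ACL is `permit ip any any`, so every packet on that interface (including a ping to a directly connected host) is selected for IPsec. The sample config is constructed from the relevant lines of the question's configuration, and the function name `audit_crypto_maps` is hypothetical.

```python
import re

# Constructed sample: only the lines of the question's config that matter here.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3
 nameif comp
 security-level 50
 ip address 192.168.187.14 255.255.255.0
access-list 110 extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
crypto map mymap 10 match address 110
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 interface comp
"""

def audit_crypto_maps(config):
    """Return sorted (interface, crypto map, ACL) tuples where the crypto ACL
    contains 'permit ip any any', i.e. all traffic on that interface is
    selected for IPsec and cleartext traffic will not pass."""
    wide_acls = set()   # ACL names that contain a 'permit ip any any' entry
    map_acls = {}       # crypto map name -> set of ACL names it matches on
    map_ifaces = {}     # crypto map name -> list of interfaces it is bound to
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) extended permit ip any any$", line)
        if m:
            wide_acls.add(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) \d+ match address (\S+)$", line)
        if m:
            map_acls.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            map_ifaces.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    for name, ifaces in map_ifaces.items():
        # Only ACLs that are both referenced by this map and match everything
        for acl in sorted(map_acls.get(name, set()) & wide_acls):
            findings.extend((iface, name, acl) for iface in ifaces)
    return sorted(findings)

if __name__ == "__main__":
    for iface, cmap, acl in audit_crypto_maps(SAMPLE_CONFIG):
        print(f"{iface}: crypto map {cmap} matches ACL {acl} (permit ip any any)")
```

On the sample it reports both `outside` and `comp`; the `comp` entry is the one that explains the failed ping to 192.168.187.15.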
