Solved

cannot ping through ASA 5505

Posted on 2010-01-02
Last Modified: 2012-05-08
I am unable to ping *through* the ASA 5505. I can ping from the ASA to the inside and outside networks, and can ping from device to device within the inside network, and can ping from an inside device to the ASA.

192.168.22.0 -> ASA <- yyy.yyy.yyy.yyy

Config is attached. Note I recently added a VPN configuration, but the problem existed prior.
:
ASA Version 8.2(1) 
!
hostname bna
enable password X/rb/gIw.fvCCPS5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.22.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asdm-623.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server xxxxxxxx
 name-server xxxxxxxx

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
access-list inside_nat0_outbound extended permit ip 192.168.22.0 255.255.255.0 any 
access-list inside_nat0_outbound_1 extended permit ip 192.168.22.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.22.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list outside_in extended permit icmp any any echo-reply 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.22.0 255.255.255.0 any 
access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.22.0 255.255.255.0 inside
http home 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ToATL esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer home 
crypto map outside_map 1 set transform-set ToATL
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.22.150-192.168.22.160 inside
dhcpd dns 68.87.68.162 68.87.68.166 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group yyy.yyy.yyy.yyy type ipsec-l2l
tunnel-group yyy.yyy.yyy.yyy ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:7202a83f47d19f816055f604a6263afb
: end

Question by:wsg2
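Before touching the ACLs it is worth confirming where the echo-reply is actually dropped. The checks below are added here as an example and are not from the original post; the inside host 192.168.22.10, the DHCP-assigned outside address 203.0.113.10 and the remote host 198.51.100.1 are placeholders. The posted "show access-list" output already says most of it: inside_access_in counts the pings under its "permit ip" ACE (the "permit icmp" ACE expanded from the same object-group is never reached, hence hitcnt=0), and outside_access_in has hitcnt=0 because, with "global (outside) 1 interface", the reply arrives on the outside addressed to the PAT address (the outside interface), and on 8.2 an inbound ACL on the outside is matched against that translated address, not 192.168.22.0/24. Note also that "icmp permit any outside" only governs ICMP sent to the ASA itself, not ICMP passing through it.

```text
! 1. Trace the outbound echo (ICMP type 8, code 0) from an inside host.
!    Expect ALLOW, with a dynamic PAT xlate created to the outside interface address.
packet-tracer input inside icmp 192.168.22.10 8 0 198.51.100.1

! 2. Ping once from the inside host, then look at the xlate the ASA built for it
!    (ICMP PAT from inside:192.168.22.10 to outside:<outside address>).
show xlate

! 3. Trace the echo-reply (type 0) as it arrives on the outside. It is addressed to the
!    PAT address, not to 192.168.22.0/24, so with no "inspect icmp" the posted
!    outside_access_in never matches and the trace stops at the ACCESS-LIST phase.
packet-tracer input outside icmp 198.51.100.1 0 0 203.0.113.10 detailed

! 4. Confirm the same drop in the syslog (106023 = denied by access-group) and counters.
show logging | include 106023
show access-list outside_access_in
```

If step 3 shows an ACCESS-LIST drop while step 1 allows, the fix is either ICMP inspection (replies tracked as part of the outbound connection) or an outside ACE whose destination covers the PAT address.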
9 Comments
 
LVL 3

Expert Comment

by:simprix
ID: 26164545
What does "show access-list <acl_name>" show for all your ACLs?

Author Comment

by:wsg2
ID: 26164552
Hello. Thanks for the reply. See below:


access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inside_nat0_outbound; 1 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip 192.168.22.0 255.255.255.0 any (hitcnt=0) 0x6e8faa69
access-list inside_nat0_outbound_1; 1 elements; name hash: 0x9992f87f
access-list inside_nat0_outbound_1 line 1 extended permit ip 192.168.22.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0xd5e9448d
access-list outside_1_cryptomap; 1 elements; name hash: 0xcf826bcb
access-list outside_1_cryptomap line 1 extended permit ip 192.168.22.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=808) 0xb2daf88f
access-list outside_in; 1 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x46105ee8
access-list inside_access_in; 2 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit object-group DM_INLINE_PROTOCOL_1 192.168.22.0 255.255.255.0 any 0xfd6c05c9
  access-list inside_access_in line 1 extended permit ip 192.168.22.0 255.255.255.0 any (hitcnt=14638) 0xbf60ec23
  access-list inside_access_in line 1 extended permit icmp 192.168.22.0 255.255.255.0 any (hitcnt=0) 0x56d8a4cf
access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit icmp any 192.168.22.0 255.255.255.0 (hitcnt=0) 0xee369220


LVL 3

Expert Comment

by:simprix
ID: 26164583
Do this on your inside-to-outside ACL.

permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable

You then are going to want to edit your policy map.

policy-map global_policy
 class inspection_default
   inspect icmp
LVL 32

Expert Comment

by:rsivanandan
ID: 26164742
>access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0

The above is the only access-list you have for traffic coming from the internet; you need to change it.

>access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.22.0 255.255.255.0 any

Similarly, the above is the only access-list you have that allows traffic to go from inside to the internet; you need to improve it.

So do this;

object-group icmp-type icmp-allowed
  icmp-object echo
  icmp-object time-exceeded

access-list inside_access_in extended permit  192.168.22.0 255.255.255.0 object-group icmp-allowed

The above should take care of letting the icmp traffic go out; then;

>access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0

Instead of the above, add this;

access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0 echo-reply
access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0 source-quench
access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0 unreachable
access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0 time-exceeded

This should take care of reply messages coming in.

Cheers,
rsivanandan


Author Comment

by:wsg2
ID: 26165607
Thanks.

"access-list inside_access_in extended permit  192.168.22.0 255.255.255.0 object-group icmp-allowed " would not execute. Still no success.

Attached is the latest config.

ASA Version 8.2(1) 
!
hostname bna

enable password X/rb/gIw.fvCCPS5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.22.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asdm-623.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.87.68.166
 name-server 68.87.68.162
 domain-name gawsys.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type icmp-allowed
 icmp-object echo
 icmp-object time-exceeded
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object icmp 
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp information-request
access-list inside_nat0_outbound extended permit ip 192.168.22.0 255.255.255.0 any 
access-list inside_nat0_outbound_1 extended permit ip 192.168.22.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.22.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list outside_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0 echo-reply 
access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0 source-quench 
access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0 unreachable 
access-list outside_access_in extended permit icmp any 192.168.22.0 255.255.255.0 time-exceeded 
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.22.0 255.255.255.0 inside
http 97.81.18.30 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ToATL esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer yyy.yyy.yyy.yyy 
crypto map outside_map 1 set transform-set ToATL
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.22.150-192.168.22.160 inside
dhcpd dns 68.87.68.162 68.87.68.166 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group yyy.yyy.yyy.yyy type ipsec-l2l
tunnel-group yyy.yyy.yyy.yyy ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:7202a83f47d19f816055f604a6263afb
: end

LVL 3

Expert Comment

by:simprix
ID: 26165877
You need to edit the policy map.

policy-map global_policy
 class inspection_default
   inspect icmp


Author Comment

by:wsg2
ID: 26165924
It's there. Still no success....


policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp


LVL 3

Expert Comment

by:simprix
ID: 26166093
Do this:

access-list inside_access_in extended permit icmp 192.168.22.0 255.255.255.0 any object-group icmp-allowed
LVL 32

Accepted Solution

by:rsivanandan (earned 200 total points)
ID: 26168082
>access-list inside_access_in extended permit  192.168.22.0 255.255.255.0 object-group icmp-allowed

The protocol parameter is missing in there.

access-list inside_access_in extended permit icmp 192.168.22.0 255.255.255.0 any object-group icmp-allowed

Try now.

Cheers,
rsivanandan
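The thread's pieces, collected into one ASA 8.2 configuration fragment. This is added here as an example, not something posted by anyone in the thread. Two things stand out in the second posted config: "access-group outside_access_in in interface outside" is no longer present (an ACL that is not applied to an interface does nothing, and the implicit deny then drops every inbound reply), and the ACE using object-group icmp-allowed needs both a protocol and a destination to parse. The outside ACEs use "any" as destination because the reply is delivered to the PAT address (the outside interface, whatever DHCP assigns), which is the address an outside ACL sees on 8.2; ACEs keyed on 192.168.22.0/24 cannot match it.

```text
! Inside -> outside: the ACE the thread converged on, with protocol AND destination.
! 8.2 syntax: permit icmp <src> <mask> <dst> <mask> [icmp-type | object-group <icmp-type group>]
object-group icmp-type icmp-allowed
 icmp-object echo
 icmp-object time-exceeded
access-list inside_access_in extended permit icmp 192.168.22.0 255.255.255.0 any object-group icmp-allowed
access-group inside_access_in in interface inside

! Preferred: let the ICMP inspection engine track echo/echo-reply as a connection so
! replies to pings that originated inside return without an outside ACE. "inspect icmp
! error" additionally ties unreachable/time-exceeded messages to the flow they refer to.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Without inspection, the reply types must be permitted toward the PAT address.
! Keep the list to reply and error types only; never open "permit icmp any any".
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
! The second posted config dropped this line; without it the ACL above is never consulted.
access-group outside_access_in in interface outside

! Verify: counters on the outside ACEs move as replies arrive, and inspection shows
! echo/echo-reply pairs being tracked.
show access-list outside_access_in
show service-policy inspect icmp
```

With "inspect icmp" in place the three outside ACEs are not needed for replies to inside-originated pings; they remain useful if inspection is ever removed and for error messages about non-ICMP flows, which is why both halves are shown together.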