Solved

How to ping the inside network with Cisco 5505 Firewall

Posted on 2010-08-30
Last Modified: 2012-08-14
Hi there,
I am having some issues trying to ping the inside network using a Cisco 5505; below I'll post my configuration. Any help would be greatly appreciated.

Thanks,
router# sh running-config
: Saved
:
ASA Version 7.2(4)
!
hostname router
domain-name mitre.org
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.131.xxx.xxx 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 128.29.xxx.xxx 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mitre.org
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service web tcp
 description Web Traffic
 port-object eq 8080
 port-object eq www
 port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
access-list v483-cloud-IN extended permit icmp any any
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 eq ssh
access-list v483-cloud-IN extended permit udp any 10.131.0.0 255.255.255.0 eq ntp
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 object-group web
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group v483-cloud-IN in interface outside
route outside 0.0.0.0 0.0.0.0 128.29.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 128.29.109.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
username admin password kSXIy6qd1ZTBFL9/ encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:60d9d33d178f732662157806e27a4a27
: end
router#

Question by:ETLAB
15 Comments
 

Expert Comment

by:JFrederick29
ID: 33559823
Trying to ping from the ASA to a host on the inside?

If so, add this:

conf t
icmp permit any inside

Expert Comment

by:RulonA
ID: 33559829
Hi, where are you trying to ping from? Are you able to ping the inside host from the ASA itself? Check the ARP table (show arp) and also see whether any hits have accrued on the access-lists (show access-list).

Expert Comment

by:krejci_420
ID: 33559877
Are you trying to ping from the internet/outside to an inside host? If so, you'll need to add static mapping entries assigning single outside public IP addresses to single inside IP addresses, also known as one-to-one mappings or NAT. If not, a little more detail will be necessary.

Author Comment

by:ETLAB
ID: 33560277
All,
I am on network 128.29.xxx.xxx, and they just created another subnet, 10.131.xxx.xxx, which has been advertised. The outside network is 128.29.xxx.xxx and the new inside subnet is 10.131.xxx.xxx. What I am trying to reach is the inside 10.131.xxx.xxx from the outside. From inside the Cisco 5505 I can ping all the interfaces (128.29.xxx.xxx and 10.131.xxx.xxx) plus a host connected to the PIX with an IP of 10.131.xxx.2, but I am unable to reach 10.131.xxx.2 from the outside.

Expert Comment

by:krejci_420
ID: 33560398
As I indicated, you will need to add a static mapping to be able to ping from the internet to an inside host. To be able to add a static mapping you will need additional IP addresses; it looks like you are on a full class C network. Assuming the entire block has been assigned to you to use, you should be able to use any address not yet in use elsewhere.

static (inside,outside) 128.29.xxx.xxx 10.131.xxx.xxx netmask 255.255.255.255

Author Comment

by:ETLAB
ID: 33560509
Krejci 420:

I tried static (inside,outside) 128.29.xxx.0 10.131.xxx.0 netmask 255.255.255.255 and it did not work.

Expert Comment

by:krejci_420
ID: 33560560
Using .0 is not allowed in most scenarios. The firewall knows that is the "subnet" address. Try using something between .1 and .254 that is not already in use. Note the last octet does not have to be identical on the outside and the inside.

Now, if you want to use the whole class C range and map it to the internal IP addresses, you can use the same static entry as above but change the netmask to 255.255.255.0, and it will map all of the IP addresses through in a one-to-one mapping with that single line.

Author Comment

by:ETLAB
ID: 33560750
krejci_420,
I tried both ways with no luck.

Expert Comment

by:krejci_420
ID: 33560868
What is happening? Are the commands giving errors, or are you just unable to ping through? You may need to clear the translation table (clear xlate) after putting in the static mapping config.

It may be easier to focus on one single IP.
Add the config, replacing the X and Y with an unused address on the outside and a real host on the inside. Then you should be good. You also need to make sure the inside host is allowing ICMP in whatever host firewall software you're using, if any, and that it has a default gateway pointing at the firewall. I presume you've already got the gateway correctly set up, but it never hurts to ask and make sure it is not a simple mistake like that.

I'd also recommend enabling logging on the firewall in general, but you can enable full debug logging to the buffer, which is very verbose but useful in troubleshooting odd issues.
conf t
static (inside,outside) 128.29.x.y 10.131.x.y netmask 255.255.255.255
clear xlate

Author Comment

by:ETLAB
ID: 33561032
krejci_420,

Here is what I tried:

static (inside,outside) 128.29.109.0 10.131.0.0 netmask 255.255.255.255
clear xlate
And it is still not working.

Author Comment

by:ETLAB
ID: 33561052
Krejci_420,

I created an access-list using the command line, as you can see in the configuration I attached, but then I created another access-list using the ASDM. Do you think this might conflict?

access-list v483-cloud-IN extended permit icmp any any
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 eq ssh
access-list v483-cloud-IN extended permit udp any 10.131.0.0 255.255.255.0 eq ntp
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 object-group we

Expert Comment

by:krejci_420
ID: 33561493
From your config in the initial question the ACL looks fine, as it is applied via the access-group config.

You can't use a .0 in the IP addresses with a 255.255.255.255 netmask for this topology. Use a specific IP for a specific host and try it.

one example:
static (inside,outside) 128.29.109.50 10.131.0.50 netmask 255.255.255.255

Author Comment

by:ETLAB
ID: 33561543
Krejci_420,

Nope, it did not work.

Accepted Solution

by: krejci_420 (earned 500 total points)
ID: 33563226
Do you have access to use the whole 128.29.109.0 network? If the IP you tried to add to the static mapping is in use on another device outside of your firewall, then the gateway router will have an ARP conflict between your firewall and the other device. Does the gateway router (your firewall's default gateway) have any ACLs or filtering? You can start a packet capture on the ASA to watch for traffic destined for that IP address and verify that traffic is reaching your firewall.

access-list capture-test permit ip any host 128.29.109.X
capture capture-test interface outside access-list capture-test real

That will show, in real time, packets on the outside interface that are destined for the IP in question.
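Pulling the pieces of this thread together into one sequence, as an added example that is not part of the original thread: the interface ICMP permit from JFrederick29's comment, krejci_420's one-to-one static versus the /24 net-to-net form, the clear xlate step, and the capture from the accepted solution, plus the ASA's own checks (show xlate, show arp, packet-tracer). It is written in the pre-8.3 syntax the posted config uses (ASA 7.2(4)) and reuses the thread's placeholder pair 128.29.109.50 / 10.131.0.50, which is an assumption and not a verified address; 203.0.113.10 is a documentation address standing in for an outside test host.

```cisco
! Added example, not from the thread. ASA 7.2(4), pre-8.3 NAT/ACL syntax.
! Assumed: 128.29.109.50 is an unused address on the outside /24,
!          10.131.0.50 is the inside host that should answer ping.
conf t
!
! 1. Allow ICMP that terminates on the ASA's own inside interface
!    (ASA-to-host pings, ASDM/CLI ping tests). This does NOT control
!    ICMP passing through the firewall.
icmp permit any inside
!
! 2. One-to-one static. netmask 255.255.255.255 maps exactly one host.
!    With .0 on both sides and netmask 255.255.255.0 the same command
!    maps the whole /24 net-to-net instead; a .0 host with a /32 mask
!    maps nothing useful.
static (inside,outside) 128.29.109.50 10.131.0.50 netmask 255.255.255.255
!
! 3. Outside ACL. On pre-8.3 code an inbound ACL on the outside interface
!    matches the MAPPED (global) address, so the existing entries that name
!    10.131.0.0/24 never match inbound traffic; only "permit icmp any any"
!    does. Replace that blanket entry with one scoped to the mapped host.
no access-list v483-cloud-IN extended permit icmp any any
access-list v483-cloud-IN extended permit icmp any host 128.29.109.50 echo
!
! 4. Flush existing translations so the new static is used immediately.
clear xlate
!
! 5. Confirm the translation exists and that the upstream router resolved
!    the mapped address to this ASA (ARP conflict check from the thread).
show xlate | include 128.29.109.50
show arp
show access-list v483-cloud-IN
!
! 6. Simulate an inbound echo request from an outside host and read which
!    phase (ACL, NAT, route) drops it, without generating real traffic.
packet-tracer input outside icmp 203.0.113.10 8 0 128.29.109.50
!
! 7. Capture real packets for the mapped address on the outside interface
!    (the accepted solution's check), then remove the capture.
access-list capture-test permit ip any host 128.29.109.50
capture capture-test interface outside access-list capture-test
show capture capture-test
no capture capture-test
```

If packet-tracer reports the packet allowed but show capture never sees it, the problem is upstream of the ASA (the gateway's ARP entry for 128.29.109.50 or filtering on the gateway), which is what the accepted solution is checking for. If the capture sees echo requests but no replies, look at the inside host's gateway and host firewall. Two things already in the posted config are worth narrowing while you are in there: the outside ACL's tcp/udp entries would need the mapped addresses to work at all on 7.2, and "ssh 0.0.0.0 0.0.0.0 outside" exposes the ASA's own SSH to every source on the outside. On ASA 8.3 and later the static line above becomes an "object network" with "nat (inside,outside) static", and the outside ACL matches the real (inside) address instead, so this sequence does not carry over unchanged.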

Author Closing Comment

by:ETLAB
ID: 33702308
Inconclusive