Solved

How to ping the inside network with Cisco 5505 Firewall

Posted on 2010-08-30
15
Medium Priority
505 Views
Last Modified: 2012-08-14
Hi there,
I am having some issues trying to ping the inside network using a Cisco 5505, below I'll post my configuration.
 Any help would be greatly appreciated.

Thanks,
router# sh running-config
: Saved
:
ASA Version 7.2(4)
!
hostname router
domain-name mitre.org
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.131.xxx.xxx 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 128.29.xxx.xxx 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mitre.org
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service web tcp
 description Web Traffic
 port-object eq 8080
 port-object eq www
 port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
access-list v483-cloud-IN extended permit icmp any any
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 eq ssh
access-list v483-cloud-IN extended permit udp any 10.131.0.0 255.255.255.0 eq ntp
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 object-group web
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group v483-cloud-IN in interface outside
route outside 0.0.0.0 0.0.0.0 128.29.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 128.29.109.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

username admin password kSXIy6qd1ZTBFL9/ encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:60d9d33d178f732662157806e27a4a27
: end
router#

Question by:ETLAB
15 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 33559823
Trying to ping from the ASA to a host on the inside?

If so, add this:

conf t
icmp permit any inside
0
 

Expert Comment

by:RulonA
ID: 33559829
Hi, where are you trying to ping from? Are you able to ping the inside host from the ASA itself? Check the arp table (show arp) and also see if any hits have accrued on the access-lists (show access-list).
0
 
LVL 1

Expert Comment

by:krejci_420
ID: 33559877
Are you trying to ping from the internet/outside to an inside host? If so you'll need to add static mapping entries assigning single outside public IP addresses to single inside IP addresses also known as one to one mappings or nat. If not a little more details will be necessary.
0
 

Author Comment

by:ETLAB
ID: 33560277
All,
I am on a network 128.29.xxx.xxx and they just created another subnet which has been advertised, 10.131.xxx.xxx. The outside network is 128.29.xxx.xxx and the inside new subnet is 10.131.xxx.xxx. What I am trying to reach is the inside 10.131.xxx.xxx from the outside. Inside the Cisco 5505 I can ping all the interfaces, 128.29.xxx.xxx and 10.131.xxx.xxx, plus a host that is connected to the PIX with an IP of 10.131.xxx.2, but I am unable to reach 10.131.xxx.2 from the outside.
0
 
LVL 1

Expert Comment

by:krejci_420
ID: 33560398
As I indicated, you will need to add a static mapping to be able to ping from the internet to an inside host. To be able to add a static mapping you will need additional IP addresses; it looks like you are on a full class C network. Assuming the entire block has been assigned to you to use, then you should be able to use any not yet in use elsewhere.

static (inside,outside) 128.29.xxx.xxx 10.131.xxx.xxx netmask 255.255.255.255
0
 

Author Comment

by:ETLAB
ID: 33560509
Krejci 420:

I tried static (inside,outside) 128.29.xxx.0 10.131.xxx.0 netmask 255.255.255.255 and it did not work.
0
 
LVL 1

Expert Comment

by:krejci_420
ID: 33560560
Using .0 is not allowed in most scenarios. The firewall knows that is the "subnet" address. Try using something between .1 and .254 that is not already in use. Note the last octet does not have to be identical on the outside and the inside.

Now if you want to use the whole class C range and map to the internal IP addresses, you can use the same static entry as above but then change the netmask number to 255.255.255.0, and it will map all of the IP addresses through in a one-to-one mapping with that single line.
0
 

Author Comment

by:ETLAB
ID: 33560750
krejci_420,
I tried both ways with no luck.
0
 
LVL 1

Expert Comment

by:krejci_420
ID: 33560868
What is happening? Are the commands giving errors or are you just unable to ping through? You may need to clear the translation table (clear xlate) after putting in the static mapping config.

It may be easier to focus on one single IP.
Add the config, obviously replacing the X and Y with an unused address on the outside and a real host on the inside. Then you should be good. Obviously you need to make sure the inside host is allowing ICMP as well in whatever host firewall software you're using, if any, and that it has a default gateway pointing at the firewall. I presume you've already got the gateway correctly set up, but it never hurts to ask and make sure it is not a simple mistake like that.

I'd also recommend enabling logging on the firewall in general, but you can enable full debug logging to the buffer, which is very verbose but useful in troubleshooting odd issues.
conf t
static (inside,outside) 128.29.x.y 10.131.x.y netmask 255.255.255.255
clear xlate


0
 

Author Comment

by:ETLAB
ID: 33561032
krejci_420,

Here is what I tried:

static (inside,outside) 128.29.109.0 10.131.0.0 netmask 255.255.255.255
clear xlate
And it is still not working.
0
 

Author Comment

by:ETLAB
ID: 33561052
Krejci_420,

I created an access-list if you see in the configuration that I attach using the command line, but then I created another access-list using the ASDM, Do you think that this might conflict?:

access-list v483-cloud-IN extended permit icmp any any
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 eq ssh
access-list v483-cloud-IN extended permit udp any 10.131.0.0 255.255.255.0 eq ntp
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 object-group we
0
 
LVL 1

Expert Comment

by:krejci_420
ID: 33561493
From your config in the initial question the ACL looks fine as it is applied via the access-group config.

You can't use a .0 in the IP addresses with a 255.255.255.255 in the netmask for this topology. Use a specific IP for a specific host and try it.

one example:
static (inside,outside) 128.29.109.50 10.131.0.50 netmask 255.255.255.255
0
 

Author Comment

by:ETLAB
ID: 33561543
Krejci_420,

Nope, it did not work.
0
 
LVL 1

Accepted Solution

by:
krejci_420 earned 1500 total points
ID: 33563226
You have access to use the whole 128.29.109.0 network? If the IP in question you tried to add to the static mapping is in use on another device outside of your firewall then the gateway router device will have an ARP conflict with your firewall and the other device. Does the gateway router device (your firewall's default gateway) have any ACLs or filtering? You can start up a packet capture on the ASA to watch for traffic destined for that IP address and verify traffic is reaching your firewall.

access-list capture-test permit ip any host 128.29.109.X
capture capture-test interface outside access-list capture-test real

that will show in real time packets on the outside interface that are destined for that IP in question.
0
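As an added example (not code from this thread or from Cisco), the following Python script audits a pre-8.3 ASA running-config for the three things the discussion above turns on: one-to-one statics that use a subnet's .0 network address or collide with the outside interface IP, an outside ACL that will never match, and SSH management left open to any source. It goes one step beyond the thread: on ASA releases before 8.3 an inbound ACL on the outside interface is matched against the mapped (translated) destination, so ACEs written against the real 10.131.x.x addresses, like the ssh/ntp/web lines in the config, never match traffic arriving from outside; from 8.3 on the real address is used instead. The interface addresses and the static lines in SAMPLE_CONFIG are constructed placeholders standing in for the masked octets on the page.

```python
"""Audit a pre-8.3 Cisco ASA running-config for the static-NAT, ACL and
management-access mistakes discussed in this thread (added example, not code
from the thread or from Cisco)."""
import ipaddress
import re

# Constructed sample: the thread's config trimmed, masked octets replaced by
# placeholders, plus the static lines the asker tried (all hypothetical).
SAMPLE_CONFIG = """\
ASA Version 7.2(4)
interface Vlan1
 nameif inside
 ip address 10.131.0.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 128.29.109.10 255.255.255.0
access-list v483-cloud-IN extended permit icmp any any
access-list v483-cloud-IN extended permit tcp any 10.131.0.0 255.255.255.0 eq ssh
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 128.29.109.0 10.131.0.0 netmask 255.255.255.255
static (inside,outside) 128.29.109.50 10.131.0.50 netmask 255.255.255.255
static (inside,outside) 128.29.109.10 10.131.0.60 netmask 255.255.255.255
access-group v483-cloud-IN in interface outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""


def _addr(tokens, i):
    """Consume one ACE address spec (any | host A | A MASK); return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST ...'."""
    tokens = line.split()
    i = next((k for k, t in enumerate(tokens) if t in ("permit", "deny")), None)
    if i is None:
        return None
    src, j = _addr(tokens, i + 2)
    dst, _ = _addr(tokens, j)
    return {"name": tokens[1], "proto": tokens[i + 1], "src": src, "dst": dst, "line": line}


def parse_config(text):
    """Extract version, interface subnets, statics, ACLs, access-groups and ssh lines."""
    cfg = {"version": (0, 0), "interfaces": {}, "statics": [], "acls": {},
           "access_groups": {}, "ssh": []}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ASA Version (\d+)\.(\d+)", line):
            cfg["version"] = (int(m[1]), int(m[2]))
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addr, mask = line.split()[2:4]
            cfg["interfaces"][nameif] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$", line):
            cfg["statics"].append({"real_if": m[1], "mapped_if": m[2],
                                   "mapped": ipaddress.ip_address(m[3]),
                                   "real": ipaddress.ip_address(m[4]), "mask": m[5]})
        elif line.startswith("access-list ") and (ace := _parse_ace(line)):
            cfg["acls"].setdefault(ace["name"], []).append(ace)
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            cfg["access_groups"][m[2]] = m[1]
        elif m := re.match(r"ssh (\S+) (\S+) (\S+)$", line):
            cfg["ssh"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
    return cfg


def audit(cfg):
    """Return a list of findings (empty means every check passed)."""
    findings, ifaces = [], cfg["interfaces"]
    for st in cfg["statics"]:
        out = ifaces.get(st["mapped_if"])
        if st["mask"] == "255.255.255.255":
            # A one-to-one static needs host addresses, never the subnet's ".0".
            for label, addr, ifname in (("mapped", st["mapped"], st["mapped_if"]),
                                        ("real", st["real"], st["real_if"])):
                net = ifaces.get(ifname)
                if net and addr == net.network.network_address:
                    findings.append(f"static: {label} {addr} is the network address "
                                    f"of {ifname} ({net.network}); use a host address")
        if out and st["mapped"] == out.ip:
            findings.append(f"static: mapped {st['mapped']} is the {st['mapped_if']} "
                            "interface IP, already used by the interface PAT")
    if cfg["version"] < (8, 3):
        # Pre-8.3 ASA matches an inbound outside ACL against the mapped (translated)
        # destination, so ACEs aimed at real inside addresses never match.
        inside = ifaces.get("inside")
        for ace in cfg["acls"].get(cfg["access_groups"].get("outside"), []):
            if inside and ace["dst"].subnet_of(inside.network):
                findings.append(f"acl: pre-8.3 outside ACE uses real destination "
                                f"{ace['dst']}; rewrite it for the mapped address: {ace['line']}")
    for net, ifname in cfg["ssh"]:
        if net.prefixlen == 0 and ifname == "outside":
            findings.append(f"ssh: management open to any source on {ifname}; "
                            "restrict it to known admin networks")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a real `show running-config` saved to a file by replacing SAMPLE_CONFIG with the file's contents; the checks are deliberately conservative (they only fire on patterns visible in the config, not on reachability), so pair them with the capture command from the accepted answer to confirm whether packets for the mapped address actually arrive on the outside interface.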
 

Author Closing Comment

by:ETLAB
ID: 33702308
Inconclusive
0
