I am pinging from 2 different desktop computers (10.0.110.10 and 10.0.10.200), both on the inside LAN, to the DMZ interface 10.100.21.253. Both computers cannot ping. Sample output from ASA logs:
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
ASA Version 8.0(5)
!
hostname FBNECOLO5520-01
names
!
interface GigabitEthernet0/0
description Internet interface
nameif outside
security-level 0
ip address 100.1.1.1 255.255.255.0
ospf database-filter all out
!
interface GigabitEthernet0/1
description Redundant physical interface bound to logical interface "redundant 1"
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Redundant physical interface bound to logical interface "redundant 1"
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description SBNECOLO4506-01 gi2/24
nameif inside
security-level 100
ip address 10.100.15.249 255.255.255.0
ospf retransmit-interval 2
ospf hello-interval 1
ospf dead-interval 15
ospf message-digest-key 1 md5 <removed>
ospf authentication message-digest
!
interface Management0/0
no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/2
nameif web-dmz
security-level 50
ip address 10.100.21.253 255.255.255.0
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.100.15.0 255.255.255.0
!
ip verify reverse-path interface web-dmz
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any outside
icmp permit any inside
icmp permit any web-dmz
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group web-dmz_access_in in interface web-dmz
!
router ospf 10
router-id 10.100.15.249
network 10.100.15.249 255.255.255.255 area 0
network 10.100.21.0 255.255.255.0 area 0
area 0 authentication message-digest
timers spf 10 500
log-adj-changes detail
redistribute connected subnets
!
route outside 0.0.0.0 0.0.0.0 100.1.1.2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
: end
8/22/2022 - Mon
Ernie Beek
and if you add: access-list web-dmz_access_in extended permit icmp any any ?
pjmcdougall
ASKER
I thought "ip" covered icmp? Anyway I have now added it but no luck. As you can see I can ping the inside interface but not the dmz interface:
C:\WINDOWS>ping 10.100.15.249
Pinging 10.100.15.249 with 32 bytes of data:
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Ping statistics for 10.100.15.249:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Well I noticed that sometimes it might help, but not in this case.
I saw something else in your config: static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
You might want to change that: static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
pjmcdougall
ASKER
My head gets a bit fried with these nats. My lan has 3 subnets:
10.0.10.0/24
10.0.110.0/24
10.100.15.0/24
Should the inside address in your above example cover all 3 subnets? Remember I am pinging from the computers 10.0.10.200 and 10.0.110.10. My 10.100.15.0 subnet is only a management subnet for all my Cisco kit.
cheers,
paul
pjmcdougall
ASKER
A bit more info. This is a ping from the ASA to my PC. As expected the web-dmz source failed:
Standard Ping:
FBNECOLO5520-01(config)# ping 10.0.110.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
!!!!!
Extended Ping:
FBNECOLO5520-01(config)# ping
Interface: web-dmz
Target IP address: 10.0.110.10
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Hey erniebeek, I tried your suggestion and now there seems to be a portmap translation error thrown into the mix. Cheers for giving it a go, anything else we can try?
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-3-305006: portmap translation creation failed for icmp src inside:10.0.110.10 dst web-dmz:10.100.21.1 (type 8, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
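The 305006 line above names the source interface/address and destination interface/address for which no translation could be built. As an added check (my code, not anything posted in this thread), this parses such a line together with the configured static statements and reports whether an identity static on that interface pair covers the source; with the original /8 static the source is covered, with the suggested 10.100.15.0/24 replacement it is not, which is exactly the change that produced the error. The suggested fix assumes a /24 per inside subnet, as the subnets listed in the thread are /24s.

```python
import ipaddress
import re

# Constructed sample input, copied in shape from the thread: the original /8
# identity static, and the /24 replacement that was suggested later.
STATIC_BEFORE = ["static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0"]
STATIC_AFTER = ["static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0"]

FAILED_XLATE = ("%ASA-3-305006: portmap translation creation failed for icmp "
                "src inside:10.0.110.10 dst web-dmz:10.100.21.1 (type 8, code 0)")

# ASA 8.0 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)")
XLATE_RE = re.compile(
    r"%ASA-3-305006: portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+) dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)")


def parse_statics(lines):
    """Return (real_if, mapped_if, real_network) for each 'static' line."""
    out = []
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            # ipaddress accepts dotted netmasks, e.g. 10.0.0.0/255.0.0.0
            net = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
            out.append((m["real_if"], m["mapped_if"], net))
    return out


def explain_xlate_failure(log_line, static_lines):
    """Parse a 305006 message; say which static covers the source, or what
    identity static for the source's /24 (assumed) would. None if not 305006."""
    m = XLATE_RE.match(log_line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    covering = [f"static ({rif},{mif}) {net.with_netmask}"
                for rif, mif, net in parse_statics(static_lines)
                if rif == m["src_if"] and mif == m["dst_if"] and src in net]
    suggestion = None
    if not covering:
        net24 = ipaddress.ip_network(f"{src}/24", strict=False).network_address
        suggestion = (f"static ({m['src_if']},{m['dst_if']}) "
                      f"{net24} {net24} netmask 255.255.255.0")
    return {"src": m["src"], "src_if": m["src_if"], "dst": m["dst"],
            "dst_if": m["dst_if"], "covered": bool(covering),
            "covering": covering, "suggestion": suggestion}
```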
Ernie Beek
That's correct, you tried to ping from an address for which we haven't created one yet :)
Still missing the static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
Then the translations should be ok. Otherwise let me know what shows up in the logs then.
pjmcdougall
ASKER
Here's something interesting. If I plug a laptop into the DMZ I can ping my PC 10.0.110.10.
I give the laptop the following TCP settings:
IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253
Good one way but not the other - arrrrrgh!
pjmcdougall
ASKER
Hi erniebeek,
Yep, you're right, but I am now limiting my testing to the one subnet of 10.0.110.0/24. Nonetheless I have also added the other internal subnet as you pointed out:
You cannot ping the DMZ interface...... but can you ping anything in the DMZ?
You pinged your station from a laptop in the DMZ, can you ping the laptop from your station?
pjmcdougall
ASKER
No I tried that. I cannot ping the laptop from my PC.
PC can ping the inside interface (obviously because I am telneted into the ASA) but cannot ping the DMZ interface or anything behind the DMZ.
pjmcdougall
ASKER
Here is a quick diagram of my topology, hope it helps. (Attachment: Topology.gif)
The attached image is a snap of the ASDM logs (as opposed to the ASA logs) and here you can see the laptop trying to do DNS lookup to 139.130.4.4 and 10.0.2.1.
The pass to 139.130.4.4 failed because no access-list permitting and the pass to 10.0.2.1 failed because we have not put a nat in for this subnet (yes it's another subnet on the trusted but irrelevant to our problems here). (Attachment: ASDM-log.gif)
pjmcdougall
ASKER
I think we got it !!!
The laptop had its firewall turned on (damn SOE). I have since turned it off and I can now ping it from the trusted network.
I still would have been chasing my tail though because I did not know about the "closest interface" rule, i.e. the one facing you. First I've heard about that. This would explain why my pings are still not responding to the DMZ interface of 10.100.21.253.
Is that correct erniebeek?
Ernie Beek
That's correct, the only exception is when you connect through a VPN and issue 'management-access' on it.
Glad you figured it out (and thanks to MS :-( ).
Just one question, did you intend to close the question the way you did?
Though I'm doing this for fun and to steepen my learning curve, points are always nice to have ;)
pjmcdougall
ASKER
Likewise I really appreciated your help. This was my 1st time on ExpertsExchange (1 month trial), how do I allocate points to you? Please advise and I would be more than happy to comply with ANY requirement.
Ernie Beek
Just ask a moderator.
I'll hit the object button and someone will have a look and help us out.
I did not see the option "Accept and Award Points" only "Accept Solution". I would like to award erniebeek 500 points for his trouble. Without his comment: "you can only ping the ASA interface that is facing you" + other troubleshooting I may never have solved the issue.
Can you please assist by awarding these points from my account to erniebeek?
Kind Regards,
Paul
Ernie Beek
One way or another we always are able to get things right (with a bit of help from the mods :)