pjmcdougall (Australia) asked:

ASA5520 Cannot ping from inside to dmz

I am pinging from 2 different desktop computers (10.0.110.10 and 10.0.10.200), both on the inside LAN, to the DMZ interface 10.100.21.253. Both computers cannot ping. Sample output from the ASA logs:

%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0

ASA Version 8.0(5)
!
hostname FBNECOLO5520-01
names
!
interface GigabitEthernet0/0
 description Internet interface
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0
 ospf database-filter all out
!
interface GigabitEthernet0/1
 description Redundant physical interface bound to logical interface "redundant 1"
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Redundant physical interface bound to logical interface "redundant 1"
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description SBNECOLO4506-01 gi2/24
 nameif inside
 security-level 100
 ip address 10.100.15.249 255.255.255.0
 ospf retransmit-interval 2
 ospf hello-interval 1
 ospf dead-interval 15
 ospf message-digest-key 1 md5 <removed>
 ospf authentication message-digest
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif web-dmz
 security-level 50
 ip address 10.100.21.253 255.255.255.0
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.100.15.0 255.255.255.0
!
ip verify reverse-path interface web-dmz
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any outside
icmp permit any inside
icmp permit any web-dmz
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group web-dmz_access_in in interface web-dmz
!
router ospf 10
 router-id 10.100.15.249
 network 10.100.15.249 255.255.255.255 area 0
 network 10.100.21.0 255.255.255.0 area 0
 area 0 authentication message-digest
 timers spf 10 500
 log-adj-changes detail
 redistribute connected subnets
!
route outside 0.0.0.0  0.0.0.0  100.1.1.2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
: end
Topic: Cisco

Last comment: Ernie Beek, 8/22/2022 (Mon)
Ernie Beek

and if you add: access-list web-dmz_access_in extended permit icmp any any ?
pjmcdougall

ASKER
I thought "ip" covered icmp?  Anyway I have now added it but no luck.  As you can see I can ping the inside interface but not the dmz interface:


C:\WINDOWS>ping 10.100.15.249

Pinging 10.100.15.249 with 32 bytes of data:

Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253

Ping statistics for 10.100.15.249:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS>ping 10.100.21.253

Pinging 10.100.21.253 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.100.21.253:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
pjmcdougall

ASKER
Just in case someone asks me whether the routing is OK for this subnet on my LAN: the output below is from the ASA and it clearly shows the subnets in question:

FBNECOLO5520-01(config)# sh ospf database

       OSPF Router with ID (10.100.15.249) (Process ID 10)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.100.15.249 10.100.15.249 1607            0x80000051 0x 554 2
192.168.255.25  192.168.255.25  1556        0x800003ca 0x69cf 4
192.168.255.26  192.168.255.26  1136        0x8000036d 0x9194 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.100.15.252   192.168.255.25  1556        0x80000008 0x48f3

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
10.0.2.0        192.168.255.26  1136        0x8000034e 0x 3bd 0
10.0.3.0        192.168.255.26  1136        0x80000279 0xa4f0 0
10.0.4.0        192.168.255.26  1136        0x80000279 0x99fa 0
10.0.5.0        192.168.255.26  1136        0x80000279 0x8e05 0
10.0.6.0        192.168.255.26  1136        0x80000279 0x830f 0
10.0.7.0        192.168.255.26  1136        0x80000279 0x7819 0
10.0.8.0        192.168.255.26  1136        0x8000034a 0xc8f5 0
10.0.10.0       192.168.255.26  1136        0x8000034f 0xa80f 0
10.0.12.0       192.168.255.26  1136        0x8000034f 0x9223 0
10.0.13.0       192.168.255.26  1136        0x8000034f 0x872d 0
10.0.14.0       192.168.255.26  1136        0x8000034c 0x8234 0
10.0.15.0       192.168.255.26  1136        0x8000034a 0x7b3c 0
10.0.16.0       192.168.255.26  1136        0x8000034a 0x7046 0
10.0.17.0       192.168.255.26  1136        0x8000034f 0x5b55 0
10.0.40.0       192.168.255.26  1136        0x80000349 0x96b7 0
10.0.41.0       192.168.255.26  1136        0x80000349 0x8bc1 0
10.0.42.0       192.168.255.26  1136        0x80000349 0x80cb 0
10.0.43.0       192.168.255.26  1136        0x80000349 0x75d5 0
10.0.44.0       192.168.255.26  1136        0x80000349 0x6adf 0
10.0.100.0      192.168.255.26  1136        0x80000279 0x75be 0
10.0.101.0      192.168.255.26  1136        0x8000034a 0xc59b 0
10.0.102.0      192.168.255.26  1136        0x8000034d 0xb4a8 0
10.0.103.0      192.168.255.26  1136        0x8000034f 0xa5b4 0
10.0.104.0      192.168.255.26  1136        0x8000034f 0x9abe 0
10.0.105.0      192.168.255.26  1136        0x8000034f 0x8fc8 0
10.0.106.0      192.168.255.26  1136        0x8000034e 0x86d1 0
10.0.107.0      192.168.255.26  1136        0x8000034b 0x81d8 0
10.0.108.0      192.168.255.26  1136        0x8000034a 0x78e1 0
10.0.109.0      192.168.255.26  1136        0x8000034a 0x6deb 0
10.0.110.0      192.168.255.26  1136        0x8000034f 0x58fa 0
10.0.120.0      192.168.255.26  1136        0x80000279 0x9887 0
---- cut ----

Thanks for looking :)
Ernie Beek

Well I noticed that sometimes it might help, but not in this case.

I saw something else in your config:
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

You might want to change that:
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
pjmcdougall

ASKER
My head gets a bit fried with these nats.  My lan has 3 subnets:

10.0.10.0/24
10.0.110.0/24
10.100.15.0/24

Should the inside address in your above example cover all 3 subnets?  Remember I am pinging from the computers 10.0.10.200 and 10.0.110.10.   My 10.100.15.0 subnet is only a management subnet for all my cisco kit.

cheers,
paul
pjmcdougall

ASKER
A bit more info.  This is a ping from the ASA to my PC.  As expected the web-dmz source failed:

Standard Ping:
FBNECOLO5520-01(config)# ping 10.0.110.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
!!!!!

Extended Ping:
FBNECOLO5520-01(config)# ping
Interface: web-dmz
Target IP address: 10.0.110.10
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
pjmcdougall

ASKER
Hey erniebeek, I tried your suggestion and now there seems to be a portmap translation error thrown into the mix.  Cheers for giving it a go, anything else we can try?

%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-3-305006: portmap translation creation failed for icmp src inside:10.0.110.10 dst web-dmz:10.100.21.1 (type 8, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
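The three message IDs in the logs above (302020, 302021 and 305006) carry enough structure to be parsed rather than read by eye. The following is an added example, not code from the thread or from Cisco: it parses those lines, separates "the ACL let the echo through and a connection was built" from "no translation exists between these two interfaces", and prints the identity static the thread converges on. The sample log string is the thread's own lines pasted in; the interface address table and the /24 prefix used to derive the static are assumptions taken from the config posted above.

```python
"""Turn the ASA ICMP log lines from the thread into findings an admin can act on."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample input: the syslog lines posted above, one per line.
SAMPLE_LOG = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-3-305006: portmap translation creation failed for icmp src inside:10.0.110.10 dst web-dmz:10.100.21.1 (type 8, code 0)
"""

# Assumption: the ASA's own interface addresses, copied from the posted config.
ASA_INTERFACE_ADDRS = {
    "100.1.1.1": "outside",
    "10.100.15.249": "inside",
    "10.100.21.253": "web-dmz",
}

HEADER_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.+)$")
CONN_RE = re.compile(
    r"^(?P<action>Built|Teardown)(?: (?P<direction>inbound|outbound))? ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)
PORTMAP_RE = re.compile(
    r"^portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+) dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+) "
    r"\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\)$"
)


def parse_line(line):
    """Return a dict for the three message IDs the thread shows, or None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msgid": m["msgid"]}
    body = m["body"]
    if rec["msgid"] in ("302020", "302021"):
        c = CONN_RE.match(body)
        if not c:
            return None
        rec.update(c.groupdict())
    elif rec["msgid"] == "305006":
        p = PORTMAP_RE.match(body)
        if not p:
            return None
        rec.update(p.groupdict())
        rec["icmp_type"] = int(rec["icmp_type"])
        rec["icmp_code"] = int(rec["icmp_code"])
    else:
        return None
    return rec


def diagnose(log_text):
    """Group parsed records into findings.

    - 305006: the packet passed the interface ACL but no xlate could be built between
      src_if and dst_if, i.e. a static/NAT exemption for the source network is missing.
    - 302020 (Built): proves the ACL permitted the echo and state was created; it says
      nothing about whether an echo-reply ever came back.
    - A Built whose laddr is one of the ASA's own addresses is an echo aimed at the
      firewall itself, which is governed by the "icmp" commands and the facing-interface rule,
      not by NAT.
    """
    findings = {"missing_translation": [], "echo_to_asa_interface": [], "permitted_flows": defaultdict(int)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] == "305006":
            findings["missing_translation"].append((rec["src_if"], rec["src"], rec["dst_if"], rec["dst"]))
        elif rec["action"] == "Built":
            findings["permitted_flows"][(rec["faddr"], rec["laddr"])] += 1
            if rec["laddr"] in ASA_INTERFACE_ADDRS:
                findings["echo_to_asa_interface"].append((rec["faddr"], ASA_INTERFACE_ADDRS[rec["laddr"]]))
    findings["permitted_flows"] = dict(findings["permitted_flows"])
    return findings


def suggested_static(src_if, src, dst_if, prefix_len=24):
    """Identity static of the form used in the thread; the /24 is an assumption, not read from the log."""
    net = ip_network(f"{src}/{prefix_len}", strict=False)
    return f"static ({src_if},{dst_if}) {net.network_address} {net.network_address} netmask {net.netmask}"


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for src_if, src, dst_if, _dst in result["missing_translation"]:
        print("missing translation, consider:", suggested_static(src_if, src, dst_if))
    for src, iface in result["echo_to_asa_interface"]:
        print(f"{src} is pinging the ASA's own {iface} address (NAT is not the gate here)")
```

Running it on the thread's lines reports one missing translation for 10.0.110.10 from inside to web-dmz, which is exactly the `static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0` Ernie suggests next, and flags the 10.100.21.253 echo as a ping to the firewall itself, which is the part no static can fix.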
Ernie Beek

That's correct, you tried to ping from an address for which we haven't created one yet :)

So try adding:
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0


as well
pjmcdougall

ASKER
Hi erniebeek, it doesn't seem to have made any difference :(

My nats are configured as:

global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
Ernie Beek

Still missing the
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0

Then the translations should be ok. Otherwise let me know what shows up in the logs then.
pjmcdougall

ASKER
Here's something interesting.  If I plug a laptop into the DMZ I can ping my PC 10.0.110.10.

I give the laptop the following TCP settings:

IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253

Good one way but not the other - arrrrrgh!
pjmcdougall

ASKER
Hi erniebeek,

Yep, you're right, but I am now limiting my testing to the one subnet of 10.0.110.0/24. Nonetheless I have also added the other internal subnet as you pointed out:

static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0

Logs are still as they were at the beginning of this post.
Ernie Beek

Just thinking hard here.

You cannot ping the DMZ interface...... but can you ping anything in the DMZ?
You pinged your station from a laptop in the DMZ, can you ping the laptop from your station?
pjmcdougall

ASKER
No I tried that.  I cannot ping the laptop from my PC.

PC can ping the inside interface (obviously because I am telneted into the ASA) but cannot ping the DMZ interface or anything behind the DMZ.

pjmcdougall

ASKER
Here is a quick diagram of my topology, hope it helps.
Topology.gif
ASKER CERTIFIED SOLUTION
Ernie Beek

pjmcdougall

ASKER
Hi erniebeek,

All your assumptions are correct.

Pinging from the core router (cisco 4506) is same as from my PC - nothin!
Ernie Beek

Been looking at the logs and see something funny. Do you know what 10.100.21.1 is?
pjmcdougall

ASKER
Yup, it's my laptop in the DMZ remember :)

IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253

pjmcdougall

ASKER
More info, nothing wrong just an observation:

The attached image is a snap of the ASDM logs (as opposed to the ASA logs) and here you can see the laptop trying to do DNS lookup to 139.130.4.4 and 10.0.2.1.  

The pass to 139.130.4.4 failed because no access-list permitting and the pass to 10.0.2.1 failed because we have not put a nat in for this subnet (yes it's another subnet on the trusted but irrelevant to our problems here)
ASDM-log.gif
pjmcdougall

ASKER
I think we got it !!!

The laptop had its firewall turned on (damn SOE). I have since turned it off and I can now ping it from the trusted network.

I still would have been chasing my tail though, because I did not know about the "closest interface" rule, i.e. the one facing you. First I've heard of that. This would explain why my pings are still not answered by the DMZ interface, 10.100.21.253.

Is that correct erniebeek?
Ernie Beek

That's correct; the only exception is when you connect through a VPN and issue 'management-access' on it.
Glad you figured it out (and thanks to MS :-(  ).
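The rule Ernie confirms here, that an ASA interface address only answers hosts arriving on that same interface, is easy to model, and the model explains every ping result in this thread. Below is an added Python example, not code from the thread or from Cisco. The interface table is copied from the posted config; the route table is an assumption reduced to what the OSPF database and the default route show (the 10.0.0.0/8 LAN subnets learned on inside, everything else via outside). It assumes the `icmp permit` statements in the config allow echo on every interface, which they do, so the only gate left is the facing-interface rule and its VPN `management-access` exception.

```python
"""Which ASA interface address answers a ping from a given source? (facing-interface rule)"""
from ipaddress import ip_address, ip_network

# Assumption: interfaces as in the posted config: name -> (interface address, connected subnet).
INTERFACES = {
    "outside": ("100.1.1.1", "100.1.1.0/24"),
    "inside": ("10.100.15.249", "10.100.15.0/24"),
    "web-dmz": ("10.100.21.253", "10.100.21.0/24"),
}

# Assumption: routing table reduced to what the thread shows. The 10.0.x.0/24 LAN
# subnets are OSPF Type-5 routes from the core switch, reached via inside; the
# default route is "route outside 0.0.0.0 0.0.0.0 100.1.1.2".
ROUTES = [
    (ip_network("0.0.0.0/0"), "outside"),
    (ip_network("10.0.0.0/8"), "inside"),  # summary of the OSPF external LSAs listed above
] + [(ip_network(net), name) for name, (_, net) in INTERFACES.items()]


def ingress_interface(src):
    """Longest-prefix match on the route table: the interface a packet from src arrives on.
    This is the same lookup "ip verify reverse-path" uses to decide whether to accept it."""
    src = ip_address(src)
    best = max((r for r in ROUTES if src in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def interface_for_address(addr):
    """Name of the interface that owns addr, or None if addr is not an ASA address."""
    for name, (ip, _) in INTERFACES.items():
        if ip == addr:
            return name
    return None


def ping_to_asa_answered(src, target, management_access=None, via_vpn=False):
    """Apply the ASA rule: an interface address only replies to traffic that arrived on that
    interface. The one exception the thread names is "management-access <if>", which lets a
    host connected over VPN reach that interface's address through another interface.
    Returns (answered, reason)."""
    target_if = interface_for_address(target)
    if target_if is None:
        return False, f"{target} is not an ASA interface address; this rule does not apply"
    arrive_if = ingress_interface(src)
    if arrive_if == target_if:
        return True, f"{src} arrives on {arrive_if}, the interface that owns {target}"
    if via_vpn and management_access == target_if:
        return True, f"management-access {target_if} lets VPN host {src} reach {target}"
    return False, (f"{src} arrives on {arrive_if} but {target} belongs to {target_if}; "
                   f"the ASA does not answer for a non-facing interface address")


if __name__ == "__main__":
    # The three pings from the thread: PC -> inside address, PC -> DMZ address, laptop -> DMZ address.
    for src, target in [("10.0.110.10", "10.100.15.249"),
                        ("10.0.110.10", "10.100.21.253"),
                        ("10.100.21.1", "10.100.21.253")]:
        ok, why = ping_to_asa_answered(src, target)
        print("REPLY  " if ok else "TIMEOUT", src, "->", target, ":", why)
```

The model reproduces what Paul saw: 10.0.110.10 gets replies from 10.100.15.249 (it arrives on inside) and times out against 10.100.21.253 (it arrives on inside but that address belongs to web-dmz), while a laptop in the DMZ pings 10.100.21.253 fine. It also shows why no amount of `static (inside,web-dmz)` changes the second case: NAT governs transit traffic, not traffic addressed to the firewall itself.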
Ernie Beek

Pleasure working with you :)

Just one question, did you intend to close the question the way you did?
Though I'm doing this for fun and to steepen my learning curve, points are always nice to have ;)
pjmcdougall

ASKER
Likewise I really appreciated your help.  This was my 1st time on ExpertsExchange (1 month trial), how do I allocate points to you?  Please advise and I would be more than happy to comply with ANY requirement.
Ernie Beek

Just ask a moderator.
I'll hit the object button and someone will have a look and help us out.

First time eh? Hope to see you back again :)
pjmcdougall

ASKER
Hi alias99,

I did not see the option "Accept and Award Points" only "Accept Solution".  I would like to award erniebeek 500 points for his trouble.  Without his comment:  "you can only ping the ASA interface that is facing you" + other troubleshooting I may never have solved the issue.

Can you please assist by awarding these points from my account to erniebeek?

Kind Regards,
Paul
Ernie Beek

One way or another we always are able to get things right (with a bit of help from the mods :)

Thx for the points.