Solved

ASA5520 Cannot ping from inside to dmz

Posted on 2011-03-09
28
4,371 Views
Last Modified: 2012-05-11
I am pinging from 2 different desktop computers (10.0.110.10 and 10.0.10.200), both on the inside LAN, to the DMZ interface 10.100.21.253. Both computers cannot ping. Sample output from ASA logs:

%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302020: Built outbound ICMP connection for faddr 10.100.21.1/0 gaddr 10.0.110.10/512 laddr 10.0.110.10/512
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0

ASA Version 8.0(5)
!
hostname FBNECOLO5520-01
names
!
interface GigabitEthernet0/0
 description Internet interface
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0
 ospf database-filter all out
!
interface GigabitEthernet0/1
 description Redundant physical interface bound to logical interface "redundant 1"
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Redundant physical interface bound to logical interface "redundant 1"
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description SBNECOLO4506-01 gi2/24
 nameif inside
 security-level 100
 ip address 10.100.15.249 255.255.255.0
 ospf retransmit-interval 2
 ospf hello-interval 1
 ospf dead-interval 15
 ospf message-digest-key 1 md5 <removed>
 ospf authentication message-digest
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif web-dmz
 security-level 50
 ip address 10.100.21.253 255.255.255.0
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list web-dmz_access_in extended permit ip 10.100.21.0 255.255.255.0 10.100.15.0 255.255.255.0
!
ip verify reverse-path interface web-dmz
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any outside
icmp permit any inside
icmp permit any web-dmz
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group web-dmz_access_in in interface web-dmz
!
router ospf 10
 router-id 10.100.15.249
 network 10.100.15.249 255.255.255.255 area 0
 network 10.100.21.0 255.255.255.0 area 0
 area 0 authentication message-digest
 timers spf 10 500
 log-adj-changes detail
 redistribute connected subnets
!
route outside 0.0.0.0  0.0.0.0  100.1.1.2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
: end
0
Comment
Question by:pjmcdougall
  • 16
  • 11
28 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35082676
and if you add: access-list web-dmz_access_in extended permit icmp any any ?
0
 

Author Comment

by:pjmcdougall
ID: 35082751
I thought "ip" covered icmp?  Anyway I have now added it but no luck.  As you can see I can ping the inside interface but not the dmz interface:


C:\WINDOWS>ping 10.100.15.249

Pinging 10.100.15.249 with 32 bytes of data:

Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253
Reply from 10.100.15.249: bytes=32 time<1ms TTL=253

Ping statistics for 10.100.15.249:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS>ping 10.100.21.253

Pinging 10.100.21.253 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.100.21.253:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
0
 

Author Comment

by:pjmcdougall
ID: 35082831
Just in case someone asks me if the routing is OK for this subnet on my LAN: the below output is from the ASA and it clearly shows the subnets in question:

FBNECOLO5520-01(config)# sh ospf database

       OSPF Router with ID (10.100.15.249) (Process ID 10)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.100.15.249 10.100.15.249 1607            0x80000051 0x 554 2
192.168.255.25  192.168.255.25  1556        0x800003ca 0x69cf 4
192.168.255.26  192.168.255.26  1136        0x8000036d 0x9194 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.100.15.252   192.168.255.25  1556        0x80000008 0x48f3

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
10.0.2.0        192.168.255.26  1136        0x8000034e 0x 3bd 0
10.0.3.0        192.168.255.26  1136        0x80000279 0xa4f0 0
10.0.4.0        192.168.255.26  1136        0x80000279 0x99fa 0
10.0.5.0        192.168.255.26  1136        0x80000279 0x8e05 0
10.0.6.0        192.168.255.26  1136        0x80000279 0x830f 0
10.0.7.0        192.168.255.26  1136        0x80000279 0x7819 0
10.0.8.0        192.168.255.26  1136        0x8000034a 0xc8f5 0
10.0.10.0       192.168.255.26  1136        0x8000034f 0xa80f 0
10.0.12.0       192.168.255.26  1136        0x8000034f 0x9223 0
10.0.13.0       192.168.255.26  1136        0x8000034f 0x872d 0
10.0.14.0       192.168.255.26  1136        0x8000034c 0x8234 0
10.0.15.0       192.168.255.26  1136        0x8000034a 0x7b3c 0
10.0.16.0       192.168.255.26  1136        0x8000034a 0x7046 0
10.0.17.0       192.168.255.26  1136        0x8000034f 0x5b55 0
10.0.40.0       192.168.255.26  1136        0x80000349 0x96b7 0
10.0.41.0       192.168.255.26  1136        0x80000349 0x8bc1 0
10.0.42.0       192.168.255.26  1136        0x80000349 0x80cb 0
10.0.43.0       192.168.255.26  1136        0x80000349 0x75d5 0
10.0.44.0       192.168.255.26  1136        0x80000349 0x6adf 0
10.0.100.0      192.168.255.26  1136        0x80000279 0x75be 0
10.0.101.0      192.168.255.26  1136        0x8000034a 0xc59b 0
10.0.102.0      192.168.255.26  1136        0x8000034d 0xb4a8 0
10.0.103.0      192.168.255.26  1136        0x8000034f 0xa5b4 0
10.0.104.0      192.168.255.26  1136        0x8000034f 0x9abe 0
10.0.105.0      192.168.255.26  1136        0x8000034f 0x8fc8 0
10.0.106.0      192.168.255.26  1136        0x8000034e 0x86d1 0
10.0.107.0      192.168.255.26  1136        0x8000034b 0x81d8 0
10.0.108.0      192.168.255.26  1136        0x8000034a 0x78e1 0
10.0.109.0      192.168.255.26  1136        0x8000034a 0x6deb 0
10.0.110.0      192.168.255.26  1136        0x8000034f 0x58fa 0
10.0.120.0      192.168.255.26  1136        0x80000279 0x9887 0
---- cut ----

Thanks for looking :)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35082857
Well I noticed that sometimes it might help, but not in this case.

I saw something else in your config:
static (inside,web-dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

You might want to change that:
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
0
 

Author Comment

by:pjmcdougall
ID: 35082952
My head gets a bit fried with these nats.  My lan has 3 subnets:

10.0.10.0/24
10.0.110.0/24
10.100.15.0/24

Should the inside address in your above example cover all 3 subnets?  Remember I am pinging from the computers 10.0.10.200 and 10.0.110.10.   My 10.100.15.0 subnet is only a management subnet for all my cisco kit.

cheers,
paul
0
 

Author Comment

by:pjmcdougall
ID: 35083061
A bit more info.  This is a ping from the ASA to my PC.  As expected the web-dmz source failed:

Standard Ping:
FBNECOLO5520-01(config)# ping 10.0.110.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
!!!!!

Extended Ping:
FBNECOLO5520-01(config)# ping
Interface: web-dmz
Target IP address: 10.0.110.10
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.110.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
0
 

Author Comment

by:pjmcdougall
ID: 35083128
Hey erniebeek, I tried your suggestion and now there seems to be a portmap translation error thrown into the mix.  Cheers for giving it a go, anything else we can try?

%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-3-305006: portmap translation creation failed for icmp src inside:10.0.110.10 dst web-dmz:10.100.21.1 (type 8, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35083264
That's correct, you tried to ping from an address for which we haven't created one yet :)

So try adding:
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0


as well
0
 

Author Comment

by:pjmcdougall
ID: 35083365
Hi erniebeek, it doesn't seem to have made any difference :(

My nats are configured as:

global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
0
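As an added example (not code from this thread or from Cisco), here is a small Python script that parses the `static (real_if,mapped_if) mapped real netmask mask` lines above and checks each `%ASA-3-305006` "portmap translation creation failed" message against them, reporting sources that no identity static covers. The config and log lines are constructed from the ones posted in this thread; the extra 10.0.10.200 failure line and the /24 used for the suggested static are assumptions.

```python
import ipaddress
import re

# Constructed sample: the identity NAT lines as posted at this point in the
# thread (no static yet for the 10.0.10.0/24 subnet).
SAMPLE_CONFIG = """\
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
"""

# Constructed sample syslog lines modelled on the %ASA-3-305006 message in the
# thread; the 10.0.10.200 line is added (assumption) to show an uncovered source.
SAMPLE_LOGS = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
%ASA-3-305006: portmap translation creation failed for icmp src inside:10.0.110.10 dst web-dmz:10.100.21.1 (type 8, code 0)
%ASA-3-305006: portmap translation creation failed for icmp src inside:10.0.10.200 dst web-dmz:10.100.21.1 (type 8, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.110.10/512 gaddr 10.100.21.253/0 laddr 10.100.21.253/0
"""

# ASA 8.x syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)$"
)
NAT_FAIL_RE = re.compile(
    r"%ASA-3-305006: portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+) dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)"
)


def parse_statics(config_text):
    """Return the static translations found in an ASA 8.x config excerpt."""
    statics = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append({
                "real_if": m["real_if"],
                "mapped_if": m["mapped_if"],
                "real_net": ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False),
                "mapped_net": ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False),
            })
    return statics


def parse_nat_failures(log_text):
    """Return one dict per %ASA-3-305006 line (src/dst interface and address)."""
    failures = []
    for line in log_text.splitlines():
        m = NAT_FAIL_RE.search(line)
        if m:
            failures.append(m.groupdict())
    return failures


def covering_static(statics, src_if, src_ip, dst_if):
    """Find a static whose real side is the source interface and contains the
    source address, and whose mapped side is the destination interface."""
    addr = ipaddress.ip_address(src_ip)
    for s in statics:
        if (s["real_if"] == src_if and s["mapped_if"] == dst_if
                and addr in s["real_net"]):
            return s
    return None


def uncovered_failures(config_text, log_text):
    """Pair each 305006 failure with the statics; return those no static covers."""
    statics = parse_statics(config_text)
    missing = []
    for f in parse_nat_failures(log_text):
        if covering_static(statics, f["src_if"], f["src"], f["dst_if"]) is None:
            missing.append((f["src_if"], f["src"], f["dst_if"], f["dst"]))
    return missing


def suggest_identity_static(src_if, src_ip, dst_if, prefixlen=24):
    """Build an identity static for the source's subnet. The /24 default is an
    assumption taken from the subnets listed in the thread."""
    net = ipaddress.ip_network(f"{src_ip}/{prefixlen}", strict=False)
    return (f"static ({src_if},{dst_if}) {net.network_address} "
            f"{net.network_address} netmask {net.netmask}")


if __name__ == "__main__":
    for src_if, src, dst_if, dst in uncovered_failures(SAMPLE_CONFIG, SAMPLE_LOGS):
        print(f"no static covers {src_if}:{src} -> {dst_if}:{dst}; candidate line:")
        print("  " + suggest_identity_static(src_if, src, dst_if))
```

Run against the sample data it reports only the 10.0.10.200 source, because 10.0.110.10 is already inside the real network of the second static; with the 10.0.10.0/24 static added the report is empty. Feeding it a real `show running-config` and a syslog capture is the same call with different text.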
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35083423
Still missing the
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0

Then the translations should be ok. Otherwise let me know what shows up in the logs then.
0
 

Author Comment

by:pjmcdougall
ID: 35083426
Here's something interesting.  If I plug a laptop into the DMZ I can ping my PC 10.0.110.10.

I give the laptop the following TCP settings:

IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253

Good one way but not the other - arrrrrgh!
0
 

Author Comment

by:pjmcdougall
ID: 35083482
Hi erniebeek,

Yep, you're right, but I am now limiting my testing to the one subnet of 10.0.110.0/24. Nonetheless I have also added the other internal subnet as you pointed out:

static (inside,web-dmz) 10.100.15.0 10.100.15.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.110.0 10.0.110.0 netmask 255.255.255.0
static (inside,web-dmz) 10.0.10.0 10.0.10.0 netmask 255.255.255.0

Logs are still as they were at the beginning of this post.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35083563
Just thinking hard here.

You cannot ping the DMZ interface...... but can you ping anything in the DMZ?
You pinged your station from a laptop in the DMZ, can you ping the laptop from your station?
0
 

Author Comment

by:pjmcdougall
ID: 35083601
No I tried that.  I cannot ping the laptop from my PC.

PC can ping the inside interface (obviously because I am telneted into the ASA) but cannot ping the DMZ interface or anything behind the DMZ.

0
 

Author Comment

by:pjmcdougall
ID: 35083743
Here is a quick diagram of my topology, hope it helps.
Topology.gif
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35083797
Weird.

I just remembered (I am SO stupid), you can only ping the ASA interface that is facing you....

That still doesn't account for the loss of ping in the DMZ.

Resuming:
-you can ping from the DMZ to the internal network.
-you cannot ping from the internal network to the DMZ
-when you ping from the inside, the only thing you (still) are seeing on the ASA is the built and teardown of the icmp.

Just saw your diagram. What happens if you ping from the router (10.100.15.252) to the DMZ (laptop)?
0
 

Author Comment

by:pjmcdougall
ID: 35083853
Hi erniebeek,

All your assumptions are correct.

Pinging from the core router (cisco 4506) is same as from my PC - nothin!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35083919
Been looking at the logs and see something funny. Do you know what the 10.100.21.1 is?
0
 

Author Comment

by:pjmcdougall
ID: 35083944
Yup, it's my laptop in the DMZ remember :)

IP - 10.100.21.1
Mask - 255.255.255.0
Gate - 10.100.21.253

0
 

Author Comment

by:pjmcdougall
ID: 35084078
More info, nothing wrong just an observation:

The attached image is a snap of the ASDM logs (as opposed to the ASA logs) and here you can see the laptop trying to do a DNS lookup to 139.130.4.4 and 10.0.2.1.

The pass to 139.130.4.4 failed because there is no access-list permitting it, and the pass to 10.0.2.1 failed because we have not put a NAT in for this subnet (yes, it's another subnet on the trusted side but irrelevant to our problems here).
ASDM-log.gif
0
 

Author Comment

by:pjmcdougall
ID: 35084179
I think we got it !!!

The laptop had its firewall turned on (damn SOE). I have since turned it off and I can now ping it from the trusted network.

I still would have been chasing my tail though, because I did not know about the "closest interface" rule, i.e. the one facing you. First I've heard about that. This would explain why my pings are still not responding to the DMZ interface of 10.100.21.253.

Is that correct erniebeek?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35084464
That's correct; the only exception is when you connect through a VPN and issue 'management-access' on it.
Glad you figured it out (and thanks to MS :-(  ).
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35093208
Pleasure working with you :)

Just one question, did you intend to close the question the way you did?
Though I'm doing this for fun and to steepen my learning curve, points are always nice to have ;)
0
 

Author Comment

by:pjmcdougall
ID: 35105454
Likewise I really appreciated your help.  This was my 1st time on ExpertsExchange (1 month trial), how do I allocate points to you?  Please advise and I would be more than happy to comply with ANY requirement.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35106607
Just ask a moderator.
I'll hit the object button and someone will have a look and help us out.

First time eh? Hope to see you back again :)
0
 

Author Comment

by:pjmcdougall
ID: 35125567
Hi alias99,

I did not see the option "Accept and Award Points" only "Accept Solution".  I would like to award erniebeek 500 points for his trouble.  Without his comment:  "you can only ping the ASA interface that is facing you" + other troubleshooting I may never have solved the issue.

Can you please assist by awarding these points from my account to erniebeek?

Kind Regards,
Paul
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35126599
One way or another we always are able to get things right (with a bit of help from the mods :)

Thx for the points.
0
