Cannot ping from DMZ to Inside of Cisco ASA

Hi,

Below is the topology diagram on which I have a question:


10.240.37.xLAN-----L3Sw----DMZASAFW----CISCORTR1----CISCORTR2----L3SW---172.10.10.x

What is required

The 10.240.37.x LAN should be able to ping the remote LAN 172.10.x.

Points to note

172.10.x is NATed on the ASAFW as below: 172.11.10.x ~ 172.10.10.x. The ACL allows this traffic.

What is happening

I can telnet from 10.240.37.x LAN to 172.10.10.x

What is not happening

I cannot ping 172.10.10.x from the 10.240.37.x LAN.

ASA logs show that the ICMP connection is being built and torn down.

All upstream and return routes are correct on all the intermediate hops, but still no ICMP.

Any ideas, greatly appreciated.

genseek


Ernie BeekExpertCommented:
No ping.......

If you do a tracert (traceroute), how far do you get?
lwalcherCommented:
This is a pretty common problem on PIX/ASA. The outbound ICMP Echo is usually allowed but the return Echo Reply is blocked (since ICMP/UDP--depending on the client you're using--are both connectionless). Here is the document from Cisco that walks you through configuring your outside interface to allow the Echo Reply to successfully return:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Please let us know if this works for you!
genseekAuthor Commented:
Hi

thanks for the prompt response.

As I said, traffic is hitting the ASA, as I can see in the logs that the ICMP connection is built and torn down.

Also, I can see the ICMP conn in the connection table, but it gets torn down after the default 2 secs, which tells me that the ICMP connection is timing out because no reply is reaching the ASA.

But I am not able to see where it is getting dropped, as all routing is correct.

lwalcherCommented:
Correct, the ICMP Echo is going out successfully, but the Echo Reply gets blocked by the implicit default deny on the outside interface. This will not show in the log.

You are correct that the Echo Reply is not successfully returning. If you follow the Cisco doc I sent, it will show you how to allow the Echo Reply to return successfully.
genseekAuthor Commented:
The Echo is being sent from DMZ to inside; hence, the Echo Reply is not coming in on the inside interface, and not from outside.

As the traffic flow is from DMZ to Inside, lower to higher security interface, there is no question of implicit deny; rather, it should be a case of implicit permit.
genseekAuthor Commented:

Also, please see the diagram that i have expanded below:

10.240.37.xLAN-----L3Sw----DMZASAFW----CISCORTR1----CISCORTR2----L3SW---172.10.10.x
                                                                               |
                                                                               |
                                                                         170.10.106.x

170.10.106.x is the network directly attached to the inside of the ASA and CISCORTR1. There are other desktops in this network, which can be successfully reached from the 10.240.37.x LAN, BUT NOT 172.10.10.x, which is a remote LAN 3 hops away, as shown above.

lwalcherCommented:
Ah, thanks for the clarification and the expanded diagram. My understanding of your network layout was backward. So...let me restate the question: you want to ping from source network 10.240.37.x in the ASA's DMZ interface to destination network 172.10.10.x on the ASA's Inside interface, correct?

In the original post you mentioned there is a NAT rule on the Inside interface NAT'ing 172.10.10.x outbound to 172.10.11.x on the DMZ interface. Is this still the case? If so, from the perspective of the source in the DMZ you are actually trying to ping "destination" network 172.10.11.x, correct? If so, is there an ACL on the DMZ interface allowing ICMP Echo from source network 10.240.37.x to destination network 172.10.11.x? And is there an ACE on the Inside interface allowing outbound ICMP Echo Reply to the DMZ?

Also, since you have several hops in the mix, I am also interested in your answer to erniebeek's question above: how far does the traceroute get?
genseekAuthor Commented:

Please see below:

lwalcher - you want to ping from source network 10.240.37.x in the ASA's DMZ interface to destination network 172.10.10.x on the ASA's Inside interface, correct?

genseek - Yes.

lwalcher - there is a NAT rule on the Inside interface NAT'ing 172.10.10.x outbound to 172.10.11.x on the DMZ interface. Is this still the case?

genseek - I said there is a NAT rule on the DMZ that NATs 172.10.10.x to 172.10.11.x; this still holds.

lwalcher - If so, from the perspective of the source in the DMZ you are actually trying to ping "destination" network 172.10.11.x, correct?

genseek - Yes.

lwalcher - If so, is there an ACL on the DMZ interface allowing ICMP Echo from source network 10.240.37.x to destination network 172.10.11.x?

genseek - Yes, there is. I can also see the traffic hitting this ACL.

lwalcher - And is there an ACE on the Inside interface allowing outbound ICMP Echo Reply to the DMZ?

genseek - Not sure why we need this ACE.

Trace drops before the ASA.

When initiating the ping echo, I captured packets and found echo packets going from source to destination, but there are no reply packets; as I said, all routing is correct.
genseekAuthor Commented:
On the ASA, I have routing for the destination network as

route inside 172.10.0.0 255.255.0.0 next hop ip

Could this be causing any kind of unexpected issue? Should I make the routing more specific, like

route inside 172.10.10.0 255.255.255.0 next hop ip
lwalcherCommented:
Thanks for the updates. I agree with you that the routing doesn't seem to be the issue, so I don't think you will need to make the routing more specific based on your network diagram. All traffic to 172.10.0.0/16 SHOULD go to your next hop router CISCORTR1 based on your diagram. At this point there are two possibilities I can see based on your info:

1) I suppose it's possible the NAT rule is backwards based on the wording above. The NAT rule should look like this according to Cisco:

static (inside,dmz) 172.16.11.0 172.16.10.0 netmask 255.255.255.0
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1080960

2) If you have defined an ACL at all on the Inside interface, then you will definitely need to configure a rule to allow the ICMP Echo Reply to return as the implicit PERMIT will no longer apply once that ACL is defined:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html#wp1043290

Do either of these resolve the issue?
genseekAuthor Commented:

Neither of the possibilities is of help, as the wording is correct for option 1 and there are NO ACLs on the inside interface.
genseekAuthor Commented:
Currently, the static NAT on the ASA was as below:

static (inside,dmz) 172.11.10.x 172.10.10.x netmask 255.255.255.255

ACL permit any any is applied on the DMZ interface.

Just to check, I made the static NATing specific, i.e. IP to IP, as below:

static (inside,dmz) 172.11.10.100 172.10.10.100 netmask 255.255.255.255

I found a strange log that puzzled me. It says:

no route from 10.240.37.x to the destination 172.10.10.100

As I mentioned, routing is clearly defined in the ASA:

route inside 172.10.0.0 255.255.0.0 next hop ip

When I saw the strange log, I made the routing specific, as below:

route inside 172.10.10.x 255.255.0.0 next hop ip ... and

IT WORKED now.

I was able to ping 172.10.10.100 using NAT IP 172.11.10.100 from 10.240.37.34.

Strange, very strange to me; I am not able to understand why this should work.

Any ideas from your experience that you may have had that explain this?


lwalcherCommented:
Cool, glad that your test worked! That is progress!! First thing I noticed was that the NAT you posted will only work for a given IP address X:
static (inside,dmz) 172.11.10.X 172.10.10.X netmask 255.255.255.255

If you want to static NAT the whole 172.10.10.X/24 outbound from the inside to the DMZ you will need a netmask of 255.255.255.0

As far as that routing change goes, assuming there are no typos above, it actually isn't a change (ASDM would even throw an error and keep you from entering it) because the netmask didn't change. Strangeness indeed... some kind of caching issue, maybe?!? If you fix the NAT netmask, do all the other IPs work now too? Or did you only need one IP address for this?
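To make lwalcher's netmask point and the earlier "make the route more specific" question concrete, here is an added example (not code from the thread or from Cisco) that models how the ASA resolves a DMZ-to-inside packet: untranslate the mapped destination through the matching `static`, then do a longest-prefix route lookup on the real address. It shows that a `static` with netmask 255.255.255.255 only translates the single host written in it, that 255.255.255.0 covers the whole 172.11.10.0/24 to 172.10.10.0/24 range, and that `route inside 172.10.10.0 255.255.0.0` parses to the same 172.10.0.0/16 route as `route inside 172.10.0.0 255.255.0.0`. The config lines are constructed to mirror the thread; the next hop 170.10.106.1 and the interface names are assumptions. The model ignores ACLs and ICMP inspection; it only answers the NAT-plus-route question.

```python
"""Added example: model ASA 8.2-style static NAT plus route lookup for a
packet entering the DMZ interface. Not code from the thread."""
import ipaddress
import re

# static (real_if,mapped_if) mapped_addr real_addr netmask mask
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)$"
)
# route iface network mask gateway
ROUTE_RE = re.compile(r"route (?P<iface>\w+) (?P<net>\S+) (?P<mask>\S+) (?P<gw>\S+)$")


def parse_asa(config):
    """Return (statics, routes) parsed from the static/route lines of config."""
    statics, routes = [], []
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            # One netmask applies to both the mapped and the real side.
            statics.append({
                "real_if": m["real_if"],
                "mapped_if": m["mapped_if"],
                "mapped": ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False),
                "real": ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False),
            })
            continue
        m = ROUTE_RE.match(line)
        if m:
            # strict=False clears host bits: 172.10.10.0/255.255.0.0 -> 172.10.0.0/16
            routes.append({
                "iface": m["iface"],
                "net": ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False),
                "gw": m["gw"],
            })
    return statics, routes


def untranslate(statics, ingress_if, dst):
    """For a packet arriving on ingress_if for mapped address dst, return
    (real_if, real_dst) from the first matching static, or (None, dst) when
    no static covers dst and the ASA would forward it untranslated."""
    dst = ipaddress.ip_address(dst)
    for s in statics:
        if s["mapped_if"] == ingress_if and dst in s["mapped"]:
            offset = int(dst) - int(s["mapped"].network_address)
            return s["real_if"], ipaddress.ip_address(int(s["real"].network_address) + offset)
    return None, dst


def route_lookup(routes, dst):
    """Longest-prefix match over the parsed static routes."""
    best = None
    for r in routes:
        if dst in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


def check_path(config, ingress_if, dst):
    """Classify what happens to a packet entering ingress_if addressed to dst."""
    statics, routes = parse_asa(config)
    real_if, real_dst = untranslate(statics, ingress_if, dst)
    result = {"real_dst": str(real_dst), "egress": None}
    if real_if is None:
        result["status"] = "no_translation"
        return result
    route = route_lookup(routes, real_dst)
    if route is None:
        result["status"] = "no_route"
        return result
    result["egress"] = route["iface"]
    # The route for the real address must leave on the static's real side.
    result["status"] = "ok" if route["iface"] == real_if else "interface_mismatch"
    return result


# Constructed to mirror the thread: a /32 static translates only .100.
TYPO_CONFIG = """
static (inside,dmz) 172.11.10.100 172.10.10.100 netmask 255.255.255.255
route inside 172.10.0.0 255.255.0.0 170.10.106.1
"""

# Corrected netmask: all of 172.11.10.0/24 now maps to 172.10.10.0/24.
# The route is written with host bits set, as in the thread; it is still /16.
FIXED_CONFIG = """
static (inside,dmz) 172.11.10.0 172.10.10.0 netmask 255.255.255.0
route inside 172.10.10.0 255.255.0.0 170.10.106.1
"""

if __name__ == "__main__":
    for name, cfg in (("typo", TYPO_CONFIG), ("fixed", FIXED_CONFIG)):
        for dst in ("172.11.10.100", "172.11.10.101"):
            print(name, dst, check_path(cfg, "dmz", dst))
```

Running it shows 172.11.10.100 resolving fine under both configs, while 172.11.10.101 gets `no_translation` with the /32 static and `ok` (real 172.10.10.101 out inside) once the netmask is 255.255.255.0, which is exactly the "only one IP works" symptom lwalcher describes.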

genseekAuthor Commented:

Actually, it was a typo in the netmask that I posted for the NAT of the whole network.

Now i can reach the whole range.

Thank you for your patience and prompt support. I will award the points.
genseekAuthor Commented:
The solution was as i expected.
Question has a verified solution.
