Solved

Cannot ping from DMZ to Inside of Cisco ASA

Posted on 2011-10-05
Last Modified: 2012-05-12
Hi,

Below is the topology diagram on which i have question:


10.240.37.xLAN-----L3Sw----DMZASAFW----CISCORTR1----CISCORTR2----L3SW---172.10.10.x

What is required

10.240.37.x LAN  should be able to ping remote LAN 172.10.x

Points to note

172.10.x is NATed on the ASA FW as below: 172.11.10.x ~ 172.10.10.x; the ACL allows this traffic

What is happening

I can telnet from 10.240.37.x LAN to 172.10.10.x

What is not happening

I cannot ping 172.10.10.x from the 10.240.37.x LAN

ASA logs show that the ICMP connection is being built and torn down.

All upstream and return routes are correct in all the intermediate hops, but still no ICMP.

Any ideas, greatly appreciated.

genseek

Question by:genseek

Expert Comment

by:Ernie Beek
ID: 36919576
No ping.......

If you do a tracert (traceroute), how far do you get?

Expert Comment

by:lwalcher
ID: 36919626
This is a pretty common problem on PIX/ASA. The outbound ICMP Echo is usually allowed, but the return Echo Reply is blocked (since ICMP/UDP, depending on the client you're using, are both connectionless). Here is the document from Cisco that walks you through configuring your outside interface to allow the Echo Reply to successfully return:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Please let us know if this works for you!

Author Comment

by:genseek
ID: 36919862
Hi,

Thanks for the prompt response.

As I said, traffic is hitting the ASA, as I can see in the logs that the ICMP connection is built and torn down.

Also, I can see the ICMP CONN in the connection table, but it is getting torn down after the default 2 secs, which tells me that the ICMP connection is timing out because no reply is reaching the ASA.

But I am not able to see where it is getting dropped off, as all routing is correct.

Expert Comment

by:lwalcher
ID: 36920176
Correct, the ICMP Echo is going out successfully, but the Echo Reply gets blocked by the implicit default deny on the outside interface. This will not show in the log.

You are correct that the Echo Reply is not successfully returning. If you follow the Cisco doc I sent, it will show you how to allow the Echo Reply to return successfully.

Author Comment

by:genseek
ID: 36921591
The Echo is being sent from DMZ to inside; hence, the Echo Reply is not coming in from the inside interface, and not from the outside.

As the traffic flow is from DMZ to Inside, a lower to a higher security interface, there is no question of an implicit deny; rather it should be a case of implicit permit.

Author Comment

by:genseek
ID: 36921610
Also, please see the diagram that I have expanded below:

10.240.37.xLAN-----L3Sw----DMZASAFW----CISCORTR1----CISCORTR2----L3SW---172.10.10.x
                                                                               |
                                                                               |
                                                                         170.10.106.x

170.10.106.x is the network directly attached to the inside of the ASA and CISCORTR1. There are other desktops in this network, which can be successfully reached from the 10.240.37.x LAN, BUT NOT

172.10.10.x, which is a remote LAN 3 hops away as shown above.


Expert Comment

by:lwalcher
ID: 36924353
Ah, thanks for the clarification and the expanded diagram. My understanding of your network layout was backward. So...let me restate the question: you want to ping from source network 10.240.37.x in the ASA's DMZ interface to destination network 172.10.10.x on the ASA's Inside interface, correct?

In the original post you mentioned there is a NAT rule on the Inside interface NAT'ing 172.10.10.x outbound to 172.10.11.x on the DMZ interface. Is this still the case? If so, from the perspective of the source in the DMZ you are actually trying to ping "destination" network 172.10.11.x, correct? If so, is there an ACL on the DMZ interface allowing ICMP Echo from source network 10.240.37.x to destination network 172.10.11.x? And is there an ACE on the Inside interface allowing outbound ICMP Echo Reply to the DMZ?

Also, since you have several hops in the mix, I am also interested in your answer to erniebeek's question above. How far does the traceroute get?

Author Comment

by:genseek
ID: 36925249
Please see below:

lwalcher - you want to ping from source network 10.240.37.x in the ASA's DMZ interface to destination network 172.10.10.x on the ASA's Inside interface, correct?

genseek - yes

lwalcher - there is a NAT rule on the Inside interface NAT'ing 172.10.10.x outbound to 172.10.11.x on the DMZ interface. Is this still the case?

genseek - I said there is a NAT rule on DMZ that NATs 172.10.10.x to 172.10.11.x; this still holds

lwalcher - If so, from the perspective of the source in the DMZ you are actually trying to ping "destination" network 172.10.11.x, correct?

genseek - yes

lwalcher - If so, is there an ACL on the DMZ interface allowing ICMP Echo from source network 10.240.37.x to destination network 172.10.11.x?

genseek - yes, there is. I can also see the traffic hitting this ACL

lwalcher - And is there an ACE on the Inside interface allowing outbound ICMP Echo Reply to the DMZ?

genseek - Not sure why we need this ACE.

The trace drops before the ASA.

When initiating the ping echo, I captured packets and found echo packets going from source to destination, but there are no reply packets. As I said, all routing is correct.

Author Comment

by:genseek
ID: 36925300
On the ASA, I have routing for the destination network as

route inside 172.10.0.0 255.255.0.0 next hop ip

Could this be causing any kind of unexpected issue? Should I make the routing more specific, like

route inside 172.10.10.0 255.255.255.0 next hop ip

Expert Comment

by:lwalcher
ID: 36925767
Thanks for the updates. I agree with you that the routing doesn't seem to be the issue, so I don't think you will need to make the routing more specific based on your network diagram. All traffic to 172.10.0.0/16 SHOULD go to your next hop router CISCORTR1 based on your diagram. At this point there are two possibilities I can see based on your info:

1) I suppose it's possible the NAT rule is backwards based on the wording above. The NAT rule should look like this according to Cisco:

static (inside,dmz) 172.16.11.0 172.16.10.0 netmask 255.255.255.0
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1080960

2) If you have defined an ACL at all on the Inside interface, then you will definitely need to configure a rule to allow the ICMP Echo Reply to return as the implicit PERMIT will no longer apply once that ACL is defined:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html#wp1043290

Do either of these resolve the issue?

Author Comment

by:genseek
ID: 36925821
Neither of the possibilities is of help, as the wording is correct for option 1 and there are NO ACLs on the inside interface.

Author Comment

by:genseek
ID: 36925870
Currently, the static NAT on the ASA was as below:

static (inside,dmz) 172.11.10.x 172.10.10.x netmask 255.255.255.255

An ACL permit any any is applied on the DMZ interface.

Just to check, I made the static NATing specific, i.e. IP to IP, as below:

static (inside,dmz) 172.11.10.100 172.10.10.100 netmask 255.255.255.255

I found a strange log that puzzled me. It says

no route from 10.240.37.x to the destination 172.10.10.100

As I mentioned, routing is clearly defined in the ASA as mentioned:

route inside 172.10.0.0 255.255.0.0 next hop ip

When I saw the strange log, I made the routing specific, now as below:

route inside 172.10.10.x 255.255.0.0 next hop ip ...........and

IT WORKED now.

I was able to ping 172.10.10.100 using NAT IP 172.11.10.100 from 10.240.37.34.

Strange, very strange to me. I am not able to understand why this should work.

Any ideas from your experience that you may have had that explain this?



Accepted Solution

by:lwalcher (earned 1600 total points)
ID: 36926449
Cool, glad that your test worked! That is progress!! First thing I noticed was that the NAT you posted will only work for a given IP address X:
static (inside,dmz) 172.11.10.X 172.10.10.X netmask 255.255.255.255

If you want to static NAT the whole 172.10.10.X/24 outbound from the inside to the DMZ you will need a netmask of 255.255.255.0

As far as that routing change, assuming there are no typos above it actually isn't a change (ASDM would even throw an error and keep you from entering it) because the netmask didn't change. Strangeness indeed...some kind of caching issue...maybe?!? If you fix the NAT netmask, do all the other IPs work now too? Or were you only needing one IP address for this?
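Added example, not configuration posted by anyone in this thread: the pre-8.3 ASA configuration that the accepted answer and the author's last comments imply, with the static netmask widened so the whole 172.10.10.0/24 remote LAN is translated, the DMZ ACL narrowed from the thread's "permit any any", and the checks that would have pinpointed the drop. The interface names inside and dmz, the source LAN, and the real and mapped networks come from the thread; the next-hop address 170.10.106.1 for CISCORTR1, the ACL name DMZ_IN and the default policy-map and class names are assumptions.

```text
! Added example - not the thread's own config. Assumed: next hop 170.10.106.1,
! ACL name DMZ_IN, default policy-map global_policy / class inspection_default.

! Translate the whole remote LAN, not one host. With "netmask 255.255.255.255"
! the static in the thread only matched the single address 172.10.10.100; a /24
! netmask makes every 172.10.10.x appear in the DMZ as 172.11.10.x
static (inside,dmz) 172.11.10.0 172.10.10.0 netmask 255.255.255.0

! Route the real (untranslated) network toward CISCORTR1 on the inside interface
route inside 172.10.10.0 255.255.255.0 170.10.106.1

! DMZ hosts address the mapped network. Permit only what the DMZ needs toward
! the inside (echo and the telnet that already worked) instead of "permit ip any any"
access-list DMZ_IN extended permit icmp 10.240.37.0 255.255.255.0 172.11.10.0 255.255.255.0 echo
access-list DMZ_IN extended permit tcp 10.240.37.0 255.255.255.0 172.11.10.0 255.255.255.0 eq telnet
access-group DMZ_IN in interface dmz

! Track ICMP as a connection so each echo reply is matched to the request that opened it
policy-map global_policy
 class inspection_default
  inspect icmp

! Checks: walk a DMZ -> inside echo request through the ACL, NAT and route lookup
! and report the phase that drops it, then confirm the translation and the route
! the ASA actually holds
packet-tracer input dmz icmp 10.240.37.34 8 0 172.11.10.100
show xlate | include 172.11.10
show route | include 172.10
```

Run the packet-tracer first: when the static does not cover the destination or the route lookup fails, it stops at that phase with a drop reason, which is the same information the author eventually dug out of the syslog. The ACL is narrowed deliberately; with permit ip any any inbound on the DMZ, any compromised DMZ host can open arbitrary connections to the inside, which defeats the purpose of the DMZ.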

Author Comment

by:genseek
ID: 36934931
Actually, it was a typo in the netmask that I posted for the NAT of the whole network.

Now I can reach the whole range.

Thank you for your patience and prompt support. I will award the points.

Author Closing Comment

by:genseek
ID: 36934935
The solution was as I expected.