FutureDBA-
asked on
Cisco ASA - Firewall issue within LAN (Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session)
I have a very weird issue on my LAN which I cannot pinpoint what the root cause is.
I have a printer on my lan with IP address of 192.168.16.19
My computer is 192.168.16.50
My second computer is 192.168.16.51
All machines have a gateway of 192.168.16.254 (Cisco ASA 5515-X)
... From Computer 1 (.50) whenever I try to ping the printer. sometimes it will ping successfully, other times, it will not ping at all.
... From Computer 2 (.51) I can ping successfully 100% of the time
I have ran ping simultaneously from both machines, Computer 1, no ping, Computer 2 can ping. at the same time.
I was under the impression that because both machines are locally on the same lan, they would not have to go through the firewall, even though they both use it as a gateway.
When i look at my ASA logs via ASDM..
I get this error message here
4 Nov 23 2014 18:38:46 Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session
over and over while i run the ping.
I made sure that my host is not shunned, and have disabled threat detection scanning and blocking.
This is my ASA config, I blocked out any public IP address information.
Thanks in advanced.
I have a printer on my lan with IP address of 192.168.16.19
My computer is 192.168.16.50
My second computer is 192.168.16.51
All machines have a gateway of 192.168.16.254 (Cisco ASA 5515-X)
... From Computer 1 (.50) whenever I try to ping the printer. sometimes it will ping successfully, other times, it will not ping at all.
... From Computer 2 (.51) I can ping successfully 100% of the time
I have ran ping simultaneously from both machines, Computer 1, no ping, Computer 2 can ping. at the same time.
I was under the impression that because both machines are locally on the same lan, they would not have to go through the firewall, even though they both use it as a gateway.
When i look at my ASA logs via ASDM..
I get this error message here
4 Nov 23 2014 18:38:46 Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session
over and over while i run the ping.
I made sure that my host is not shunned, and have disabled threat detection scanning and blocking.
This is my ASA config, I blocked out any public IP address information.
Thanks in advanced.
: Saved
:
ASA Version 9.1(2)
!
hostname asa5515
domain-name somedomain.local
enable password M82a6Pogb3RUeDkW encrypted
names
ip local pool vpn-pool 192.168.18.10-192.168.18.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address *.*.214.110 255.255.255.240
!
interface GigabitEthernet0/1
nameif data
security-level 100
ip address 192.168.16.254 255.255.255.0
!
interface GigabitEthernet0/2
nameif voice
security-level 100
ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet0/3
nameif video
security-level 100
ip address 192.168.22.254 255.255.255.0
!
interface GigabitEthernet0/4
nameif clients
security-level 100
ip address 192.168.24.254 255.255.255.0
!
interface GigabitEthernet0/5
nameif dmz
security-level 10
ip address 192.168.26.254 255.255.255.0
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name somedomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-subnet
subnet 192.168.16.0 255.255.255.0
object network voice-subnet
subnet 192.168.20.0 255.255.255.0
object network dns-server
host 192.168.16.30
object network Elmhurst
subnet 10.0.0.0 255.0.0.0
description Elmhurst
object network mstsc
host 192.168.16.119
object service RDP
service tcp source eq 3389 destination eq 3389
description Remote Desktop Connection
object network apex
host 192.168.16.40
object network *.*.214.109
host *.*.214.109
object network reports
host 192.168.16.40
object network reports-internal
host 192.168.16.40
object network obj-192.168.16.40
host 192.168.16.40
object network obj-192.168.16.201
host 192.168.16.201
object network obj-192.168.16.194
host 192.168.16.194
object network rails
host 192.168.16.194
object network ssh-ruby
host 192.168.16.194
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network NETWORK_OBJ_192.168.16.0_24
subnet 192.168.16.0 255.255.255.0
object network NETWORK_OBJ_192.168.18.0_25
subnet 192.168.18.0 255.255.255.128
object network *.*.214.105
host *.*.214.105
object network orcl
host 192.168.16.195
object network credit_application
host *.*.214.104
object network obj_104
host *.*.214.104
object network *.*.214.104
host *.*.214.104
object service http_8080
service tcp source eq 8080 destination eq 8080
object network obj-192.168.16.253
host 192.168.16.253
object network obj-192.168.16.118
host 192.168.16.118
object network obj-192.168.16.6
host 192.168.16.6
object network obj-192.168.16.119
host 192.168.16.119
object network NETWORK_OBJ_192.168.24.0_24
subnet 192.168.24.0 255.255.255.0
object network obj-192.168.16.195
host 192.168.16.195
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 8080
port-object eq ssh
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group service RemoteD tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp destination eq www
object-group service apexreports
object-group network VPNTunnelGroup
network-object 10.0.0.0 255.0.0.0
network-object 192.168.16.0 255.255.255.0
network-object 192.168.0.0 255.255.0.0
object-group protocol DM_INLINE_PROTOCOL_9
protocol-object ip
protocol-object icmp
object-group network video-subnet
network-object 192.168.22.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_acl extended permit tcp any host 192.168.16.253 eq www
access-list outside_acl extended permit tcp any host 192.168.16.6 eq 22014
access-list outside_acl extended permit tcp any host 192.168.16.195 object-group DM_INLINE_TCP_1
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended permit object-group DM_INLINE_PROTOCOL_4 any object inside-subnet
access-list dmz_acl extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_cryptomap extended permit ip object inside-subnet object Elmhurst
access-list outside_cryptomap_1 extended permit ip 192.168.16.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list ACL-INSIDE-NONAT extended permit ip 192.168.16.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list video_access_in extended permit object-group DM_INLINE_PROTOCOL_9 any object inside-subnet
access-list video_access_in extended permit ip any any
access-list outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list split_tunnel standard permit 192.168.16.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 104857
logging buffered debugging
logging trap errors
logging asdm notifications
logging facility 21
logging host data 192.168.16.119
flow-export destination data 192.168.16.119 2055
mtu outside 1500
mtu data 1500
mtu voice 1500
mtu video 1500
mtu clients 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (data,voice) source static inside-subnet inside-subnet destination static voice-subnet voice-subnet
nat (voice,outside) source static voice-subnet voice-subnet destination static Elmhurst Elmhurst no-proxy-arp route-lookup
nat (outside,data) source static *.*.214.109 *.*.214.109 destination static apex apex no-proxy-arp
nat (data,outside) source static VPNTunnelGroup VPNTunnelGroup destination static NETWORK_OBJ_192.168.18.0_25 NETWORK_OBJ_192.168.18.0_25 no-proxy-arp route-lookup
nat (video,data) source static inside-subnet inside-subnet destination static video-subnet video-subnet
nat (data,outside) source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24 destination static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 no-proxy-arp route-lookup
nat (voice,outside) source static VPNTunnelGroup VPNTunnelGroup destination static NETWORK_OBJ_192.168.18.0_25 NETWORK_OBJ_192.168.18.0_25 no-proxy-arp route-lookup
nat (clients,outside) source static NETWORK_OBJ_192.168.24.0_24 NETWORK_OBJ_192.168.24.0_24 destination static Elmhurst Elmhurst no-proxy-arp route-lookup
nat (clients,outside) source static NETWORK_OBJ_192.168.24.0_24 NETWORK_OBJ_192.168.24.0_24 destination static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 no-proxy-arp route-lookup
!
object network inside-subnet
nat (data,outside) dynamic interface
object network voice-subnet
nat (voice,outside) dynamic interface
object network obj-192.168.16.253
nat (data,outside) static *.*.214.100
object network obj-192.168.16.6
nat (data,outside) static *.*.214.102
object network obj-192.168.16.195
nat (data,outside) static *.*.214.104
access-group outside_acl in interface outside
access-group inside_access_in in interface data
access-group dmz_acl in interface voice
access-group video_access_in in interface video
route outside 0.0.0.0 0.0.0.0 *.*.214.97 1
route outside 10.0.0.0 255.0.0.0 *.*.178.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAPSERVER protocol ldap
aaa-server LDAPSERVER (data) host 192.168.16.31
ldap-base-dn DC=somedomain,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=John Terrero,OU=Users,OU=_Doras,DC=somedomain,DC=local
server-type microsoft
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.16.201 255.255.255.255 data
http 192.168.16.0 255.255.255.0 data
http 0.0.0.0 0.0.0.0 data
http 0.0.0.0 0.0.0.0 outside
snmp-server group Authentication&Encryption v3 priv
snmp-server user johnt Authentication&Encryption v3 encrypted auth md5 87:40:72:55:60:71:15:4f:8c:f4:db:11:ea:94:61:cb priv 3des 87:40:72:55:60:71:15:4f:8c:f4:db:11:ea:94:61:cb:c6:09:3e:d8:31:0a:4a:14:b6:9e:23:32:33:67:d8:a8
snmp-server host data 192.168.16.31 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer *.*.178.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-128-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer *.*.178.2
crypto map outside_map 60 match address outside_cryptomap_1
crypto map outside_map 60 set peer *.*.178.2
crypto map outside_map 60 set ikev1 transform-set ESP-AES-256-MD5
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=asa5515.somedomain.local,O=somedomain,C=US
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=asa5515.somedomain.local,O=somedomain,C=us
crl configure
crypto ca trustpoint self
enrollment self
subject-name cn=192.168.16.254
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
subject-name CN=192.168.16.254,CN=asa5515
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
subject-name CN=192.168.16.254,CN=asa5515
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
enrollment self
subject-name CN=192.168.16.254,CN=asa5515
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_3
enrollment self
subject-name CN=192.168.16.254,CN=asa5515
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
subject-name CN=asa5515.somedomain.local,O=somedomain,C=us
crl configure
crypto ca trustpool policy
crypto ca certificate chain self
certificate 48ff5954
30820201 3082016a a0030201 02020448 ff595430 0d06092a 864886f7 0d010105
05003045 31173015 06035504 03130e31 39322e31 36382e31 362e3235 34312a30
2806092a 864886f7 0d010902 161b6173 61353531 352e646f 7261736e 61747572
616c732e 6c6f6361 6c301e17 0d313431 31303631 39333930 395a170d 32343131
30333139 33393039 5a304531 17301506 03550403 130e3139 322e3136 382e3136
2e323534 312a3028 06092a86 4886f70d 01090216 1b617361 35353135 2e646f72
61736e61 74757261 6c732e6c 6f63616c 30819f30 0d06092a 864886f7 0d010101
05000381 8d003081 89028181 00c1670c bdd9aab0 94450e21 fda9e6ba 45a4fa8b
dab0cb36 540d769b 58aa0c34 343b9aa1 5cd40bfa 3ba4f872 f9550803 902ec3bc
42f2b06d ce6bbb1d a78591d6 a7a159e2 f8eef18a 0d93ffec 40a7d3c3 8696c676
c3809695 02dd8297 ad498b91 ebd74615 73759614 e8a69992 332498f2 0b080171
d37fde23 d226e99b a842f286 f3020301 0001300d 06092a86 4886f70d 01010505
00038181 00c019e6 f55b2678 b44c08f6 a575b463 b9abc06a 90f408a4 774a16ea
7fac34de 2e5472f5 bac39292 0d2f3131 e48b0cb7 2e1c9c5c e904b2d8 941e59ab
f0c16aa5 e7244ce4 2ef0ef48 978ffe01 8236b635 08931dec dbe0637e 9b5e84c6
b152e48a b100c497 749dfacf 94ec1e6e c04f308b 44b678da 049d988f 1e8632f6
e61d3e22 d0
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 49ff5954
30820225 3082018e a0030201 02020449 ff595430 0d06092a 864886f7 0d010105
05003057 3110300e 06035504 03130761 73613535 31353117 30150603 55040313
0e313932 2e313638 2e31362e 32353431 2a302806 092a8648 86f70d01 0902161b
61736135 3531352e 646f7261 736e6174 7572616c 732e6c6f 63616c30 1e170d31
34313131 36313130 3931315a 170d3234 31313133 31313039 31315a30 57311030
0e060355 04031307 61736135 35313531 17301506 03550403 130e3139 322e3136
382e3136 2e323534 312a3028 06092a86 4886f70d 01090216 1b617361 35353135
2e646f72 61736e61 74757261 6c732e6c 6f63616c 30819f30 0d06092a 864886f7
0d010101 05000381 8d003081 89028181 00c1670c bdd9aab0 94450e21 fda9e6ba
45a4fa8b dab0cb36 540d769b 58aa0c34 343b9aa1 5cd40bfa 3ba4f872 f9550803
902ec3bc 42f2b06d ce6bbb1d a78591d6 a7a159e2 f8eef18a 0d93ffec 40a7d3c3
8696c676 c3809695 02dd8297 ad498b91 ebd74615 73759614 e8a69992 332498f2
0b080171 d37fde23 d226e99b a842f286 f3020301 0001300d 06092a86 4886f70d
01010505 00038181 0055eb55 dcbcde5c c35c0f84 8e34d735 88e91ff0 5f7a8f9b
c3ac0780 b0fce5fe 2d3b9d3c 2e360f33 4b2a8630 978dc8eb c2139aa8 f4917fa4
1112765e d2ad5000 90af0f83 2c755f5f 88685180 13e67408 4a7815aa 503de98a
8561d38c b4f77d06 15deea67 4c2c9914 d4d02331 b05d7c9e 793e5a84 949bb641
cd1db3ff 3d08bad7 90
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
certificate 4aff5954
30820225 3082018e a0030201 0202044a ff595430 0d06092a 864886f7 0d010105
05003057 3110300e 06035504 03130761 73613535 31353117 30150603 55040313
0e313932 2e313638 2e31362e 32353431 2a302806 092a8648 86f70d01 0902161b
61736135 3531352e 646f7261 736e6174 7572616c 732e6c6f 63616c30 1e170d31
34313131 37313733 3935355a 170d3234 31313134 31373339 35355a30 57311030
0e060355 04031307 61736135 35313531 17301506 03550403 130e3139 322e3136
382e3136 2e323534 312a3028 06092a86 4886f70d 01090216 1b617361 35353135
2e646f72 61736e61 74757261 6c732e6c 6f63616c 30819f30 0d06092a 864886f7
0d010101 05000381 8d003081 89028181 00c1670c bdd9aab0 94450e21 fda9e6ba
45a4fa8b dab0cb36 540d769b 58aa0c34 343b9aa1 5cd40bfa 3ba4f872 f9550803
902ec3bc 42f2b06d ce6bbb1d a78591d6 a7a159e2 f8eef18a 0d93ffec 40a7d3c3
8696c676 c3809695 02dd8297 ad498b91 ebd74615 73759614 e8a69992 332498f2
0b080171 d37fde23 d226e99b a842f286 f3020301 0001300d 06092a86 4886f70d
01010505 00038181 004b34fd 5b065c1f 19788daf d8632ce7 d105f443 13105ad3
019fe4ab d84018b3 2c70563f 5a44c454 0f4475b6 0ff12c29 c7cbd5b2 b1c769fb
2ff1681b b9cf9e90 60c1bbf6 401274ef 3668a557 0216ffc5 025db05b 7da5518f
f43fd309 9e9cd3ad 62fbd883 c93285bb 035dbe55 d6b39966 f7b3ec5f 06e3f066
682dc0e4 6aa9bffd f0
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_2
certificate 4bff5954
30820225 3082018e a0030201 0202044b ff595430 0d06092a 864886f7 0d010105
05003057 3110300e 06035504 03130761 73613535 31353117 30150603 55040313
0e313932 2e313638 2e31362e 32353431 2a302806 092a8648 86f70d01 0902161b
61736135 3531352e 646f7261 736e6174 7572616c 732e6c6f 63616c30 1e170d31
34313131 38313333 3235355a 170d3234 31313135 31333332 35355a30 57311030
0e060355 04031307 61736135 35313531 17301506 03550403 130e3139 322e3136
382e3136 2e323534 312a3028 06092a86 4886f70d 01090216 1b617361 35353135
2e646f72 61736e61 74757261 6c732e6c 6f63616c 30819f30 0d06092a 864886f7
0d010101 05000381 8d003081 89028181 00c1670c bdd9aab0 94450e21 fda9e6ba
45a4fa8b dab0cb36 540d769b 58aa0c34 343b9aa1 5cd40bfa 3ba4f872 f9550803
902ec3bc 42f2b06d ce6bbb1d a78591d6 a7a159e2 f8eef18a 0d93ffec 40a7d3c3
8696c676 c3809695 02dd8297 ad498b91 ebd74615 73759614 e8a69992 332498f2
0b080171 d37fde23 d226e99b a842f286 f3020301 0001300d 06092a86 4886f70d
01010505 00038181 007fca5e e6f75299 a3231268 45e4096f 41ad1afc 2222fc0d
c291cde0 36e2a033 06f9c5ca 5e2258f5 838df342 7be2b710 95dfd89d 11bf5929
469c8164 d08f9664 a11ebd1c bd7955ba fb3f8443 5f3a9e69 c660439e 70ff5052
fd52c329 f7adc5b0 64a01a88 854f5d6f f72e7cd1 d6559709 b669172a bc810048
93edc522 e351c950 1f
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_3
certificate 4cff5954
30820225 3082018e a0030201 0202044c ff595430 0d06092a 864886f7 0d010105
05003057 3110300e 06035504 03130761 73613535 31353117 30150603 55040313
0e313932 2e313638 2e31362e 32353431 2a302806 092a8648 86f70d01 0902161b
61736135 3531352e 646f7261 736e6174 7572616c 732e6c6f 63616c30 1e170d31
34313131 38313734 3934335a 170d3234 31313135 31373439 34335a30 57311030
0e060355 04031307 61736135 35313531 17301506 03550403 130e3139 322e3136
382e3136 2e323534 312a3028 06092a86 4886f70d 01090216 1b617361 35353135
2e646f72 61736e61 74757261 6c732e6c 6f63616c 30819f30 0d06092a 864886f7
0d010101 05000381 8d003081 89028181 00c1670c bdd9aab0 94450e21 fda9e6ba
45a4fa8b dab0cb36 540d769b 58aa0c34 343b9aa1 5cd40bfa 3ba4f872 f9550803
902ec3bc 42f2b06d ce6bbb1d a78591d6 a7a159e2 f8eef18a 0d93ffec 40a7d3c3
8696c676 c3809695 02dd8297 ad498b91 ebd74615 73759614 e8a69992 332498f2
0b080171 d37fde23 d226e99b a842f286 f3020301 0001300d 06092a86 4886f70d
01010505 00038181 00a474b3 7ae1cd37 97af5dce 4a0fc2bb a7b12f59 4586f98e
a3965727 fb7a5788 b15e28cd 4875bfe4 be70898c 5747a9c4 54196ad2 11a37531
522e1f54 777856f3 00e3b5eb a070b6c9 3b9b459a b07ac382 61e1d5bf 601c6ecb
5b3e8f33 f415e440 d3da46d9 da06a2c0 ebd26e13 06d61b32 56d29552 d10b68f0
5eef98e4 2d1b9479 30
quit
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable data
crypto ikev1 enable outside
crypto ikev1 enable data
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.16.119 255.255.255.255 data
ssh 192.168.16.201 255.255.255.255 data
ssh 192.168.16.0 255.255.255.0 data
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access voice
dhcpd address 192.168.20.1-192.168.20.199 voice
dhcpd dns 192.168.16.30 4.2.2.1 interface voice
dhcpd enable voice
!
dhcpd address 192.168.22.10-192.168.22.200 video
dhcpd dns 192.168.16.30 4.2.2.1 interface video
dhcpd enable video
!
dhcpd address 192.168.24.1-192.168.24.200 clients
dhcpd dns 192.168.16.30 4.2.2.1 interface clients
dhcpd enable clients
!
dhcpd address 192.168.26.10-192.168.26.100 dmz
dhcpd dns 192.168.16.30 192.168.16.31 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption 3des-sha1 aes256-sha1 dhe-aes256-sha1
ssl trust-point ASDM_Launcher_Access_TrustPoint_3 data vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_3 data
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_Anyconnect internal
group-policy GroupPolicy_Anyconnect attributes
wins-server none
dns-server value 192.168.16.30 10.16.0.0
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value somedomain.local
group-policy GroupPolicy_vpn-users internal
group-policy GroupPolicy_vpn-users attributes
wins-server none
dns-server value 192.168.16.30
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value somedomain.local
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
username dannf password RvGQ92odT9kjOIf8 encrypted
username johnt password Hhe.i9znJjAGRtYw encrypted
username ldiadmin password FnejGv4pwEeHVWJd encrypted
username ncs password xwmp2NT3BYMDFcxh encrypted
username julios password wTmjpIfjCMIBCCGO encrypted
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
address-pool vpn-pool
default-group-policy GroupPolicy_Anyconnect
tunnel-group Anyconnect webvpn-attributes
group-alias Anyconnect enable
tunnel-group vpn-users type remote-access
tunnel-group vpn-users general-attributes
address-pool vpn-pool
authentication-server-group LDAPSERVER LOCAL
default-group-policy GroupPolicy_vpn-users
tunnel-group vpn-users webvpn-attributes
group-alias vpn-users enable
tunnel-group *.*.178.2 type ipsec-l2l
tunnel-group *.*.178.2 general-attributes
default-group-policy GroupPolicy1
tunnel-group *.*.178.2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:9a0bd1383c57841a01fcefad99dd1a61
: end
asdm image disk0:/asdm-731-101.bin
no asdm history enable
Last Comment
Hi,
It seems, there is a problem with the printer, not the ASA,
It seems, there is a problem with the printer, not the ASA,
ASKER
sorry friends.
That is an incorrect assumption.
I have my old juniper router configured with the same internal IP address as the gateway, if i replace the ASA with the juniper, i have zero issues.
it is not just a printer problem, this happens client o client as well..
That is an incorrect assumption.
I have my old juniper router configured with the same internal IP address as the gateway, if i replace the ASA with the juniper, i have zero issues.
it is not just a printer problem, this happens client o client as well..
ASKER
also, the ASA is explicitly telling me that it is denying the icmp packets
4 Nov 23 2014 18:38:46 Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session
4 Nov 23 2014 18:38:46 Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session
If you replace the firewall with a router, you will not have any issues, as a router by default forwards packets, and a firewall by default drops packets.
The issue that I'm concerned about, is that the printer forwards packets for 192.168.16.50 toward the MAC address of the firewall at all. Basic IP routing dictates that, should a destination IP address be in the same subnet than the outgoing interface IP, ARP should be used to obtain the MAC address of the destination IP. Only if the destination IP is in a different subnet than the outgoing interface, should the packet be directed towards the default gateway. (This is specified in RFC1122, section 3, if you really want to bore yourself...)
From the information in your e-mail, the traffic from 192.168.16.50 to 192.168.16.19 is forwarded as it should be (you should see an ARP entry for 192.168.16.19 on the 192.168.16.50 host), but it seems that the return traffic (from 192.168.16.19 to 192.168.16.50) is not sent directly to the 192.168.16.50, but via the default gateway (192.168.16.254) - If this default gateway is any router, it will just change the MAC address and send it back out on the same interface, but if it is a firewall, it will have to pass through some basic checks first, one of which is that the firewall must have seen an ICMP request to allow an ICMP response. At this point the firewall will discard the packet, logging the error you quoted.
To prove that it is not a firewall issue, remove the firewall completely (and don't replace it with a router of any kind) - You will still be able to ping between 192.168.16.51 and the printer, even though there is no firewall to allow the traffic.
So, in my opinion, the only reason you can ping from 192.168.16.51, but not from 192.168.16.50, is because the printer treats the two destinations differently. This is either because the subnet masking is incorrectly set on the printer (causing it to believe that 192.168.16.50 is not directly connected, while 192.168.16.51 is, which will happen with a 255.255.255.1 mask), or if there is a static route configured on the printer for only the 192.168.16.50 address, pointing to the default gateway. To prove this, change the IP address of 192.168.16.50 to 192.168.16.53 (or .49), and check if you can ping the printer then.
There's also the possibility of the LAN segments being different as well (i.e. 192.168.16.19 and 192.168.16.51 on the same LAN segment, but 192.168.16.50 on a different one), but this would cause other symptoms as well (as you won't be able to ping between 192.168.16.50 and 192.168.16.51).
The issue that I'm concerned about, is that the printer forwards packets for 192.168.16.50 toward the MAC address of the firewall at all. Basic IP routing dictates that, should a destination IP address be in the same subnet than the outgoing interface IP, ARP should be used to obtain the MAC address of the destination IP. Only if the destination IP is in a different subnet than the outgoing interface, should the packet be directed towards the default gateway. (This is specified in RFC1122, section 3, if you really want to bore yourself...)
From the information in your e-mail, the traffic from 192.168.16.50 to 192.168.16.19 is forwarded as it should be (you should see an ARP entry for 192.168.16.19 on the 192.168.16.50 host), but it seems that the return traffic (from 192.168.16.19 to 192.168.16.50) is not sent directly to the 192.168.16.50, but via the default gateway (192.168.16.254) - If this default gateway is any router, it will just change the MAC address and send it back out on the same interface, but if it is a firewall, it will have to pass through some basic checks first, one of which is that the firewall must have seen an ICMP request to allow an ICMP response. At this point the firewall will discard the packet, logging the error you quoted.
To prove that it is not a firewall issue, remove the firewall completely (and don't replace it with a router of any kind) - You will still be able to ping between 192.168.16.51 and the printer, even though there is no firewall to allow the traffic.
So, in my opinion, the only reason you can ping from 192.168.16.51, but not from 192.168.16.50, is because the printer treats the two destinations differently. This is either because the subnet masking is incorrectly set on the printer (causing it to believe that 192.168.16.50 is not directly connected, while 192.168.16.51 is, which will happen with a 255.255.255.1 mask), or if there is a static route configured on the printer for only the 192.168.16.50 address, pointing to the default gateway. To prove this, change the IP address of 192.168.16.50 to 192.168.16.53 (or .49), and check if you can ping the printer then.
There's also the possibility of the LAN segments being different as well (i.e. 192.168.16.19 and 192.168.16.51 on the same LAN segment, but 192.168.16.50 on a different one), but this would cause other symptoms as well (as you won't be able to ping between 192.168.16.50 and 192.168.16.51).
ASKER
Below is a faithful representation of my network setup. I built the network from ground up including the ASA configs.
I am decently versed in Cisco and In my 12 years in the industry, I have never bumped into anything like this.
its not just the .50 address that has issues sending icmp traffic to the it's certain nodes connected to the same switch. I have other nodes on the same switch that NEVER have any issues printing or pinging that printer.
I made sure I wasnt having any arp issues and cleared arp on all 3 switches involved (core and 2 lan switches) along with arp table on the ASA.
I have verified multiple times, all nodes in question have a 24 bit mask and have the ASA as the default gateway.
I ran your test and disabled the data interface on the ASA and I am able to ping across the board without any problems. Once I bring the ASA back in to play, I start having the problem.
I double checked and triple checked my configs and I don't see nor configured anything out of the norm that would block the ICMP traffic, even though I absolutely agree with you, that the traffic shouldn't even hit my firewall, routing should happen via ARP tables.
I am decently versed in Cisco and In my 12 years in the industry, I have never bumped into anything like this.
its not just the .50 address that has issues sending icmp traffic to the it's certain nodes connected to the same switch. I have other nodes on the same switch that NEVER have any issues printing or pinging that printer.
I made sure I wasnt having any arp issues and cleared arp on all 3 switches involved (core and 2 lan switches) along with arp table on the ASA.
I have verified multiple times, all nodes in question have a 24 bit mask and have the ASA as the default gateway.
I ran your test and disabled the data interface on the ASA and I am able to ping across the board without any problems. Once I bring the ASA back in to play, I start having the problem.
I double checked and triple checked my configs and I don't see nor configured anything out of the norm that would block the ICMP traffic, even though I absolutely agree with you, that the traffic shouldn't even hit my firewall, routing should happen via ARP tables.
Thanks for the detailed back-ground, it really helps a lot.
I just want to clarify your statement
If you change the IP addresses around between the two computers (i.e. configure .50 on the right-hand computer in your diagram), can you then ping from .50, and not from .51? Or to put it another way, does this affect any device (whatever its IP) that's connected to the right-hand-side access switch? If so, it might be something on the 10GbE Core switch, like MAC filtering. Could you perhaps share the config of your core switch?
One other thing I noticed on your FW config: nat (data,voice) and nat (video,data) does not have the "no-proxy-arp" set, but I know too little about firewalls to tell you that it must be set. But it could explain why the firewall would respond to an ARP request from the printer, causing traffic to hit the firewall...
I just want to clarify your statement
I ran your test and disabled the data interface on the ASA and I am able to ping across the board without any problems.If you disable the FW 'data' interface, you can ping from .50 to .19? Then I agree, it has to be something the firewall does, or perhaps something the 12-port 10GigE switch does as long as the firewall interface is active.
If you change the IP addresses around between the two computers (i.e. configure .50 on the right-hand computer in your diagram), can you then ping from .50, and not from .51? Or to put it another way, does this affect any device (whatever its IP) that's connected to the right-hand-side access switch? If so, it might be something on the 10GbE Core switch, like MAC filtering. Could you perhaps share the config of your core switch?
One other thing I noticed on your FW config: nat (data,voice) and nat (video,data) does not have the "no-proxy-arp" set, but I know too little about firewalls to tell you that it must be set. But it could explain why the firewall would respond to an ARP request from the printer, causing traffic to hit the firewall...
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Hi,
I see there is no problem in ASA config I see problem with hardware RJ45 jack as it sometimes connect and sometimes it won't connect.Could you please replace your CAT5 cable and climp the jack with straight cabling.That is why it sometimes connects and sometimes it disconnects Or you can try this command on ASA as below :
ASA#debug ICMP (soon after pinging gateway from Host with multiple entries as ping 192.168.16.19 -1000).It will give the appropriate answer where the packet is dropping either on host side or ASA.
I see there is no problem in ASA config I see problem with hardware RJ45 jack as it sometimes connect and sometimes it won't connect.Could you please replace your CAT5 cable and climp the jack with straight cabling.That is why it sometimes connects and sometimes it disconnects Or you can try this command on ASA as below :
ASA#debug ICMP (soon after pinging gateway from Host with multiple entries as ping 192.168.16.19 -1000).It will give the appropriate answer where the packet is dropping either on host side or ASA.
@sm_feroz
I disagree with your assessment that the problem might be a cable issue - A cable issue between the printer and switch would affect both hosts (not just one of them), and a cabling issue anywhere else would affect more than just the printer communications. A cabling issue also does not explain the firewall log entry "Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session"
The question the particular firewall log entry raises: Why would an ICMP packet from 192.168.16.19 (Printer) to 192.168.16.50 (Computer1) even be evaluated by the firewall? Surely, since the two devices are on the same broadcast segment, they should be able to find each other's MAC addresses using ARP? (This they do, if the firewall interface gets disabled - then the pings then succeed all the time.)
The answer, in my opinion, lies with Proxy ARP. If Proxy-ARP is enabled on the firewall interface, it will respond to all ARP requests it receives, so the printer could receive two responses to its ARP request - one from the actual host, and another from the firewall. Which one it chooses depends on its code, but it is possible that it can use the first one it receives. Since Computer2 is directly connected to the same switch, its ARP response should reach the printer first, and the printer will reply using the Computer2 MAC address. But since Computer1 is further away, the Firewall's ARP response can reach the Printer first, causing the Printer to use the firewall's MAC address in its ICMP Reply message. This packet will be switched to the firewall, and since the firewall did not see the original ICMP Request, it will drop the packet and generate the log entry above.
Now, proxy ARP is required in some instances, but what I can gather from the architecture provided, this isn't one of them. And, as I quoted in my last comment, this is a known issue when configuring twice NAT without the "no-proxy-arp" keyword.
My suggestion would be to add "no-proxy-arp" to the two NAT rules that doesn't have them configured (although, technically, you only need to add it where "data" is the source):
I disagree with your assessment that the problem might be a cable issue - A cable issue between the printer and switch would affect both hosts (not just one of them), and a cabling issue anywhere else would affect more than just the printer communications. A cabling issue also does not explain the firewall log entry "Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session"
The question the particular firewall log entry raises: Why would an ICMP packet from 192.168.16.19 (Printer) to 192.168.16.50 (Computer1) even be evaluated by the firewall? Surely, since the two devices are on the same broadcast segment, they should be able to find each other's MAC addresses using ARP? (This they do, if the firewall interface gets disabled - then the pings then succeed all the time.)
The answer, in my opinion, lies with Proxy ARP. If Proxy-ARP is enabled on the firewall interface, it will respond to all ARP requests it receives, so the printer could receive two responses to its ARP request - one from the actual host, and another from the firewall. Which one it chooses depends on its code, but it is possible that it can use the first one it receives. Since Computer2 is directly connected to the same switch, its ARP response should reach the printer first, and the printer will reply using the Computer2 MAC address. But since Computer1 is further away, the Firewall's ARP response can reach the Printer first, causing the Printer to use the firewall's MAC address in its ICMP Reply message. This packet will be switched to the firewall, and since the firewall did not see the original ICMP Request, it will drop the packet and generate the log entry above.
Now, proxy ARP is required in some instances, but what I can gather from the architecture provided, this isn't one of them. And, as I quoted in my last comment, this is a known issue when configuring twice NAT without the "no-proxy-arp" keyword.
My suggestion would be to add "no-proxy-arp" to the two NAT rules that doesn't have them configured (although, technically, you only need to add it where "data" is the source):
nat (data,voice) source static inside-subnet inside-subnet destination static voice-subnet voice-subnet no-proxy-arp
nat (video,data) source static inside-subnet inside-subnet destination static video-subnet video-subnet no-proxy-arp
The computer with the .50 address... can you turn it off and try to ping it from the other computer?
It sounds like you have a device with the same IP on the network.
It sounds like you have a device with the same IP on the network.
Hi,
If you have any DNS entries on Computer 2 plz check If so then make changes in computer1 in Network Properties under DNS entry add DNS entries and try once .It will Ping 100 % Successfully.
If you have any DNS entries on Computer 2 plz check If so then make changes in computer1 in Network Properties under DNS entry add DNS entries and try once .It will Ping 100 % Successfully.
This has nothing to do with DNS.
I've been beating my head against the wall for months now at a customer site trying to track this same issue down at a customer site I recently took over. It only affected the printers and one server. I suspected all along it was a NAT statement in the ASA but could not pinpoint the issue or find anyone who had ever seen this issue (I've been in this business for 22 years myself) so we replaced printers, switches, servers, certified data drops, etc., etc. Super easy fix! Thanks Otto_N!
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
By the way, you're right in your assumption that, for traffic in the same subnet, it should not be forwarded to the firewall interface. I assume that the two computers and the printer is all connected to the same VLAN in the switching environment?