Solved

Cisco ASA - Firewall issue within LAN (Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session)

Posted on 2014-11-23
5,001 Views
Last Modified: 2016-05-04
I have a very weird issue on my LAN which I cannot pinpoint what the root cause is.

I have a printer on my lan with IP address of 192.168.16.19

My computer is 192.168.16.50

My second computer is 192.168.16.51

All machines have a gateway of 192.168.16.254 (Cisco ASA 5515-X)

... From Computer 1 (.50), whenever I try to ping the printer, sometimes it will ping successfully; other times it will not ping at all.
... From Computer 2 (.51) I can ping successfully 100% of the time.

I have run ping simultaneously from both machines: Computer 1 gets no ping, Computer 2 can ping, at the same time.

I was under the impression that because both machines are locally on the same lan, they would not have to go through the firewall, even though they both use it as a gateway.

When I look at my ASA logs via ASDM..

I get this error message here

4      Nov 23 2014      18:38:46                                    Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session

over and over while I run the ping.

I made sure that my host is not shunned, and have disabled threat detection scanning and blocking.

This is my ASA config; I blocked out any public IP address information.

Thanks in advance.
: Saved
:
ASA Version 9.1(2) 
!
hostname asa5515
domain-name somedomain.local
enable password M82a6Pogb3RUeDkW encrypted
names
ip local pool vpn-pool 192.168.18.10-192.168.18.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address *.*.214.110 255.255.255.240 
!
interface GigabitEthernet0/1
 nameif data
 security-level 100
 ip address 192.168.16.254 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif voice
 security-level 100
 ip address 192.168.20.254 255.255.255.0 
!
interface GigabitEthernet0/3
 nameif video
 security-level 100
 ip address 192.168.22.254 255.255.255.0 
!
interface GigabitEthernet0/4
 nameif clients
 security-level 100
 ip address 192.168.24.254 255.255.255.0 
!
interface GigabitEthernet0/5
 nameif dmz
 security-level 10
 ip address 192.168.26.254 255.255.255.0 
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name somedomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-subnet
 subnet 192.168.16.0 255.255.255.0
object network voice-subnet
 subnet 192.168.20.0 255.255.255.0
object network dns-server
 host 192.168.16.30
object network Elmhurst
 subnet 10.0.0.0 255.0.0.0
 description Elmhurst
object network mstsc
 host 192.168.16.119
object service RDP
 service tcp source eq 3389 destination eq 3389 
 description Remote Desktop Connection
object network apex
 host 192.168.16.40
object network *.*.214.109
 host *.*.214.109
object network reports
 host 192.168.16.40
object network reports-internal
 host 192.168.16.40
object network obj-192.168.16.40
 host 192.168.16.40
object network obj-192.168.16.201
 host 192.168.16.201
object network obj-192.168.16.194
 host 192.168.16.194
object network rails
 host 192.168.16.194
object network ssh-ruby
 host 192.168.16.194
object network NETWORK_OBJ_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network NETWORK_OBJ_192.168.16.0_24
 subnet 192.168.16.0 255.255.255.0
object network NETWORK_OBJ_192.168.18.0_25
 subnet 192.168.18.0 255.255.255.128
object network *.*.214.105
 host *.*.214.105
object network orcl
 host 192.168.16.195
object network credit_application
 host *.*.214.104
object network obj_104
 host *.*.214.104
object network *.*.214.104
 host *.*.214.104
object service http_8080
 service tcp source eq 8080 destination eq 8080 
object network obj-192.168.16.253
 host 192.168.16.253
object network obj-192.168.16.118
 host 192.168.16.118
object network obj-192.168.16.6
 host 192.168.16.6
object network obj-192.168.16.119
 host 192.168.16.119
object network NETWORK_OBJ_192.168.24.0_24
 subnet 192.168.24.0 255.255.255.0
object network obj-192.168.16.195
 host 192.168.16.195
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 8080
 port-object eq ssh
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group service RemoteD tcp
 port-object eq 3389
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object tcp destination eq www 
object-group service apexreports
object-group network VPNTunnelGroup
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.16.0 255.255.255.0
 network-object 192.168.0.0 255.255.0.0
object-group protocol DM_INLINE_PROTOCOL_9
 protocol-object ip
 protocol-object icmp
object-group network video-subnet
 network-object 192.168.22.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_acl extended permit tcp any host 192.168.16.253 eq www 
access-list outside_acl extended permit tcp any host 192.168.16.6 eq 22014 
access-list outside_acl extended permit tcp any host 192.168.16.195 object-group DM_INLINE_TCP_1 
access-list dmz_acl extended permit udp any object dns-server eq domain 
access-list dmz_acl extended permit object-group DM_INLINE_PROTOCOL_4 any object inside-subnet 
access-list dmz_acl extended permit object-group DM_INLINE_PROTOCOL_3 any any 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any 
access-list outside_cryptomap extended permit ip object inside-subnet object Elmhurst 
access-list outside_cryptomap_1 extended permit ip 192.168.16.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list ACL-INSIDE-NONAT extended permit ip 192.168.16.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list video_access_in extended permit object-group DM_INLINE_PROTOCOL_9 any object inside-subnet 
access-list video_access_in extended permit ip any any 
access-list outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list split_tunnel standard permit 192.168.16.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging buffer-size 104857
logging buffered debugging
logging trap errors
logging asdm notifications
logging facility 21
logging host data 192.168.16.119
flow-export destination data 192.168.16.119 2055
mtu outside 1500
mtu data 1500
mtu voice 1500
mtu video 1500
mtu clients 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (data,voice) source static inside-subnet inside-subnet destination static voice-subnet voice-subnet
nat (voice,outside) source static voice-subnet voice-subnet destination static Elmhurst Elmhurst no-proxy-arp route-lookup
nat (outside,data) source static *.*.214.109 *.*.214.109 destination static apex apex no-proxy-arp
nat (data,outside) source static VPNTunnelGroup VPNTunnelGroup destination static NETWORK_OBJ_192.168.18.0_25 NETWORK_OBJ_192.168.18.0_25 no-proxy-arp route-lookup
nat (video,data) source static inside-subnet inside-subnet destination static video-subnet video-subnet
nat (data,outside) source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24 destination static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 no-proxy-arp route-lookup
nat (voice,outside) source static VPNTunnelGroup VPNTunnelGroup destination static NETWORK_OBJ_192.168.18.0_25 NETWORK_OBJ_192.168.18.0_25 no-proxy-arp route-lookup
nat (clients,outside) source static NETWORK_OBJ_192.168.24.0_24 NETWORK_OBJ_192.168.24.0_24 destination static Elmhurst Elmhurst no-proxy-arp route-lookup
nat (clients,outside) source static NETWORK_OBJ_192.168.24.0_24 NETWORK_OBJ_192.168.24.0_24 destination static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 no-proxy-arp route-lookup
!
object network inside-subnet
 nat (data,outside) dynamic interface
object network voice-subnet
 nat (voice,outside) dynamic interface
object network obj-192.168.16.253
 nat (data,outside) static *.*.214.100
object network obj-192.168.16.6
 nat (data,outside) static *.*.214.102
object network obj-192.168.16.195
 nat (data,outside) static *.*.214.104
access-group outside_acl in interface outside
access-group inside_access_in in interface data
access-group dmz_acl in interface voice
access-group video_access_in in interface video
route outside 0.0.0.0 0.0.0.0 *.*.214.97 1
route outside 10.0.0.0 255.0.0.0 *.*.178.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAPSERVER protocol ldap
aaa-server LDAPSERVER (data) host 192.168.16.31
 ldap-base-dn DC=somedomain,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=John Terrero,OU=Users,OU=_Doras,DC=somedomain,DC=local
 server-type microsoft
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 192.168.16.201 255.255.255.255 data
http 192.168.16.0 255.255.255.0 data
http 0.0.0.0 0.0.0.0 data
http 0.0.0.0 0.0.0.0 outside
snmp-server group Authentication&Encryption v3 priv 
snmp-server user johnt Authentication&Encryption v3 encrypted auth md5 87:40:72:55:60:71:15:4f:8c:f4:db:11:ea:94:61:cb priv 3des 87:40:72:55:60:71:15:4f:8c:f4:db:11:ea:94:61:cb:c6:09:3e:d8:31:0a:4a:14:b6:9e:23:32:33:67:d8:a8 
snmp-server host data 192.168.16.31 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer *.*.178.2 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-128-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer *.*.178.2 
crypto map outside_map 60 match address outside_cryptomap_1
crypto map outside_map 60 set peer *.*.178.2 
crypto map outside_map 60 set ikev1 transform-set ESP-AES-256-MD5
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=asa5515.somedomain.local,O=somedomain,C=US
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=asa5515.somedomain.local,O=somedomain,C=us
 crl configure
crypto ca trustpoint self
 enrollment self
 subject-name cn=192.168.16.254
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 subject-name CN=192.168.16.254,CN=asa5515
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
 enrollment self
 subject-name CN=192.168.16.254,CN=asa5515
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_2
 enrollment self
 subject-name CN=192.168.16.254,CN=asa5515
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_3
 enrollment self
 subject-name CN=192.168.16.254,CN=asa5515
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 subject-name CN=asa5515.somedomain.local,O=somedomain,C=us
 crl configure
crypto ca trustpool policy
crypto ca certificate chain self
 certificate 48ff5954
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 49ff5954
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
 certificate 4aff5954
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_2
 certificate 4bff5954
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_3
 certificate 4cff5954
  quit
crypto isakmp identity address 
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable data
crypto ikev1 enable outside
crypto ikev1 enable data
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.16.119 255.255.255.255 data
ssh 192.168.16.201 255.255.255.255 data
ssh 192.168.16.0 255.255.255.0 data
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access voice
dhcpd address 192.168.20.1-192.168.20.199 voice
dhcpd dns 192.168.16.30 4.2.2.1 interface voice
dhcpd enable voice
!
dhcpd address 192.168.22.10-192.168.22.200 video
dhcpd dns 192.168.16.30 4.2.2.1 interface video
dhcpd enable video
!
dhcpd address 192.168.24.1-192.168.24.200 clients
dhcpd dns 192.168.16.30 4.2.2.1 interface clients
dhcpd enable clients
!
dhcpd address 192.168.26.10-192.168.26.100 dmz
dhcpd dns 192.168.16.30 192.168.16.31 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption 3des-sha1 aes256-sha1 dhe-aes256-sha1
ssl trust-point ASDM_Launcher_Access_TrustPoint_3 data vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_3 data
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_Anyconnect internal
group-policy GroupPolicy_Anyconnect attributes
 wins-server none
 dns-server value 192.168.16.30 10.16.0.0
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value somedomain.local
group-policy GroupPolicy_vpn-users internal
group-policy GroupPolicy_vpn-users attributes
 wins-server none
 dns-server value 192.168.16.30
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value somedomain.local
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1 ikev2 
username dannf password RvGQ92odT9kjOIf8 encrypted
username johnt password Hhe.i9znJjAGRtYw encrypted
username ldiadmin password FnejGv4pwEeHVWJd encrypted
username ncs password xwmp2NT3BYMDFcxh encrypted
username julios password wTmjpIfjCMIBCCGO encrypted
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
 address-pool vpn-pool
 default-group-policy GroupPolicy_Anyconnect
tunnel-group Anyconnect webvpn-attributes
 group-alias Anyconnect enable
tunnel-group vpn-users type remote-access
tunnel-group vpn-users general-attributes
 address-pool vpn-pool
 authentication-server-group LDAPSERVER LOCAL
 default-group-policy GroupPolicy_vpn-users
tunnel-group vpn-users webvpn-attributes
 group-alias vpn-users enable
tunnel-group *.*.178.2 type ipsec-l2l
tunnel-group *.*.178.2 general-attributes
 default-group-policy GroupPolicy1
tunnel-group *.*.178.2 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:9a0bd1383c57841a01fcefad99dd1a61
: end
asdm image disk0:/asdm-731-101.bin
no asdm history enable


Question by:FutureDBA-
14 Comments
 
LVL 14

Expert Comment

by:Otto_N
ID: 40461621
I don't think the trouble is with the ASA, I think it might be with your printer - Could you check its subnet mask?  If the subnet mask is configured as 255.255.255.1 (instead of 255.255.255.0), it would explain why it thinks that 192.168.16.50 is on a different subnet from its own IP, requiring the traffic to be forwarded to the default gateway.

By the way, you're right in your assumption that traffic in the same subnet should not be forwarded to the firewall interface. I assume that the two computers and the printer are all connected to the same VLAN in the switching environment?
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 40461910
Hi,


It seems there is a problem with the printer, not the ASA.
 

Author Comment

by:FutureDBA-
ID: 40461982
Sorry, friends.

That is an incorrect assumption.

I have my old Juniper router configured with the same internal IP address as the gateway; if I replace the ASA with the Juniper, I have zero issues.

It is not just a printer problem; this happens client to client as well.
 

Author Comment

by:FutureDBA-
ID: 40461987
Also, the ASA is explicitly telling me that it is denying the ICMP packets:

4      Nov 23 2014      18:38:46                                    Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session
 
LVL 14

Expert Comment

by:Otto_N
ID: 40462341
If you replace the firewall with a router, you will not have any issues, as a router by default forwards packets, and a firewall by default drops packets.

The issue that I'm concerned about is that the printer forwards packets for 192.168.16.50 toward the MAC address of the firewall at all. Basic IP routing dictates that, should a destination IP address be in the same subnet as the outgoing interface IP, ARP should be used to obtain the MAC address of the destination IP. Only if the destination IP is in a different subnet from the outgoing interface should the packet be directed towards the default gateway. (This is specified in RFC1122, section 3, if you really want to bore yourself...)

From the information in your e-mail, the traffic from 192.168.16.50 to 192.168.16.19 is forwarded as it should be (you should see an ARP entry for 192.168.16.19 on the 192.168.16.50 host), but it seems that the return traffic (from 192.168.16.19 to 192.168.16.50) is not sent directly to 192.168.16.50, but via the default gateway (192.168.16.254). If this default gateway is any router, it will just change the MAC address and send it back out on the same interface, but if it is a firewall, it will have to pass through some basic checks first, one of which is that the firewall must have seen an ICMP request to allow an ICMP response. At this point the firewall will discard the packet, logging the error you quoted.

To prove that it is not a firewall issue, remove the firewall completely (and don't replace it with a router of any kind) - You will still be able to ping between 192.168.16.51 and the printer, even though there is no firewall to allow the traffic.

So, in my opinion, the only reason you can ping from 192.168.16.51, but not from 192.168.16.50, is because the printer treats the two destinations differently.  This is either because the subnet masking is incorrectly set on the printer (causing it to believe that 192.168.16.50 is not directly connected, while 192.168.16.51 is, which will happen with a 255.255.255.1 mask), or if there is a static route configured on the printer for only the 192.168.16.50 address, pointing to the default gateway.  To prove this, change the IP address of 192.168.16.50 to 192.168.16.53 (or .49), and check if you can ping the printer then.

There's also the possibility of the LAN segments being different as well (i.e. 192.168.16.19 and 192.168.16.51 on the same LAN segment, but 192.168.16.50 on a different one), but this would cause other symptoms as well (as you won't be able to ping between 192.168.16.50 and 192.168.16.51).
0
 

Author Comment

by:FutureDBA-
ID: 40463595
Below is a faithful representation of my network setup. I built the network from ground up including the ASA configs.

I am decently versed in Cisco and in my 12 years in the industry, I have never bumped into anything like this.

It's not just the .50 address that has issues sending ICMP traffic to it; it's certain nodes connected to the same switch. I have other nodes on the same switch that NEVER have any issues printing or pinging that printer.

I made sure I wasn't having any ARP issues and cleared ARP on all 3 switches involved (core and 2 LAN switches) along with the ARP table on the ASA.

I have verified multiple times, all nodes in question have a 24 bit mask and have the ASA as the default gateway.

I ran your test and disabled the data interface on the ASA and I am able to ping across the board without any problems. Once I bring the ASA back into play, I start having the problem.

I double-checked and triple-checked my configs and I don't see (nor have I configured) anything out of the norm that would block the ICMP traffic, even though I absolutely agree with you that the traffic shouldn't even hit my firewall; routing should happen via ARP tables.


Network Diagram
0
 
LVL 14

Expert Comment

by:Otto_N
ID: 40464209
Thanks for the detailed background, it really helps a lot.

I just want to clarify your statement:
I ran your test and disabled the data interface on the ASA and I am able to ping across the board without any problems.
If you disable the FW 'data' interface, you can ping from .50 to .19?  Then I agree, it has to be something the firewall does, or perhaps something the 12-port 10GigE switch does as long as the firewall interface is active.

If you change the IP addresses around between the two computers (i.e. configure .50 on the right-hand computer in your diagram), can you then ping from .50, and not from .51?  Or to put it another way, does this affect any device (whatever its IP) that's connected to the right-hand-side access switch?  If so, it might be something on the 10GbE Core switch, like MAC filtering.  Could you perhaps share the config of your core switch?

One other thing I noticed in your FW config: nat (data,voice) and nat (video,data) do not have "no-proxy-arp" set, but I know too little about firewalls to tell you that it must be set.  But it could explain why the firewall would respond to an ARP request from the printer, causing traffic to hit the firewall...
0
 
LVL 14

Accepted Solution

by:
Otto_N earned 500 total points
ID: 40464563
After some research, I'm now convinced that proxy ARP is the culprit here.  I found the following in CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1:
Normally for identity NAT, proxy ARP is not required, and in some cases can cause connectivity issues. For example, if you configure a broad identity NAT rule for “any” IP address, then leaving proxy ARP enabled can cause problems for hosts on the network directly-connected to the mapped interface. In this case, when a host on the mapped network wants to communicate with another host on the same network, then the address in the ARP request matches the NAT rule (which matches “any” address). The ASA will then proxy ARP for the address, even though the packet is not actually destined for the ASA. (Note that this problem occurs even if you have a twice NAT rule; although the NAT rule must match both the source and destination addresses, the proxy ARP decision is made only on the “source” address). If the ASA ARP response is received before the actual host ARP response, then traffic will be mistakenly sent to the ASA.
I suspect if you add "no-proxy-arp" to your "nat (video,data)" configuration line, you would fix your problem.
1
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 40575953
Hi,

I see there is no problem in the ASA config; I see a problem with the hardware RJ45 jack, as it sometimes connects and sometimes it won't connect. Could you please replace your CAT5 cable and crimp the jack with straight cabling. That is why it sometimes connects and sometimes it disconnects. Or you can try this command on the ASA as below:

ASA#debug ICMP (soon after pinging the gateway from the host with multiple entries, as in ping 192.168.16.19 -1000). It will give the appropriate answer as to where the packet is dropping, either on the host side or the ASA.
0
 
LVL 14

Expert Comment

by:Otto_N
ID: 40576997
@sm_feroz
I disagree with your assessment that the problem might be a cable issue.  A cable issue between the printer and switch would affect both hosts (not just one of them), and a cabling issue anywhere else would affect more than just the printer communications.  A cabling issue also does not explain the firewall log entry "Denied ICMP type=0, from laddr 192.168.16.19 on interface data to 192.168.16.50: no matching session".

The question the particular firewall log entry raises:  Why would an ICMP packet from 192.168.16.19 (Printer) to 192.168.16.50 (Computer1) even be evaluated by the firewall?  Surely, since the two devices are on the same broadcast segment, they should be able to find each other's MAC addresses using ARP?  (This they do if the firewall interface gets disabled; then the pings succeed all the time.)

The answer, in my opinion, lies with Proxy ARP.  If Proxy ARP is enabled on the firewall interface, it will respond to all ARP requests it receives, so the printer could receive two responses to its ARP request: one from the actual host, and another from the firewall.  Which one it chooses depends on its code, but it is possible that it uses the first one it receives.  Since Computer2 is directly connected to the same switch, its ARP response should reach the printer first, and the printer will reply using the Computer2 MAC address.  But since Computer1 is further away, the firewall's ARP response can reach the printer first, causing the printer to use the firewall's MAC address in its ICMP Reply message.  This packet will be switched to the firewall, and since the firewall did not see the original ICMP Request, it will drop the packet and generate the log entry above.

Now, proxy ARP is required in some instances, but from what I can gather from the architecture provided, this isn't one of them.  And, as I quoted in my last comment, this is a known issue when configuring twice NAT without the "no-proxy-arp" keyword.

My suggestion would be to add "no-proxy-arp" to the two NAT rules that don't have it configured (although, technically, you only need to add it where "data" is the source):
nat (data,voice) source static inside-subnet inside-subnet destination static voice-subnet voice-subnet no-proxy-arp
nat (video,data) source static inside-subnet inside-subnet destination static video-subnet video-subnet no-proxy-arp

0
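The mechanism described above (two ARP replies for the same IP, one from the real host and one from the firewall proxy-ARPing for a NAT rule) is something a defender can check for on a capture from a SPAN port of the access switch. The following is an added example, not code from the thread or from Cisco, that applies that check to a few constructed tcpdump-style ARP lines; the MAC addresses, the line format and the capture itself are assumptions for illustration.

```python
"""Flag IP addresses that receive ARP replies from more than one MAC."""
import re
from collections import defaultdict

# Constructed sample (not real capture data). MACs are made up; the IPs are
# the ones from the thread. The firewall MAC here is aa:bb:cc:dd:ee:fe and it
# answers for 192.168.16.50 as well as the host itself (proxy ARP).
SAMPLE_CAPTURE = """\
00:11:22:33:44:19 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 192.168.16.50 tell 192.168.16.19
00:11:22:33:44:50 > 00:11:22:33:44:19, ARP, Reply 192.168.16.50 is-at 00:11:22:33:44:50
aa:bb:cc:dd:ee:fe > 00:11:22:33:44:19, ARP, Reply 192.168.16.50 is-at aa:bb:cc:dd:ee:fe
00:11:22:33:44:19 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 192.168.16.51 tell 192.168.16.19
00:11:22:33:44:51 > 00:11:22:33:44:19, ARP, Reply 192.168.16.51 is-at 00:11:22:33:44:51
"""

# Matches the "Reply <ip> is-at <mac>" part of an ARP reply line.
REPLY_RE = re.compile(r"Reply (\S+) is-at ([0-9a-f:]{17})")


def arp_responders(capture_text):
    """Map each replied-for IP to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in capture_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            claims[m.group(1)].add(m.group(2))
    return claims


def conflicting_ips(capture_text, gateway_mac=None):
    """Return {ip: sorted MAC list} for IPs answered by more than one MAC.

    With gateway_mac set, only conflicts that involve the gateway (the
    proxy-ARP case from the thread) are reported.
    """
    result = {}
    for ip, macs in arp_responders(capture_text).items():
        if len(macs) < 2 or (gateway_mac and gateway_mac not in macs):
            continue
        result[ip] = sorted(macs)
    return result


if __name__ == "__main__":
    for ip, macs in conflicting_ips(SAMPLE_CAPTURE, "aa:bb:cc:dd:ee:fe").items():
        print(f"{ip} answered by {len(macs)} MACs: {', '.join(macs)}")
```

On a real capture, an IP that is only ever answered by the gateway MAC while the host is up is the same symptom seen from the other side: the firewall's reply won the race every time.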
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40580322
The computer with the .50 address... can you turn it off and try to ping it from the other computer?

It sounds like you have a device with the same IP on the network.
0
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 40592001
Hi,

If you have any DNS entries on Computer 2, please check. If so, then make changes on Computer 1 in Network Properties under the DNS entry, add the DNS entries and try once. It will ping 100% successfully.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40592180
This has nothing to do with DNS.
0
 
LVL 1

Expert Comment

by:JCRussell
ID: 41578674
I've been beating my head against the wall for months now trying to track this same issue down at a customer site I recently took over.  It only affected the printers and one server.  I suspected all along it was a NAT statement in the ASA but could not pinpoint the issue or find anyone who had ever seen this issue (I've been in this business for 22 years myself), so we replaced printers, switches, servers, certified data drops, etc., etc.  Super easy fix!  Thanks Otto_N!
0