?
Solved

Can only ping one way through ASA, NAT issue?

Posted on 2014-11-25
9
Medium Priority
?
626 Views
Last Modified: 2014-11-26
Hello, over the last couple of days I have been setting up a test network that I am going to use for penetration testing but have gotten stuck completing the final connection.

I have full connectivity between all areas of the network except the Workstation (10.3.1.50) cannot ping to any of the internal servers (Domain Controller, Syslog, SQL, etc).  However, when issuing pings from the internal servers to the Workstation, all of them succeed.  All of the OS Firewalls have been disabled no I am pretty sure that is not causing the problem.  Any help or suggestions would be greatly appreciated.

Network Topology
Successful ping from Domain Controller (10.3.2.4) to Workstation (10.3.1.50)
http://s30.postimg.org/u5p5077xd/dcping.jpg

Failed ping from Workstation (10.3.1.50) to Domain Controller (10.3.2.4)
[img]http://s12.postimg.org/5vs7hddal/pingfail.jpg[/img]


ASA1 Configuration
ASA Version 8.4(2)
!
hostname ASA
enable password
!
interface GigabitEthernet0
 nameif workstations
 security-level 100
 ip address 10.3.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 100
 ip address 172.1.0.3 255.255.255.0
!
interface GigabitEthernet2
 nameif DMZ
 security-level 100
 ip address 10.4.2.3 255.255.255.0
!
interface GigabitEthernet3
 nameif inside
 security-level 100
 ip address 172.17.0.3 255.255.255.0
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network dmz-net
 subnet 10.4.2.0 255.255.255.0
object network workstations
 subnet 10.3.1.0 255.255.255.0
object network internal-out
 subnet 172.17.0.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
mtu workstations 1500
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network dmz-net
 nat (DMZ,outside) dynamic interface
object network workstations
 nat (workstations,outside) dynamic interface
object network internal-out
 nat (inside,outside) dynamic interface
access-group outside_access_in global
route outside 0.0.0.0 0.0.0.0 172.1.0.2 1
route outside 10.3.2.0 255.255.255.0 172.17.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable

SW1 Configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VLAN_SW1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
vtp mode transparent
archive
 log config
  hidekeys
!
vlan 3,6,99
!
ip tcp synwait-time 5
ip ssh version 1
!
interface FastEthernet0/0
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
 switchport mode trunk
 speed 100
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
 switchport mode trunk
 speed 100
!
interface FastEthernet1/15
 switchport mode trunk
 speed 100
!
interface Vlan1
 no ip address
 no ip route-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.17.0.3
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

ASA2 Configuration
ASA Version 8.4(2)
!
hostname ASA2
!
interface GigabitEthernet0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0.1
 vlan 6
 nameif vlan6
 security-level 100
 ip address 10.3.2.2 255.255.255.0
!
interface GigabitEthernet0.2
 vlan 4
 nameif vlan4
 security-level 100
 ip address 10.4.1.2 255.255.255.0
!
interface GigabitEthernet0.3
 vlan 99
 nameif vlan99
 security-level 100
 ip address 10.99.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 100
 ip address 172.17.0.2 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network core-servers
 subnet 10.3.2.0 255.255.255.0
object network dist-servers
 subnet 10.4.1.0 255.255.255.0
object network management
 subnet 10.99.1.0 255.255.255.0
object network workstations
 subnet 10.3.1.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
mtu vlan6 1500
mtu vlan4 1500
mtu vlan99 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network core-servers
 nat (vlan6,outside) dynamic interface
object network dist-servers
 nat (vlan4,outside) dynamic interface
object network management
 nat (vlan99,outside) dynamic interface
access-group outside_access_in global
route outside 0.0.0.0 0.0.0.0 172.17.0.3 1
route outside 10.3.1.0 255.255.255.0 172.17.0.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.99.1.0 255.255.255.0 vlan99
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.99.1.0 255.255.255.0 vlan99
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:9eae54d930f4597bb9335da9ef7e98cc
: end

SW_INT Configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW_INT
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
vtp mode transparent
archive
 log config
  hidekeys
!
vlan 3-4,6,99
!
ip tcp synwait-time 5
ip ssh version 1
!
interface FastEthernet0/0
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
 switchport access vlan 6
 duplex full
 speed 100
!
interface FastEthernet1/4
 switchport access vlan 4
 duplex full
 speed 100
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
 switchport access vlan 99
 duplex full
 speed 100
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
 switchport mode trunk
!
interface Vlan1
 no ip address
 no ip route-cache
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
0
Comment
Question by:Draft2007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40465477
by default ICMP is blocked on the inside interface.

if you want to allow it (and all traffic in is permitted), then you'll need to create and access-list permitting all IP and ICMP and apply it to the inside interface.
0
 

Author Comment

by:Draft2007
ID: 40465724
Thank you for your response.

I have applied the following access-lists to the inside interface (vlan6) and am still not able to ping from Workstation(10.3.1.50) to Domain Controller (10.3.2.4).  I am able to ping from Workstation to ASA2 outside interface (172.17.02) so I know that it is at least reaching the ASA2.

ASA2
access-list workstations_icmp extended permit icmp any any
access-group workstations_imcp in interface vlan6

What has me really confused is that I can ping from the Web Server to the Workstation through ASA1 without any problems.  This is essentially the same direction (from side interface down into an internal subinterface).  In the ASA1 configuration, the only access-list that I have applied is the following:

access-list outside_access_in extended permit ip any any
access-group outside_access_in global

With this access list on ASA1 I am able to ping through both directions, yet I have the same exact access list on ASA2 but can only ping from internal to external systems.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40465746
you cannot ping internal to internal on ASA2?  have you verified that the workstations are not blocking ICMP with [Windows] firewall?
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 

Author Comment

by:Draft2007
ID: 40465789
I am able to ping internal to internal (ex: between SQL and DC) in both directions.  Also, each of the internal systems on ASA2 can reach the workstation but the workstation can't reach any of them.  I have also verified numerous times that none of the Windows firewalls are turned on.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40465802
pinging internally to internally should just work.  have you tried wireshark on workstation to see if the packets are reaching it?
0
 

Author Comment

by:Draft2007
ID: 40465854
When looking at the packets on wireshark, there is no traffic sourced from 10.3.1.50 that reaches the link between ASA2 interface g0.1  and the Domain Controller when pinging the Domain Controller from the Workstation.  The Workstation can reach ASA interface g1 just fine when pinging so I'm thinking the problem has to be related to the transfer between ASA2 g1 and ASA2 g0.1.
0
 

Author Comment

by:Draft2007
ID: 40466136
To attempt to isolate the problem further, I switched out the SW1 with a standard SW that is not configurable (to eliminate all vlans) and moved the Domain controller from behind SW_INT to ASA2 g3.  After configuring the ASA2 g3 to the same ip and nat config as it was previously configured with ASA2 g0.1 I am able to get the same connectivity out from Domain Controller to the Workstation and also to the DMZ.  This has led me to believe that the issue is not VLAN related.

Traffic from the Domain Controller and other internal servers is natted to the outside (g1) interface and shows a source of 172.17.0.2 when pinging to the Workstation.  Traffic from the Workstation is not natted to the ASA2 so I am wondering if maybe the problem is related to NAT?  Also there is no NAT on the traffic in either direction between the Workstation and DMZ.  Again, both the Workstation and DMZ can ping eachother but neither  can ping internally into the Domain Controller.  

I also ran debug icmp on both ASA1 and ASA2 during a failed ping from Workstation (10.3.1.50) to Domain(10.3.2.4)
ASA1
ASA1debug
ASA2
ASA2debug
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 2000 total points
ID: 40467075
Do this and try pinging (on ASA2):

sysopt noproxyarp inside
0
 

Author Comment

by:Draft2007
ID: 40467480
Thank you for your response.  I was able to correct the issue by removing NAT from both of the ASAs and configuring EIGRP to map the correct routes.  I now have full connectivity, thank you for your help!
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses
Course of the Month11 days, 18 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question