From: Dane Newman (dane.newman@gmail.com)
Date: Sun Jun 15 2008 - 18:41:05 ART
Thanks for the Reply Joseph.
I added that and it still does not ping
"same-security-traffic permit intra-interface" on contextA
where access-list ping-reply permit icmp host 204.12.6.13 any
access-list OUTSIDE_IN extended permit icmp any any log
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit tcp any any eq bgp
access-list OUTSIDE_IN extended permit tcp any eq bgp any
This would not suffice?
On Sun, Jun 15, 2008 at 5:00 PM, Joseph Brunner <joe@affirmedsystems.com>
wrote:
> I suggest you pick up a copy of the "cisco asa, pix and fwsm firewall
> handbook" by David Hucaby
>
> I would check out the chapter on address translation.
>
> I don't have my asa's with me, but try
>
> "same-security-traffic permit intra-interface" on contextA
>
> also look at nat 0 access-list ping-reply
>
> where access-list ping-reply permit icmp host 204.12.6.13 any
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Dane
> Newman
> Sent: Sunday, June 15, 2008 4:11 PM
> To: Cisco certification
> Subject: what Am I missing?
>
> I have ASA2 configured with two contexts. ContextA and B both share the
> outside interface of ASA2. I made sure to put in the system context
> mac-address auto command. ASA2 is directly connected to switch1 on fa0/15.
> I am able to ping the outside interface of contextA from switch 1 but not
> able to ping the inside interface of contextA as shown in the output below.
> Could someone suggest what I am missing?
>
>
> Rack1SW1#ping 204.12.6.13
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> Rack1ASA2/ContextA# show run
> : Saved
> :
> ASA Version 7.2(3) <context>
> !
> hostname ContextA
> domain-name internetworkexpert.com
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface outsideA
> nameif outside
> security-level 0
> ip address 132.1.137.113 255.255.255.0
> !
> interface insideA
> nameif Inside
> security-level 100
> ip address 204.12.6.13 255.255.255.0
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> dns server-group DefaultDNS
> domain-name internetworkexpert.com
> access-list OUTSIDE_IN extended permit icmp any any log
> access-list OUTSIDE_IN extended permit icmp any any echo
> access-list OUTSIDE_IN extended permit icmp any any echo-reply
> access-list OUTSIDE_IN extended permit tcp any any eq bgp
> access-list OUTSIDE_IN extended permit tcp any eq bgp any
> logging console debugging
> mtu outside 1500
> mtu Inside 1500
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> access-group OUTSIDE_IN in interface outside
> route outside 0.0.0.0 0.0.0.0 132.1.137.7 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
> 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
> 0:02:00
> timeout uauth 0:05:00 absolute
> aaa authentication ssh console LOCAL
> no snmp-server location
> no snmp-server contact
> telnet timeout 5
> ssh 132.1.170.0 255.255.255.0 outside
> ssh timeout 5
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect netbios
> inspect rsh
> inspect rtsp
> inspect skinny
> inspect esmtp
> inspect sqlnet
> inspect sunrpc
> inspect tftp
> inspect sip
> inspect xdmcp
> inspect icmp
> !
> service-policy global_policy global
> username ADMIN password 0Fiyt7Ojpuvbkp7l encrypted
> Cryptochecksum:4818558e3f200ea02f7b6b397155d9fd
> : end
> Rack1ASA2/ContextA#
>
>
> Rack1SW1#show run
> Building configuration...
> Current configuration : 3297 bytes
> !
> version 12.2
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Rack1SW1
> !
> enable password cisco
> !
> no aaa new-model
> ip subnet-zero
> ip routing
> !
> no ip domain-lookup
> !
> !
> !
> no file verify auto
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> !
> !
> vlan internal allocation policy ascending
> !
> !
> interface Loopback0
> ip address 150.1.7.7 255.255.255.0
> !
> interface FastEthernet0/1
> switchport access vlan 170
> switchport mode access
> !
> interface FastEthernet0/2
> switchport access vlan 29
> switchport mode access
> !
> interface FastEthernet0/3
> switchport access vlan 3
> switchport mode access
> !
> interface FastEthernet0/4
> switchport access vlan 4
> switchport mode access
> !
> interface FastEthernet0/5
> switchport access vlan 115
> switchport mode access
> !
> interface FastEthernet0/6
> switchport access vlan 69
> switchport mode access
> !
> interface FastEthernet0/7
> switchport mode dynamic desirable
> !
> interface FastEthernet0/8
> switchport mode dynamic desirable
> !
> interface FastEthernet0/9
> switchport access vlan 29
> switchport mode access
> !
> interface FastEthernet0/10
> switchport access vlan 170
> switchport mode access
> !
> interface FastEthernet0/11
> switchport access vlan 112
> switchport mode access
> !
> interface FastEthernet0/12
> switchport mode dynamic desirable
> !
> interface FastEthernet0/13
> switchport access vlan 9
> switchport mode access
> !
> interface FastEthernet0/14
> switchport mode dynamic desirable
> !
> interface FastEthernet0/15
> switchport access vlan 133
> switchport mode access
> !
> interface FastEthernet0/16
> switchport mode dynamic desirable
> !
> interface FastEthernet0/17
> switchport mode dynamic desirable
> !
> interface FastEthernet0/18
> switchport mode dynamic desirable
> !
> interface FastEthernet0/19
> switchport mode dynamic desirable
> !
> interface FastEthernet0/20
> switchport access vlan 9
> switchport mode access
> !
> interface FastEthernet0/21
> switchport mode dynamic desirable
> !
> interface FastEthernet0/22
> switchport mode dynamic desirable
> !
> interface FastEthernet0/23
> switchport trunk encapsulation isl
> switchport mode trunk
> !
> interface FastEthernet0/24
> switchport access vlan 133
> switchport mode access
> !
> interface GigabitEthernet0/1
> switchport mode dynamic desirable
> !
> interface GigabitEthernet0/2
> switchport mode dynamic desirable
> !
> interface Vlan1
> no ip address
> shutdown
> !
> interface Vlan137
> ip address 132.1.137.7 255.255.255.0
> !
> interface Vlan170
> ip address 132.1.170.7 255.255.255.0
> !
> router ospf 1
> router-id 150.1.7.7
> log-adjacency-changes
> redistribute connected subnets
> redistribute static subnets
> network 132.1.137.7 0.0.0.0 area 170
> network 132.1.170.7 0.0.0.0 area 170
> network 150.1.7.7 0.0.0.0 area 170
> !
> router bgp 100
> no synchronization
> bgp router-id 150.1.7.7
> bgp log-neighbor-changes
> neighbor 150.1.2.2 remote-as 100
> neighbor 150.1.2.2 update-source Loopback0
> neighbor 204.12.6.254 remote-as 54
> neighbor 204.12.6.254 ebgp-multihop 255
> no auto-summary
> !
> ip classless
> ip route 132.1.138.0 255.255.255.0 132.1.137.213
> ip route 204.12.6.0 255.255.255.0 132.1.137.113
> ip http server
> ip http secure-server
> !
> !
> !
> !
> !
> control-plane
> !
> !
> line con 0
> exec-timeout 0 0
> privilege level 15
> logging synchronous
> line vty 0 4
> password cisco
> login
> line vty 5 15
> password cisco
> login
> !
> !
> end
>
>
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART
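The ACL quoted in the thread is worth checking mechanically before touching NAT. The script below is an added example, not code from either poster or from Cisco: it parses the five OUTSIDE_IN lines exactly as they appear in the ContextA config (quote markers included), evaluates a flow the way the ASA does (first matching ACE wins, implicit deny at the end), and lists ACEs that can never be hit. Run against the echo SW1 sends from its Vlan137 address 132.1.137.7 to 204.12.6.13, it shows the ping is permitted by the very first line, `permit icmp any any log`, so the ACL is not what drops it, and that the `echo` and `echo-reply` lines underneath are shadowed and do nothing. One caveat the ACL cannot show: an ASA only answers ICMP sent to an interface address on the interface that owns that address, so a host on the outside cannot ping the inside interface IP regardless of the access-group (that is why `management-access` exists for the VPN case). The function and helper names, the extra port keywords, and the other sample flows are assumptions of this example.

```python
"""ASA-style access-list evaluator (added example, not from the thread)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the OUTSIDE_IN lines as quoted in the thread.
OUTSIDE_IN_CONFIG = """
> access-list OUTSIDE_IN extended permit icmp any any log
> access-list OUTSIDE_IN extended permit icmp any any echo
> access-list OUTSIDE_IN extended permit icmp any any echo-reply
> access-list OUTSIDE_IN extended permit tcp any any eq bgp
> access-list OUTSIDE_IN extended permit tcp any eq bgp any
"""

# Keyword tables (assumed subset of what the ASA accepts in an ACE).
PORT_NAMES = {"bgp": 179, "ssh": 22, "www": 80, "https": 443}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    icmp_type: Optional[int]
    log: bool
    text: str


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA uses a netmask, not a wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq PORT' operator; return the port number or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES.get(p, int(p) if p.isdigit() else None)
    return None


def parse_acl(config: str, name: str):
    """Return the ACEs of access-list NAME in configuration order."""
    aces = []
    for raw in config.splitlines():
        line = raw.strip().lstrip("> ").strip()  # tolerate quoted e-mail text
        m = re.match(rf"access-list {re.escape(name)} extended (permit|deny) (\S+) (.*)", line)
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, sport = _parse_addr(tokens), _parse_port(tokens)
        dst, dport = _parse_addr(tokens), _parse_port(tokens)
        icmp_type, log = None, False
        for t in tokens:  # trailing keywords: icmp type and/or 'log'
            if t == "log":
                log = True
            elif proto == "icmp" and t in ICMP_TYPES:
                icmp_type = ICMP_TYPES[t]
        aces.append(Ace(action, proto, src, sport, dst, dport, icmp_type, log, line))
    return aces


def evaluate(aces, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """First-match evaluation; returns (action, index, ace_text), index -1 = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, a in enumerate(aces):
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.src_port is not None and a.src_port != sport:
            continue
        if a.dst_port is not None and a.dst_port != dport:
            continue
        if a.icmp_type is not None and a.icmp_type != icmp_type:
            continue
        return a.action, i, a.text
    return "deny", -1, "implicit deny"


def shadowed(aces):
    """Indices of ACEs that an earlier ACE already covers completely (they can never be hit)."""
    out = []
    for i, a in enumerate(aces):
        for b in aces[:i]:
            if (b.proto in ("ip", a.proto) and a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)
                    and b.src_port in (None, a.src_port) and b.dst_port in (None, a.dst_port)
                    and b.icmp_type in (None, a.icmp_type)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    acl = parse_acl(OUTSIDE_IN_CONFIG, "OUTSIDE_IN")
    # SW1 (Vlan137, 132.1.137.7) pinging ContextA's inside address 204.12.6.13.
    print(evaluate(acl, "icmp", "132.1.137.7", "204.12.6.13", icmp_type=8))
    print("shadowed ACEs:", [acl[i].text for i in shadowed(acl)])
    # Assumed BGP and SSH flows to show a port match and the implicit deny.
    print(evaluate(acl, "tcp", "132.1.137.7", "204.12.6.254", sport=40000, dport=179))
    print(evaluate(acl, "tcp", "132.1.137.7", "204.12.6.13", sport=40000, dport=22))
```

The same first-match logic is what `packet-tracer input outside icmp 132.1.137.7 8 0 204.12.6.13` walks through on the box itself, which is the quicker check when you have the ASA in front of you.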