RE: what Am I missing?

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Sun Jun 15 2008 - 19:44:13 ART


try this

static (inside, outside) 204.12.6.13 204.12.6.13 netmask 255.255.255.255

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Dane Newman
Sent: Sunday, June 15, 2008 6:10 PM
To: Joseph Brunner
Cc: Cisco certification
Subject: Re: what Am I missing?

Forgive my confusion, but I am not trying to NAT; in the ASA config I
didn't have any NAT configured. I can successfully ping each connected
interface. The ASA has a default route pointing to switch1's VLAN
interface 137. When I debug ip packet on switch1 after I try to
ping the inside interface of the ASA, I can see it sending the packets
to the ASA (132.1.137.113). I'm sure this is something really dumb I am
missing here ;(

On 6/15/08, Joseph Brunner <joe@affirmedsystems.com> wrote:
> Debug and look for the connection failing. NAT is required unless it's
> exempted with nat 0, identity NAT, etc.
>
>
>
> if you want to safari the book, check pages 323 to 327
>
>
>
> _____
>
> From: Dane Newman [mailto:dane.newman@gmail.com]
> Sent: Sunday, June 15, 2008 5:41 PM
> To: Joseph Brunner
> Cc: Cisco certification
> Subject: Re: what Am I missing?
>
>
>
> Thanks for the Reply Joseph.
>
> I added that and it still does not ping
>
> "same-security-traffic permit intra-interface" on contextA
>
> where access-list ping-reply permit icmp host 204.12.6.13 any
>
>
>
> access-list OUTSIDE_IN extended permit icmp any any log
> access-list OUTSIDE_IN extended permit icmp any any echo
> access-list OUTSIDE_IN extended permit icmp any any echo-reply
> access-list OUTSIDE_IN extended permit tcp any any eq bgp
> access-list OUTSIDE_IN extended permit tcp any eq bgp any
>
> This would not suffice?
>
> On Sun, Jun 15, 2008 at 5:00 PM, Joseph Brunner <joe@affirmedsystems.com>
> wrote:
>
> I suggest you pick up a copy of the "cisco asa, pix and fwsm firewall
> handbook" by David Hucaby
>
> I would check out the chapter on address translation.
>
> I don't have my asa's with me, but try
>
> "same-security-traffic permit intra-interface" on contextA
>
> also look at nat 0 access-list ping-reply
>
> where access-list ping-reply permit icmp host 204.12.6.13 any
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Dane Newman
> Sent: Sunday, June 15, 2008 4:11 PM
> To: Cisco certification
> Subject: what Am I missing?
>
> I have ASA2 configured with two contexts. ContextA and B both share the
> outside interface of ASA2. I made sure to put in the system context
> mac-address auto command. ASA2 is directly connected to switch1 on fa0/15.
> I am able to ping the outside interface of contextA from switch 1 but not
> able to ping the inside interface of contextA as shown in the output below.
> Could someone suggest what I am missing?
>
>
> Rack1SW1#ping 204.12.6.13
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> Rack1ASA2/ContextA# show run
> : Saved
> :
> ASA Version 7.2(3) <context>
> !
> hostname ContextA
> domain-name internetworkexpert.com
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface outsideA
> nameif outside
> security-level 0
> ip address 132.1.137.113 255.255.255.0
> !
> interface insideA
> nameif Inside
> security-level 100
> ip address 204.12.6.13 255.255.255.0
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> dns server-group DefaultDNS
> domain-name internetworkexpert.com
> access-list OUTSIDE_IN extended permit icmp any any log
> access-list OUTSIDE_IN extended permit icmp any any echo
> access-list OUTSIDE_IN extended permit icmp any any echo-reply
> access-list OUTSIDE_IN extended permit tcp any any eq bgp
> access-list OUTSIDE_IN extended permit tcp any eq bgp any
> logging console debugging
> mtu outside 1500
> mtu Inside 1500
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> access-group OUTSIDE_IN in interface outside
> route outside 0.0.0.0 0.0.0.0 132.1.137.7 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
> 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
> 0:02:00
> timeout uauth 0:05:00 absolute
> aaa authentication ssh console LOCAL
> no snmp-server location
> no snmp-server contact
> telnet timeout 5
> ssh 132.1.170.0 255.255.255.0 outside
> ssh timeout 5
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect netbios
> inspect rsh
> inspect rtsp
> inspect skinny
> inspect esmtp
> inspect sqlnet
> inspect sunrpc
> inspect tftp
> inspect sip
> inspect xdmcp
> inspect icmp
> !
> service-policy global_policy global
> username ADMIN password 0Fiyt7Ojpuvbkp7l encrypted
> Cryptochecksum:4818558e3f200ea02f7b6b397155d9fd
> : end
> Rack1ASA2/ContextA#
>
>
> Rack1SW1#show run
> Building configuration...
> Current configuration : 3297 bytes
> !
> version 12.2
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Rack1SW1
> !
> enable password cisco
> !
> no aaa new-model
> ip subnet-zero
> ip routing
> !
> no ip domain-lookup
> !
> !
> !
> no file verify auto
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> !
> !
> vlan internal allocation policy ascending
> !
> !
> interface Loopback0
> ip address 150.1.7.7 255.255.255.0
> !
> interface FastEthernet0/1
> switchport access vlan 170
> switchport mode access
> !
> interface FastEthernet0/2
> switchport access vlan 29
> switchport mode access
> !
> interface FastEthernet0/3
> switchport access vlan 3
> switchport mode access
> !
> interface FastEthernet0/4
> switchport access vlan 4
> switchport mode access
> !
> interface FastEthernet0/5
> switchport access vlan 115
> switchport mode access
> !
> interface FastEthernet0/6
> switchport access vlan 69
> switchport mode access
> !
> interface FastEthernet0/7
> switchport mode dynamic desirable
> !
> interface FastEthernet0/8
> switchport mode dynamic desirable
> !
> interface FastEthernet0/9
> switchport access vlan 29
> switchport mode access
> !
> interface FastEthernet0/10
> switchport access vlan 170
> switchport mode access
> !
> interface FastEthernet0/11
> switchport access vlan 112
> switchport mode access
> !
> interface FastEthernet0/12
> switchport mode dynamic desirable
> !
> interface FastEthernet0/13
> switchport access vlan 9
> switchport mode access
> !
> interface FastEthernet0/14
> switchport mode dynamic desirable
> !
> interface FastEthernet0/15
> switchport access vlan 133
> switchport mode access
> !
> interface FastEthernet0/16
> switchport mode dynamic desirable
> !
> interface FastEthernet0/17
> switchport mode dynamic desirable
> !
> interface FastEthernet0/18
> switchport mode dynamic desirable
> !
> interface FastEthernet0/19
> switchport mode dynamic desirable
> !
> interface FastEthernet0/20
> switchport access vlan 9
> switchport mode access
> !
> interface FastEthernet0/21
> switchport mode dynamic desirable
> !
> interface FastEthernet0/22
> switchport mode dynamic desirable
> !
> interface FastEthernet0/23
> switchport trunk encapsulation isl
> switchport mode trunk
> !
> interface FastEthernet0/24
> switchport access vlan 133
> switchport mode access
> !
> interface GigabitEthernet0/1
> switchport mode dynamic desirable
> !
> interface GigabitEthernet0/2
> switchport mode dynamic desirable
> !
> interface Vlan1
> no ip address
> shutdown
> !
> interface Vlan137
> ip address 132.1.137.7 255.255.255.0
> !
> interface Vlan170
> ip address 132.1.170.7 255.255.255.0
> !
> router ospf 1
> router-id 150.1.7.7
> log-adjacency-changes
> redistribute connected subnets
> redistribute static subnets
> network 132.1.137.7 0.0.0.0 area 170
> network 132.1.170.7 0.0.0.0 area 170
> network 150.1.7.7 0.0.0.0 area 170
> !
> router bgp 100
> no synchronization
> bgp router-id 150.1.7.7
> bgp log-neighbor-changes
> neighbor 150.1.2.2 remote-as 100
> neighbor 150.1.2.2 update-source Loopback0
> neighbor 204.12.6.254 remote-as 54
> neighbor 204.12.6.254 ebgp-multihop 255
> no auto-summary
> !
> ip classless
> ip route 132.1.138.0 255.255.255.0 132.1.137.213
> ip route 204.12.6.0 255.255.255.0 132.1.137.113
> ip http server
> ip http secure-server
> !
> !
> !
> !
> !
> control-plane
> !
> !
> line con 0
> exec-timeout 0 0
> privilege level 15
> logging synchronous
> line vty 0 4
> password cisco
> login
> line vty 5 15
> password cisco
> login
> !
> !
> end
>
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
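The thread argues about two separate gates a packet entering ContextA's outside interface has to pass: the inbound ACL (OUTSIDE_IN) and the translation requirement (identity `static` or `nat 0` exemption). The script below is an added example written for this archive page, not a Cisco tool and not code from anyone in the thread. It parses the policy-relevant lines quoted above (the ACL, its `access-group` binding, and the two suggested NAT fixes, copied here as constructed input) and answers both questions for a flow. It models only the constructs the thread uses (`any`/`host`/net-mask addresses, `eq` ports, ICMP types, identity `static`, `nat ... 0 access-list`); security levels, object-groups and NAT ordering are out of scope. It also checks only the policy side: an ASA does not answer echo requests addressed to an interface the packet did not arrive on (the "far side" interface), which no ACL or NAT model can see.

```python
"""Static policy check for an ASA 7.x context (added example, not a Cisco tool):
does the ACL bound inbound on an interface permit a flow, and is the inside
destination covered by an identity static or a nat 0 exemption?"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[str]   # e.g. "eq bgp"; None = any source port
    qualifier: Optional[str]  # dst port ("eq bgp") or ICMP type ("echo"); None = any


@dataclass
class AsaPolicy:
    acls: dict = field(default_factory=lambda: defaultdict(list))
    bindings: dict = field(default_factory=dict)          # (interface, dir) -> ACL name
    identity_static: list = field(default_factory=list)   # networks from "static X X"
    nat0_acls: list = field(default_factory=list)         # ACL names used by "nat ... 0"


def _addr(t):
    """Consume one ASA address spec (any | host A | NET MASK); return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]


def _port(t):
    """Consume an optional port operator; only exact string matches are modelled."""
    if t and t[0] in ("eq", "lt", "gt", "neq"):
        return " ".join(t[:2]), t[2:]
    return None, t


def parse_asa(text: str) -> AsaPolicy:
    pol = AsaPolicy()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 5:
            # "access-list NAME extended permit ..." or the short "access-list NAME permit ..."
            if t[2] == "extended":
                i = 3
            elif t[2] in ("permit", "deny"):
                i = 2
            else:
                continue                              # standard/remark lines: not modelled
            action, proto = t[i], t[i + 1]
            src, rest = _addr(t[i + 2:])
            sport, rest = _port(rest)
            dst, rest = _addr(rest)
            rest = [x for x in rest if x != "log"]    # trailing "log" keyword is not a match field
            pol.acls[t[1]].append(Ace(action, proto, src, dst, sport, " ".join(rest) or None))
        elif t[0] == "access-group" and len(t) >= 5 and t[3] == "interface":
            pol.bindings[(t[4], t[2])] = t[1]         # access-group NAME in interface IFACE
        elif t[0] == "static" and len(t) >= 4:
            real, mapped = t[2], t[3]                 # static (in,out) REAL MAPPED [netmask M]
            mask = t[5] if len(t) >= 6 and t[4] == "netmask" else "255.255.255.255"
            if real == mapped:                        # identity translation
                pol.identity_static.append(ipaddress.ip_network(f"{real}/{mask}", strict=False))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            pol.nat0_acls.append(t[4])                # nat (iface) 0 access-list NAME
    return pol


def acl_permits(pol, acl, proto, src, dst, sport=None, qual=None) -> bool:
    """First-match evaluation with the ASA's implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in pol.acls.get(acl, []):
        if ace.proto not in (proto, "ip") or s not in ace.src or d not in ace.dst:
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.qualifier is not None and ace.qualifier != qual:
            continue
        return ace.action == "permit"
    return False


def inbound_permitted(pol, iface, proto, src, dst, sport=None, qual=None) -> bool:
    """Evaluate the ACL bound inbound on IFACE; with no ACL bound, report denied
    (the default for traffic entering a lower-security interface)."""
    acl = pol.bindings.get((iface, "in"))
    return acl is not None and acl_permits(pol, acl, proto, src, dst, sport, qual)


def nat_covers(pol, inside_host) -> bool:
    """True when an identity static covers the inside host, or a nat 0 exemption ACL
    names it as source (nat 0 ACLs are written from the inside host's point of view)."""
    h = ipaddress.ip_address(inside_host)
    if any(h in net for net in pol.identity_static):
        return True
    return any(ace.action == "permit" and h in ace.src
               for name in pol.nat0_acls for ace in pol.acls.get(name, []))


def check_ping(pol, outside_src, inside_host) -> dict:
    """Both gates for an echo request arriving on 'outside' toward an inside address."""
    return {"acl_permits_echo": inbound_permitted(pol, "outside", "icmp", outside_src, inside_host, qual="echo"),
            "nat_covered": nat_covers(pol, inside_host)}


# Constructed input: the policy-relevant ContextA lines quoted in the thread.
CONTEXT_A = """
access-list OUTSIDE_IN extended permit icmp any any log
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit tcp any any eq bgp
access-list OUTSIDE_IN extended permit tcp any eq bgp any
access-group OUTSIDE_IN in interface outside
"""
# The two fixes proposed in the thread, appended to the same base config.
WITH_STATIC = CONTEXT_A + "static (Inside,outside) 204.12.6.13 204.12.6.13 netmask 255.255.255.255\n"
WITH_NAT0 = CONTEXT_A + ("access-list ping-reply permit icmp host 204.12.6.13 any\n"
                         "nat (Inside) 0 access-list ping-reply\n")

if __name__ == "__main__":
    for label, cfg in (("as posted", CONTEXT_A), ("with static", WITH_STATIC), ("with nat 0", WITH_NAT0)):
        print(label, check_ping(parse_asa(cfg), "132.1.137.7", "204.12.6.13"))
```

Run as-is it reports that the ACL already permits the echo in every variant (the first `permit icmp any any log` entry matches any ICMP type, so the later `echo`/`echo-reply` entries never fire), while `nat_covered` is false for the posted config and true once either the identity static or the `nat 0` exemption is added; that is exactly the split the replies above are debating.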



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART