Re: what Am I missing?

From: Dane Newman (dane.newman@gmail.com)
Date: Sun Jun 15 2008 - 20:11:38 ART


Can I ask what would be the thinking behind putting that? I say in a
further problem there was a static nat entry for 204.12.6.254 (the
backbone router) but that's after we added

nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface

Rack1ASA2/ContextA(config)# static (inside,outside) 204.12.6.13 204.12.6.13 ne$
Rack1ASA2/ContextA(config)#
SCRack6AS>7
[Resuming connection 7 to SW1 ... ]

Rack1SW1#
Rack1SW1#show ip route 204.12.6.13
Routing entry for 204.12.6.0/24
  Known via "static", distance 1, metric 0
  Redistributing via ospf 1
  Advertised by ospf 1 subnets
  Routing Descriptor Blocks:
  * 132.1.137.113
      Route metric is 0, traffic share count is 1

Rack1SW1#ping 204.12.6.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Rack1SW1#

On 6/15/08, Joseph Brunner <joe@affirmedsystems.com> wrote:
> try this
>
> static (inside, outside) 204.12.6.13 204.12.6.13 netmask 255.255.255.255
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Dane
> Newman
> Sent: Sunday, June 15, 2008 6:10 PM
> To: Joseph Brunner
> Cc: Cisco certification
> Subject: Re: what Am I missing?
>
> Forgive my confusion, but I am not trying to NAT; in the ASA config I
> didn't have any NAT configured. I can successfully ping each connected
> interface. The ASA has a default route pointing to switch1's vlan
> interface 137. When I debug ip packet on the switch1 after I try to
> ping the inside interface of the ASA I can see it sending the packets
> to the ASA (132.1.137.113). I'm sure this is something really dumb I am
> missing here ;(
>
> On 6/15/08, Joseph Brunner <joe@affirmedsystems.com> wrote:
>> Debug and look for the connection failing. NAT is required unless it's
>> exempted with nat 0, identity NAT, etc.
>>
>>
>>
>> If you want to Safari the book, check pages 323 to 327.
>>
>>
>>
>> _____
>>
>> From: Dane Newman [mailto:dane.newman@gmail.com]
>> Sent: Sunday, June 15, 2008 5:41 PM
>> To: Joseph Brunner
>> Cc: Cisco certification
>> Subject: Re: what Am I missing?
>>
>>
>>
>> Thanks for the Reply Joseph.
>>
>> I added that and it still does not ping
>>
>> "same-security-traffic permit intra-interface" on contextA
>>
>> where access-list ping-reply permit icmp host 204.12.6.13 any
>>
>>
>>
>> access-list OUTSIDE_IN extended permit icmp any any log
>> access-list OUTSIDE_IN extended permit icmp any any echo
>> access-list OUTSIDE_IN extended permit icmp any any echo-reply
>> access-list OUTSIDE_IN extended permit tcp any any eq bgp
>> access-list OUTSIDE_IN extended permit tcp any eq bgp any
>>
>> This would not suffice?
>>
>> On Sun, Jun 15, 2008 at 5:00 PM, Joseph Brunner <joe@affirmedsystems.com>
>> wrote:
>>
>> I suggest you pick up a copy of the "Cisco ASA, PIX and FWSM Firewall
>> Handbook" by David Hucaby
>>
>> I would check out the chapter on address translation.
>>
>> I don't have my asa's with me, but try
>>
>> "same-security-traffic permit intra-interface" on contextA
>>
>> also look at nat 0 access-list ping-reply
>>
>> where access-list ping-reply permit icmp host 204.12.6.13 any
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Dane Newman
>> Sent: Sunday, June 15, 2008 4:11 PM
>> To: Cisco certification
>> Subject: what Am I missing?
>>
>> I have ASA2 configured with two contexts. ContextA and B both share the
>> outside interface of ASA2. I made sure to put in the system context
>> mac-address auto command. ASA2 is directly connected to switch1 on fa0/15.
>> I am able to ping the outside interface of contextA from switch 1 but not
>> able to ping the inside interface of contextA as shown in the output below.
>> Could someone suggest what I am missing?
>>
>>
>> Rack1SW1#ping 204.12.6.13
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
>> .....
>> Success rate is 0 percent (0/5)
>>
>> Rack1ASA2/ContextA# show run
>> : Saved
>> :
>> ASA Version 7.2(3) <context>
>> !
>> hostname ContextA
>> domain-name internetworkexpert.com
>> enable password 8Ry2YjIyt7RRXU24 encrypted
>> names
>> !
>> interface outsideA
>> nameif outside
>> security-level 0
>> ip address 132.1.137.113 255.255.255.0
>> !
>> interface insideA
>> nameif Inside
>> security-level 100
>> ip address 204.12.6.13 255.255.255.0
>> !
>> passwd 2KFQnbNIdI.2KYOU encrypted
>> dns server-group DefaultDNS
>> domain-name internetworkexpert.com
>> access-list OUTSIDE_IN extended permit icmp any any log
>> access-list OUTSIDE_IN extended permit icmp any any echo
>> access-list OUTSIDE_IN extended permit icmp any any echo-reply
>> access-list OUTSIDE_IN extended permit tcp any any eq bgp
>> access-list OUTSIDE_IN extended permit tcp any eq bgp any
>> logging console debugging
>> mtu outside 1500
>> mtu Inside 1500
>> icmp unreachable rate-limit 1 burst-size 1
>> no asdm history enable
>> arp timeout 14400
>> access-group OUTSIDE_IN in interface outside
>> route outside 0.0.0.0 0.0.0.0 132.1.137.7 1
>> timeout xlate 3:00:00
>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
>> 0:05:00
>> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
>> 0:02:00
>> timeout uauth 0:05:00 absolute
>> aaa authentication ssh console LOCAL
>> no snmp-server location
>> no snmp-server contact
>> telnet timeout 5
>> ssh 132.1.170.0 255.255.255.0 outside
>> ssh timeout 5
>> !
>> class-map inspection_default
>> match default-inspection-traffic
>> !
>> !
>> policy-map type inspect dns preset_dns_map
>> parameters
>> message-length maximum 512
>> policy-map global_policy
>> class inspection_default
>> inspect dns preset_dns_map
>> inspect ftp
>> inspect h323 h225
>> inspect h323 ras
>> inspect netbios
>> inspect rsh
>> inspect rtsp
>> inspect skinny
>> inspect esmtp
>> inspect sqlnet
>> inspect sunrpc
>> inspect tftp
>> inspect sip
>> inspect xdmcp
>> inspect icmp
>> !
>> service-policy global_policy global
>> username ADMIN password 0Fiyt7Ojpuvbkp7l encrypted
>> Cryptochecksum:4818558e3f200ea02f7b6b397155d9fd
>> : end
>> Rack1ASA2/ContextA#
>>
>>
>> Rack1SW1#show run
>> Building configuration...
>> Current configuration : 3297 bytes
>> !
>> version 12.2
>> no service pad
>> service timestamps debug uptime
>> service timestamps log uptime
>> no service password-encryption
>> !
>> hostname Rack1SW1
>> !
>> enable password cisco
>> !
>> no aaa new-model
>> ip subnet-zero
>> ip routing
>> !
>> no ip domain-lookup
>> !
>> !
>> !
>> no file verify auto
>> spanning-tree mode pvst
>> spanning-tree extend system-id
>> !
>> !
>> !
>> vlan internal allocation policy ascending
>> !
>> !
>> interface Loopback0
>> ip address 150.1.7.7 255.255.255.0
>> !
>> interface FastEthernet0/1
>> switchport access vlan 170
>> switchport mode access
>> !
>> interface FastEthernet0/2
>> switchport access vlan 29
>> switchport mode access
>> !
>> interface FastEthernet0/3
>> switchport access vlan 3
>> switchport mode access
>> !
>> interface FastEthernet0/4
>> switchport access vlan 4
>> switchport mode access
>> !
>> interface FastEthernet0/5
>> switchport access vlan 115
>> switchport mode access
>> !
>> interface FastEthernet0/6
>> switchport access vlan 69
>> switchport mode access
>> !
>> interface FastEthernet0/7
>> switchport mode dynamic desirable
>> !
>> interface FastEthernet0/8
>> switchport mode dynamic desirable
>> !
>> interface FastEthernet0/9
>> switchport access vlan 29
>> switchport mode access
>> !
>> interface FastEthernet0/10
>> switchport access vlan 170
>> switchport mode access
>> !
>> interface FastEthernet0/11
>> switchport access vlan 112
>> switchport mode access
>> !
>> interface FastEthernet0/12
>> switchport mode dynamic desirable
>> !
>> interface FastEthernet0/13
>> switchport access vlan 9
>> switchport mode access
>> !
>> interface FastEthernet0/14
>> switchport mode dynamic desirable
>> !
>> interface FastEthernet0/15
>> switchport access vlan 133
>> switchport mode access
>> !
>> interface FastEthernet0/16
>> switchport mode dynamic desirable
>> !
>> interface FastEthernet0/17
>> switchport mode dynamic desirable
>> !
>> interface FastEthernet0/18
>> switchport mode dynamic desirable
>> !
>> interface FastEthernet0/19
>> switchport mode dynamic desirable
>> !
>> interface FastEthernet0/20
>> switchport access vlan 9
>> switchport mode access
>> !
>> interface FastEthernet0/21
>> switchport mode dynamic desirable
>> !
>> interface FastEthernet0/22
>> switchport mode dynamic desirable
>> !
>> interface FastEthernet0/23
>> switchport trunk encapsulation isl
>> switchport mode trunk
>> !
>> interface FastEthernet0/24
>> switchport access vlan 133
>> switchport mode access
>> !
>> interface GigabitEthernet0/1
>> switchport mode dynamic desirable
>> !
>> interface GigabitEthernet0/2
>> switchport mode dynamic desirable
>> !
>> interface Vlan1
>> no ip address
>> shutdown
>> !
>> interface Vlan137
>> ip address 132.1.137.7 255.255.255.0
>> !
>> interface Vlan170
>> ip address 132.1.170.7 255.255.255.0
>> !
>> router ospf 1
>> router-id 150.1.7.7
>> log-adjacency-changes
>> redistribute connected subnets
>> redistribute static subnets
>> network 132.1.137.7 0.0.0.0 area 170
>> network 132.1.170.7 0.0.0.0 area 170
>> network 150.1.7.7 0.0.0.0 area 170
>> !
>> router bgp 100
>> no synchronization
>> bgp router-id 150.1.7.7
>> bgp log-neighbor-changes
>> neighbor 150.1.2.2 remote-as 100
>> neighbor 150.1.2.2 update-source Loopback0
>> neighbor 204.12.6.254 remote-as 54
>> neighbor 204.12.6.254 ebgp-multihop 255
>> no auto-summary
>> !
>> ip classless
>> ip route 132.1.138.0 255.255.255.0 132.1.137.213
>> ip route 204.12.6.0 255.255.255.0 132.1.137.113
>> ip http server
>> ip http secure-server
>> !
>> !
>> !
>> !
>> !
>> control-plane
>> !
>> !
>> line con 0
>> exec-timeout 0 0
>> privilege level 15
>> logging synchronous
>> line vty 0 4
>> password cisco
>> login
>> line vty 5 15
>> password cisco
>> login
>> !
>> !
>> end
>>
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
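An added config-lint in Python, not code from this thread or from Cisco, that mechanically checks the two things Joseph's replies point at: whether each nameif in the context has any nat/static/nat 0 rule naming it (required when nat-control is on), and whether the ACL applied inbound permits every ICMP type from anywhere. The constructed CONTEXT_A string is an excerpt of the ContextA running-config quoted above; the advice strings, the "not shown" status and the `lint`/`report` names are this example's own.

```python
import re

# Constructed excerpt of the thread's ContextA config (timeouts/inspection lines omitted).
CONTEXT_A = """\
interface outsideA
 nameif outside
 ip address 132.1.137.113 255.255.255.0
interface insideA
 nameif Inside
 ip address 204.12.6.13 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any log
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit tcp any any eq bgp
access-group OUTSIDE_IN in interface outside
"""

NAMEIF = re.compile(r"^\s*nameif\s+(\S+)", re.M)
# Real-side interface of 'nat (if) ...' / 'static (real_if,mapped_if) ...'
XLATE = re.compile(r"^\s*(?:nat|static)\s+\(\s*([^,)]+?)\s*[,)]", re.M)
# 'permit icmp any any' with no ICMP type at all
ICMP_ANY = re.compile(r"^\s*access-list\s+(\S+)\s+extended\s+permit\s+icmp\s+any\s+any(?:\s+log\b.*)?\s*$", re.M)
ACCESS_GROUP = re.compile(r"^\s*access-group\s+(\S+)\s+in\s+interface", re.M)
NAT_CONTROL = re.compile(r"^\s*(no\s+)?nat-control\s*$", re.M)

def lint(config):
    """Per-interface translation coverage, broad inbound ICMP permits, nat-control state."""
    interfaces = NAMEIF.findall(config)
    covered = {m.group(1).lower() for m in XLATE.finditer(config)}
    applied = set(ACCESS_GROUP.findall(config))
    nc = NAT_CONTROL.search(config)   # absent in 'show run' = default; check 'show running-config all'
    return {
        "uncovered": [i for i in interfaces if i.lower() not in covered],
        "broad_icmp": [m.group(1) for m in ICMP_ANY.finditer(config) if m.group(1) in applied],
        "nat_control": "not shown" if nc is None else ("disabled" if nc.group(1) else "enabled"),
    }

def report(config):
    r = lint(config)
    out = [f"nat-control: {r['nat_control']}"]
    out += [f"{i}: no nat/static/nat 0 rule names this interface; with nat-control its hosts are "
            f"dropped until e.g. 'static ({i},<other>) <ip> <ip> netmask 255.255.255.255' or "
            f"'nat ({i}) 0 access-list <acl>' exists" for i in r["uncovered"]]
    out += [f"{a}: inbound 'permit icmp any any' admits every ICMP type; restrict to the types "
            "and hosts needed" for a in r["broad_icmp"]]
    return out

if __name__ == "__main__":
    print("\n".join(report(CONTEXT_A)))
    fixed = CONTEXT_A + "static (inside,outside) 204.12.6.13 204.12.6.13 netmask 255.255.255.255\n"
    print("after the thread's identity static, uncovered:", lint(fixed)["uncovered"])
```

A clean lint is not proof on its own: the ASA does not answer pings sent to one of its interface addresses from a host on a different interface, so the SW1 ping to 204.12.6.13 exercises routing and translation rather than the inside interface itself.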



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART