RE: what Am I missing?

From: Hashiru Aminu (hashng@gmail.com)
Date: Mon Jun 16 2008 - 04:13:44 ART


Hi,

I would advise looking at the logs on the ASA with the "show logging" command
to see if the traffic is coming back from the switch, and equally try to
enable icmp permit <the IP address of the icmp reply from the switch> for
the inside interface... I presume you are trying to ping the inside interface
from your mail. From the log, as long as you have all the rules log
the traffic, you will surely see what you are missing.

HTH

Hash

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Luan Nguyen
Sent: Monday, June 16, 2008 7:38 AM
To: Dane Newman
Cc: Cisco certification
Subject: Re: what Am I missing?

Do you have something behind the ASA to ping to, instead of the interface
itself?
Logging console debugging doesn't show anything without logging enable.
Try: packet-tracer input outside icmp 132.1.137.7 8 0 204.12.6.13 detail
and then: packet-tracer input outside icmp 132.1.137.7 8 0 132.1.137.113 detail
and see what's going on.
Also turn on debug icmp trace.
Then change back to single mode and do the same thing.
Maybe you just can't ping the inside interface like that.

-Luan

On Sun, Jun 15, 2008 at 4:11 PM, Dane Newman <dane.newman@gmail.com> wrote:

> I have ASA2 configured with two contexts. ContextA and B both share
> the outside interface of ASA2. I made sure to put in the system
> context mac-address auto command. ASA2 is directly connected to switch1
> on fa0/15.
> I am able to ping the outside interface of contextA from switch 1 but
> not able to ping the inside interface of contextA as shown in the output
> below.
> Could someone suggest what I am missing?
>
>
> Rack1SW1#ping 204.12.6.13
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> Rack1ASA2/ContextA# show run
> : Saved
> :
> ASA Version 7.2(3) <context>
> !
> hostname ContextA
> domain-name internetworkexpert.com
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface outsideA
> nameif outside
> security-level 0
> ip address 132.1.137.113 255.255.255.0
> !
> interface insideA
> nameif Inside
> security-level 100
> ip address 204.12.6.13 255.255.255.0
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> dns server-group DefaultDNS
> domain-name internetworkexpert.com
> access-list OUTSIDE_IN extended permit icmp any any log
> access-list OUTSIDE_IN extended permit icmp any any echo
> access-list OUTSIDE_IN extended permit icmp any any echo-reply
> access-list OUTSIDE_IN extended permit tcp any any eq bgp
> access-list OUTSIDE_IN extended permit tcp any eq bgp any
> logging console debugging
> mtu outside 1500
> mtu Inside 1500
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> access-group OUTSIDE_IN in interface outside
> route outside 0.0.0.0 0.0.0.0 132.1.137.7 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> aaa authentication ssh console LOCAL
> no snmp-server location
> no snmp-server contact
> telnet timeout 5
> ssh 132.1.170.0 255.255.255.0 outside
> ssh timeout 5
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect netbios
> inspect rsh
> inspect rtsp
> inspect skinny
> inspect esmtp
> inspect sqlnet
> inspect sunrpc
> inspect tftp
> inspect sip
> inspect xdmcp
> inspect icmp
> !
> service-policy global_policy global
> username ADMIN password 0Fiyt7Ojpuvbkp7l encrypted
> Cryptochecksum:4818558e3f200ea02f7b6b397155d9fd
> : end
> Rack1ASA2/ContextA#
>
>
> Rack1SW1#show run
> Building configuration...
> Current configuration : 3297 bytes
> !
> version 12.2
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Rack1SW1
> !
> enable password cisco
> !
> no aaa new-model
> ip subnet-zero
> ip routing
> !
> no ip domain-lookup
> !
> !
> !
> no file verify auto
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> !
> !
> vlan internal allocation policy ascending
> !
> !
> interface Loopback0
> ip address 150.1.7.7 255.255.255.0
> !
> interface FastEthernet0/1
> switchport access vlan 170
> switchport mode access
> !
> interface FastEthernet0/2
> switchport access vlan 29
> switchport mode access
> !
> interface FastEthernet0/3
> switchport access vlan 3
> switchport mode access
> !
> interface FastEthernet0/4
> switchport access vlan 4
> switchport mode access
> !
> interface FastEthernet0/5
> switchport access vlan 115
> switchport mode access
> !
> interface FastEthernet0/6
> switchport access vlan 69
> switchport mode access
> !
> interface FastEthernet0/7
> switchport mode dynamic desirable
> !
> interface FastEthernet0/8
> switchport mode dynamic desirable
> !
> interface FastEthernet0/9
> switchport access vlan 29
> switchport mode access
> !
> interface FastEthernet0/10
> switchport access vlan 170
> switchport mode access
> !
> interface FastEthernet0/11
> switchport access vlan 112
> switchport mode access
> !
> interface FastEthernet0/12
> switchport mode dynamic desirable
> !
> interface FastEthernet0/13
> switchport access vlan 9
> switchport mode access
> !
> interface FastEthernet0/14
> switchport mode dynamic desirable
> !
> interface FastEthernet0/15
> switchport access vlan 133
> switchport mode access
> !
> interface FastEthernet0/16
> switchport mode dynamic desirable
> !
> interface FastEthernet0/17
> switchport mode dynamic desirable
> !
> interface FastEthernet0/18
> switchport mode dynamic desirable
> !
> interface FastEthernet0/19
> switchport mode dynamic desirable
> !
> interface FastEthernet0/20
> switchport access vlan 9
> switchport mode access
> !
> interface FastEthernet0/21
> switchport mode dynamic desirable
> !
> interface FastEthernet0/22
> switchport mode dynamic desirable
> !
> interface FastEthernet0/23
> switchport trunk encapsulation isl
> switchport mode trunk
> !
> interface FastEthernet0/24
> switchport access vlan 133
> switchport mode access
> !
> interface GigabitEthernet0/1
> switchport mode dynamic desirable
> !
> interface GigabitEthernet0/2
> switchport mode dynamic desirable
> !
> interface Vlan1
> no ip address
> shutdown
> !
> interface Vlan137
> ip address 132.1.137.7 255.255.255.0
> !
> interface Vlan170
> ip address 132.1.170.7 255.255.255.0
> !
> router ospf 1
> router-id 150.1.7.7
> log-adjacency-changes
> redistribute connected subnets
> redistribute static subnets
> network 132.1.137.7 0.0.0.0 area 170
> network 132.1.170.7 0.0.0.0 area 170
> network 150.1.7.7 0.0.0.0 area 170
> !
> router bgp 100
> no synchronization
> bgp router-id 150.1.7.7
> bgp log-neighbor-changes
> neighbor 150.1.2.2 remote-as 100
> neighbor 150.1.2.2 update-source Loopback0
> neighbor 204.12.6.254 remote-as 54
> neighbor 204.12.6.254 ebgp-multihop 255
> no auto-summary
> !
> ip classless
> ip route 132.1.138.0 255.255.255.0 132.1.137.213
> ip route 204.12.6.0 255.255.255.0 132.1.137.113
> ip http server
> ip http secure-server
> !
> !
> !
> !
> !
> control-plane
> !
> !
> line con 0
> exec-timeout 0 0
> privilege level 15
> logging synchronous
> line vty 0 4
> password cisco
> login
> line vty 5 15
> password cisco
> login
> !
> !
> end
>
>



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART
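
Added example, not part of the original thread or anyone's posted code: a Python check over the ContextA lines quoted above that flags the two conditions raised in the replies, console logging configured without `logging enable`, and an echo aimed at the firewall's own address on an interface other than the one the packet arrives on. The function names are hypothetical, and the far-side rule it encodes (an ASA does not answer pings to the address of an interface other than the ingress one) is general ASA behaviour assumed here, not something the thread establishes.

```python
import ipaddress
import re

# Constructed input: the ContextA lines from the quoted config that matter here.
SAMPLE_CONFIG = """\
interface outsideA
nameif outside
ip address 132.1.137.113 255.255.255.0
!
interface insideA
nameif Inside
ip address 204.12.6.13 255.255.255.0
!
logging console debugging
"""

def parse_interfaces(config):
    """Map each nameif to its ip_interface (address plus mask)."""
    interfaces, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface ") or line == "!":
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif name and (m := re.match(r"ip address (\S+) (\S+)", line)):
            interfaces[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
    return interfaces

def check_ping(config, source_ip, target_ip):
    """Return findings for an echo from source_ip to target_ip (hypothetical helper)."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    src, dst = ipaddress.ip_address(source_ip), ipaddress.ip_address(target_ip)
    interfaces = parse_interfaces(config)
    # Syslog output to any destination needs the global 'logging enable'.
    if any(l.startswith("logging console") for l in lines) and "logging enable" not in lines:
        findings.append("logging console configured without 'logging enable'")
    # Ingress = interface whose connected subnet holds the source (no route lookup).
    ingress = next((n for n, i in interfaces.items() if src in i.network), None)
    owner = next((n for n, i in interfaces.items() if dst == i.ip), None)
    if owner and ingress and owner != ingress:
        findings.append(f"{target_ip} is the firewall's own '{owner}' address, "
                        f"but the echo arrives on '{ingress}' (far-side ping)")
    return findings

if __name__ == "__main__":
    for finding in check_ping(SAMPLE_CONFIG, "132.1.137.7", "204.12.6.13"):
        print(finding)
```
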