Re: what Am I missing?

From: Luan Nguyen (luan.m.nguyen@gmail.com)
Date: Mon Jun 16 2008 - 14:52:34 ART


If you remove all the global, nat, and static, and put in a no nat-control
(on by default if no nat..etc statements), then you should be able to ping
the BB3 router from the SW1 using the OUTSIDE_IN ACL.

On Mon, Jun 16, 2008 at 9:50 AM, Dane Newman <dane.newman@gmail.com> wrote:

> When I do a capture I get
>
>
> Rack1ASA2/ContextA(config)# sh cap TEST
> 5 packets captured
> 1: 23:11:27.681315 132.1.137.7 > 204.12.6.13: icmp: echo request
> 2: 23:11:29.681223 132.1.137.7 > 204.12.6.13: icmp: echo request
> 3: 23:11:31.681544 132.1.137.7 > 204.12.6.13: icmp: echo request
> 4: 23:11:33.682276 132.1.137.7 > 204.12.6.13: icmp: echo request
> 5: 23:11:35.682169 132.1.137.7 > 204.12.6.13: icmp: echo request
> 5 packets shown
>
> So they are getting to the interface
>
> I should see them sending an echo reply if everything was working out
> of the capture right?
>
> BB3 is directly connected to the ASA on vlan 113. I thought I
> should be able to ping the BB3 interface that is on vlan 113 which ip
> is 204.12.6.254 but it would not ping. The ASA has a default route to
> SW1.
>
> I had to add the following and oddly enough I could then ping 204.12.6.254
>
> global (Inside) 1 interface
> nat (outside) 1 0.0.0.0 0.0.0.0 outside
> static (Inside,outside) 204.12.6.254 204.12.6.254 netmask 255.255.255.255
>
>
> I then tried to add this but I still could not ping the address
> static (Inside,outside) 204.12.6.13 204.12.6.13 netmask 255.255.255.255
>
> On Mon, Jun 16, 2008 at 3:13 AM, Hashiru Aminu <hashng@gmail.com> wrote:
>
>>
>> Hi,
>>
>> I would advise looking at the logs on the ASA with the "show logging" command
>> and seeing if the traffic is coming back from the switch, and equally try to
>> enable icmp permit <the IP address of the icmp reply from the switch> for
>> the inside interface... I presume from your mail that you are trying to ping
>> the inside interface. From the log, as long as all your rules log the
>> traffic, you will surely see what you are missing.
>>
>> HTH
>>
>> Hash
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Luan Nguyen
>> Sent: Monday, June 16, 2008 7:38 AM
>> To: Dane Newman
>> Cc: Cisco certification
>> Subject: Re: what Am I missing?
>>
>> Do you have something behind the ASA to ping, instead of the interface
>> itself?
>> Logging console debugging doesn't show anything without logging enable.
>> Try to do: packet-tracer input outside icmp 132.1.137.7 8 0
>> 204.12.6.13 detail and then packet-tracer input outside icmp
>> 132.1.137.7 8 0 132.1.137.113 detail and see what's going on.
>> Also turn on debug icmp trace.
>> Then change back to single mode and do the same thing.
>> Maybe you just can't ping the inside interface like that.
>>
>> -Luan
>>
>>
>> On Sun, Jun 15, 2008 at 4:11 PM, Dane Newman <dane.newman@gmail.com>
>> wrote:
>>
>> > I have ASA2 configured with two contexts. ContextA and B both share
>> > the outside interface of ASA2. I made sure to put in the system
>> > context mac-address auto command. ASA2 is directly connected to switch1
>> > on fa0/15.
>> > I am able to ping the outside interface of contextA from switch 1 but
>> > not able to ping the inside interface of contextA as shown in the output
>> > below.
>> > Could someone suggest what I am missing?
>> >
>> >
>> > Rack1SW1#ping 204.12.6.13
>> > Type escape sequence to abort.
>> > Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
>> > .....
>> > Success rate is 0 percent (0/5)
>> >
>> > Rack1ASA2/ContextA# show run
>> > : Saved
>> > :
>> > ASA Version 7.2(3) <context>
>> > !
>> > hostname ContextA
>> > domain-name internetworkexpert.com
>> > enable password 8Ry2YjIyt7RRXU24 encrypted
>> > names
>> > !
>> > interface outsideA
>> > nameif outside
>> > security-level 0
>> > ip address 132.1.137.113 255.255.255.0
>> > !
>> > interface insideA
>> > nameif Inside
>> > security-level 100
>> > ip address 204.12.6.13 255.255.255.0
>> > !
>> > passwd 2KFQnbNIdI.2KYOU encrypted
>> > dns server-group DefaultDNS
>> > domain-name internetworkexpert.com
>> > access-list OUTSIDE_IN extended permit icmp any any log
>> > access-list OUTSIDE_IN extended permit icmp any any echo
>> > access-list OUTSIDE_IN extended permit icmp any any echo-reply
>> > access-list OUTSIDE_IN extended permit tcp any any eq bgp
>> > access-list OUTSIDE_IN extended permit tcp any eq bgp any
>> > logging console debugging
>> > mtu outside 1500
>> > mtu Inside 1500
>> > icmp unreachable rate-limit 1 burst-size 1
>> > no asdm history enable
>> > arp timeout 14400
>> > access-group OUTSIDE_IN in interface outside
>> > route outside 0.0.0.0 0.0.0.0 132.1.137.7 1
>> > timeout xlate 3:00:00
>> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
>> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
>> > timeout uauth 0:05:00 absolute
>> > aaa authentication ssh console LOCAL
>> > no snmp-server location
>> > no snmp-server contact
>> > telnet timeout 5
>> > ssh 132.1.170.0 255.255.255.0 outside
>> > ssh timeout 5
>> > !
>> > class-map inspection_default
>> > match default-inspection-traffic
>> > !
>> > !
>> > policy-map type inspect dns preset_dns_map
>> > parameters
>> > message-length maximum 512
>> > policy-map global_policy
>> > class inspection_default
>> > inspect dns preset_dns_map
>> > inspect ftp
>> > inspect h323 h225
>> > inspect h323 ras
>> > inspect netbios
>> > inspect rsh
>> > inspect rtsp
>> > inspect skinny
>> > inspect esmtp
>> > inspect sqlnet
>> > inspect sunrpc
>> > inspect tftp
>> > inspect sip
>> > inspect xdmcp
>> > inspect icmp
>> > !
>> > service-policy global_policy global
>> > username ADMIN password 0Fiyt7Ojpuvbkp7l encrypted
>> > Cryptochecksum:4818558e3f200ea02f7b6b397155d9fd
>> > : end
>> > Rack1ASA2/ContextA#
>> >
>> >
>> > Rack1SW1#show run
>> > Building configuration...
>> > Current configuration : 3297 bytes
>> > !
>> > version 12.2
>> > no service pad
>> > service timestamps debug uptime
>> > service timestamps log uptime
>> > no service password-encryption
>> > !
>> > hostname Rack1SW1
>> > !
>> > enable password cisco
>> > !
>> > no aaa new-model
>> > ip subnet-zero
>> > ip routing
>> > !
>> > no ip domain-lookup
>> > !
>> > !
>> > !
>> > no file verify auto
>> > spanning-tree mode pvst
>> > spanning-tree extend system-id
>> > !
>> > !
>> > !
>> > vlan internal allocation policy ascending
>> > !
>> > !
>> > interface Loopback0
>> > ip address 150.1.7.7 255.255.255.0
>> > !
>> > interface FastEthernet0/1
>> > switchport access vlan 170
>> > switchport mode access
>> > !
>> > interface FastEthernet0/2
>> > switchport access vlan 29
>> > switchport mode access
>> > !
>> > interface FastEthernet0/3
>> > switchport access vlan 3
>> > switchport mode access
>> > !
>> > interface FastEthernet0/4
>> > switchport access vlan 4
>> > switchport mode access
>> > !
>> > interface FastEthernet0/5
>> > switchport access vlan 115
>> > switchport mode access
>> > !
>> > interface FastEthernet0/6
>> > switchport access vlan 69
>> > switchport mode access
>> > !
>> > interface FastEthernet0/7
>> > switchport mode dynamic desirable
>> > !
>> > interface FastEthernet0/8
>> > switchport mode dynamic desirable
>> > !
>> > interface FastEthernet0/9
>> > switchport access vlan 29
>> > switchport mode access
>> > !
>> > interface FastEthernet0/10
>> > switchport access vlan 170
>> > switchport mode access
>> > !
>> > interface FastEthernet0/11
>> > switchport access vlan 112
>> > switchport mode access
>> > !
>> > interface FastEthernet0/12
>> > switchport mode dynamic desirable
>> > !
>> > interface FastEthernet0/13
>> > switchport access vlan 9
>> > switchport mode access
>> > !
>> > interface FastEthernet0/14
>> > switchport mode dynamic desirable
>> > !
>> > interface FastEthernet0/15
>> > switchport access vlan 133
>> > switchport mode access
>> > !
>> > interface FastEthernet0/16
>> > switchport mode dynamic desirable
>> > !
>> > interface FastEthernet0/17
>> > switchport mode dynamic desirable
>> > !
>> > interface FastEthernet0/18
>> > switchport mode dynamic desirable
>> > !
>> > interface FastEthernet0/19
>> > switchport mode dynamic desirable
>> > !
>> > interface FastEthernet0/20
>> > switchport access vlan 9
>> > switchport mode access
>> > !
>> > interface FastEthernet0/21
>> > switchport mode dynamic desirable
>> > !
>> > interface FastEthernet0/22
>> > switchport mode dynamic desirable
>> > !
>> > interface FastEthernet0/23
>> > switchport trunk encapsulation isl
>> > switchport mode trunk
>> > !
>> > interface FastEthernet0/24
>> > switchport access vlan 133
>> > switchport mode access
>> > !
>> > interface GigabitEthernet0/1
>> > switchport mode dynamic desirable
>> > !
>> > interface GigabitEthernet0/2
>> > switchport mode dynamic desirable
>> > !
>> > interface Vlan1
>> > no ip address
>> > shutdown
>> > !
>> > interface Vlan137
>> > ip address 132.1.137.7 255.255.255.0
>> > !
>> > interface Vlan170
>> > ip address 132.1.170.7 255.255.255.0
>> > !
>> > router ospf 1
>> > router-id 150.1.7.7
>> > log-adjacency-changes
>> > redistribute connected subnets
>> > redistribute static subnets
>> > network 132.1.137.7 0.0.0.0 area 170
>> > network 132.1.170.7 0.0.0.0 area 170
>> > network 150.1.7.7 0.0.0.0 area 170
>> > !
>> > router bgp 100
>> > no synchronization
>> > bgp router-id 150.1.7.7
>> > bgp log-neighbor-changes
>> > neighbor 150.1.2.2 remote-as 100
>> > neighbor 150.1.2.2 update-source Loopback0
>> > neighbor 204.12.6.254 remote-as 54
>> > neighbor 204.12.6.254 ebgp-multihop 255
>> > no auto-summary
>> > !
>> > ip classless
>> > ip route 132.1.138.0 255.255.255.0 132.1.137.213
>> > ip route 204.12.6.0 255.255.255.0 132.1.137.113
>> > ip http server
>> > ip http secure-server
>> > !
>> > !
>> > !
>> > !
>> > !
>> > control-plane
>> > !
>> > !
>> > line con 0
>> > exec-timeout 0 0
>> > privilege level 15
>> > logging synchronous
>> > line vty 0 4
>> > password cisco
>> > login
>> > line vty 5 15
>> > password cisco
>> > login
>> > !
>> > !
>> > end
>> >
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>>
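As an added example, not part of the thread: a small Python parser for the ASA "show capture" output format quoted above, which pairs ICMP echo requests with the echo replies that reverse their addresses, so a capture where requests arrive but no replies leave (the symptom Dane saw) is flagged per flow. The first sample reproduces the capture from the thread; the second, answered ping is constructed here for contrast.

```python
import re
from collections import defaultdict

# Sample 1: the request-only capture quoted in the thread.
CAPTURE_NO_REPLY = """\
5 packets captured
1: 23:11:27.681315 132.1.137.7 > 204.12.6.13: icmp: echo request
2: 23:11:29.681223 132.1.137.7 > 204.12.6.13: icmp: echo request
3: 23:11:31.681544 132.1.137.7 > 204.12.6.13: icmp: echo request
4: 23:11:33.682276 132.1.137.7 > 204.12.6.13: icmp: echo request
5: 23:11:35.682169 132.1.137.7 > 204.12.6.13: icmp: echo request
5 packets shown
"""

# Sample 2 (constructed): a ping to the outside interface that is answered.
CAPTURE_WITH_REPLY = """\
4 packets captured
1: 23:20:01.000100 132.1.137.7 > 132.1.137.113: icmp: echo request
2: 23:20:01.000400 132.1.137.113 > 132.1.137.7: icmp: echo reply
3: 23:20:03.000100 132.1.137.7 > 132.1.137.113: icmp: echo request
4: 23:20:03.000400 132.1.137.113 > 132.1.137.7: icmp: echo reply
4 packets shown
"""

# One packet line: "<n>: <hh:mm:ss.usec> <src> > <dst>: icmp: echo request|reply"
PKT_RE = re.compile(
    r"^\s*\d+:\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):\s+icmp:\s+echo\s+(request|reply)\b"
)

def parse_capture(text):
    """Yield (timestamp, src, dst, kind) for each echo line; skip header/trailer lines."""
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            yield m.groups()

def echo_summary(text):
    """Per (src, dst) request flow: requests seen, and replies whose addresses reverse it."""
    flows = defaultdict(lambda: {"requests": 0, "replies": 0})
    for _ts, src, dst, kind in parse_capture(text):
        if kind == "request":
            flows[(src, dst)]["requests"] += 1
        else:
            flows[(dst, src)]["replies"] += 1  # reply src/dst are the request's dst/src
    return dict(flows)

def unanswered_flows(text):
    """Flows where requests outnumber replies: packets arrived but nothing was sent back."""
    return {f: c for f, c in echo_summary(text).items() if c["requests"] > c["replies"]}
```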



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART