From: Dane Newman (dane.newman@gmail.com)
Date: Mon Jun 16 2008 - 20:21:45 ART
On Mon, Jun 16, 2008 at 7:21 PM, Dane Newman <dane.newman@gmail.com> wrote:
> Sadly I have tried that: I removed all the NAT and verified no nat-control was
> on (it does not show up in the config because it's the default), but I could not
> ping ;(
>
>
>
>
> On Mon, Jun 16, 2008 at 1:52 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
> wrote:
>
>> If you remove all the global, nat, and static, and put in a no nat-control
>> (on by default if no nat..etc statements), then you should be able to ping
>> the BB3 router from the SW1 using the OUTSIDE_IN ACL.
>>
>>
>>
>> On Mon, Jun 16, 2008 at 9:50 AM, Dane Newman <dane.newman@gmail.com>
>> wrote:
>>
>>> When I do a capture I get
>>>
>>>
>>> Rack1ASA2/ContextA(config)# sh cap TEST
>>> 5 packets captured
>>> 1: 23:11:27.681315 132.1.137.7 > 204.12.6.13: icmp: echo request
>>> 2: 23:11:29.681223 132.1.137.7 > 204.12.6.13: icmp: echo request
>>> 3: 23:11:31.681544 132.1.137.7 > 204.12.6.13: icmp: echo request
>>> 4: 23:11:33.682276 132.1.137.7 > 204.12.6.13: icmp: echo request
>>> 5: 23:11:35.682169 132.1.137.7 > 204.12.6.13: icmp: echo request
>>> 5 packets shown
>>>
>>> So they are getting to the interface
>>>
>>> I should see them sending an echo reply if everything was working out
>>> of the capture right?
>>>
>>> BB3 is directly connected to the ASA on vlan 113. I thought I
>>> should be able to ping the BB3 interface that is on vlan 113 which ip
>>> is 204.12.6.254 but it would not ping. The ASA has a default route to
>>> SW1.
>>>
>>> I had to add the following and oddly enough I could then ping
>>> 204.12.6.254
>>>
>>> global (Inside) 1 interface
>>> nat (outside) 1 0.0.0.0 0.0.0.0 outside
>>> static (Inside,outside) 204.12.6.254 204.12.6.254 netmask 255.255.255.255
>>>
>>>
>>> I then tried to add this but I still could not ping the address
>>> static (Inside,outside) 204.12.6.13 204.12.6.13 netmask 255.255.255.255
>>>
>>> On Mon, Jun 16, 2008 at 3:13 AM, Hashiru Aminu <hashng@gmail.com>
>>> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> I would advise looking at the logs on the ASA with the "show logging" command
>>>> to see if the traffic is coming back from the switch, and equally try to
>>>> enable icmp permit <the IP address of the icmp reply from the switch> for
>>>> the inside interface... I presume you are trying to ping the inside interface,
>>>> from your mail. From the log, as long as you have all the rules logging the
>>>> traffic, you will surely see what you are missing.
>>>>
>>>> HTH
>>>>
>>>> Hash
>>>>
>>>> -----Original Message-----
>>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Luan Nguyen
>>>> Sent: Monday, June 16, 2008 7:38 AM
>>>> To: Dane Newman
>>>> Cc: Cisco certification
>>>> Subject: Re: what Am I missing?
>>>>
>>>> Do you have something behind the ASA to ping to, instead of the interface
>>>> itself?
>>>> Logging console debugging doesn't show anything without logging enable.
>>>> Try to do:
>>>> packet-tracer input outside icmp 132.1.137.7 8 0 204.12.6.13 detail
>>>> and then
>>>> packet-tracer input outside icmp 132.1.137.7 8 0 132.1.137.113 detail
>>>> and see what's going on.
>>>> Also turn on debug icmp trace.
>>>> Then change back to single mode and do the same thing.
>>>> Maybe you just can't ping the inside interface like that.
>>>>
>>>> -Luan
>>>>
>>>>
>>>> On Sun, Jun 15, 2008 at 4:11 PM, Dane Newman <dane.newman@gmail.com>
>>>> wrote:
>>>>
>>>> > I have ASA2 configured with two contexts. ContextA and B both share
>>>> > the outside interface of ASA2. I made sure to put in the system
>>>> > context mac-address auto command. ASA2 is directly connected to
>>>> > switch1 on fa0/15.
>>>> > I am able to ping the outside interface of contextA from switch 1 but
>>>> > not able to ping the inside interface of contextA as shown in the
>>>> > output below.
>>>> > Could someone suggest what I am missing?
>>>> >
>>>> >
>>>> > Rack1SW1#ping 204.12.6.13
>>>> > Type escape sequence to abort.
>>>> > Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
>>>> > .....
>>>> > Success rate is 0 percent (0/5)
>>>> >
>>>> > Rack1ASA2/ContextA# show run
>>>> > : Saved
>>>> > :
>>>> > ASA Version 7.2(3) <context>
>>>> > !
>>>> > hostname ContextA
>>>> > domain-name internetworkexpert.com
>>>> > enable password 8Ry2YjIyt7RRXU24 encrypted
>>>> > names
>>>> > !
>>>> > interface outsideA
>>>> > nameif outside
>>>> > security-level 0
>>>> > ip address 132.1.137.113 255.255.255.0
>>>> > !
>>>> > interface insideA
>>>> > nameif Inside
>>>> > security-level 100
>>>> > ip address 204.12.6.13 255.255.255.0
>>>> > !
>>>> > passwd 2KFQnbNIdI.2KYOU encrypted
>>>> > dns server-group DefaultDNS
>>>> > domain-name internetworkexpert.com
>>>> > access-list OUTSIDE_IN extended permit icmp any any log
>>>> > access-list OUTSIDE_IN extended permit icmp any any echo
>>>> > access-list OUTSIDE_IN extended permit icmp any any echo-reply
>>>> > access-list OUTSIDE_IN extended permit tcp any any eq bgp
>>>> > access-list OUTSIDE_IN extended permit tcp any eq bgp any
>>>> > logging console debugging
>>>> > mtu outside 1500
>>>> > mtu Inside 1500
>>>> > icmp unreachable rate-limit 1 burst-size 1
>>>> > no asdm history enable
>>>> > arp timeout 14400
>>>> > access-group OUTSIDE_IN in interface outside
>>>> > route outside 0.0.0.0 0.0.0.0 132.1.137.7 1
>>>> > timeout xlate 3:00:00
>>>> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>>>> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
>>>> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
>>>> > timeout uauth 0:05:00 absolute
>>>> > aaa authentication ssh console LOCAL
>>>> > no snmp-server location
>>>> > no snmp-server contact
>>>> > telnet timeout 5
>>>> > ssh 132.1.170.0 255.255.255.0 outside
>>>> > ssh timeout 5
>>>> > !
>>>> > class-map inspection_default
>>>> > match default-inspection-traffic
>>>> > !
>>>> > !
>>>> > policy-map type inspect dns preset_dns_map
>>>> > parameters
>>>> > message-length maximum 512
>>>> > policy-map global_policy
>>>> > class inspection_default
>>>> > inspect dns preset_dns_map
>>>> > inspect ftp
>>>> > inspect h323 h225
>>>> > inspect h323 ras
>>>> > inspect netbios
>>>> > inspect rsh
>>>> > inspect rtsp
>>>> > inspect skinny
>>>> > inspect esmtp
>>>> > inspect sqlnet
>>>> > inspect sunrpc
>>>> > inspect tftp
>>>> > inspect sip
>>>> > inspect xdmcp
>>>> > inspect icmp
>>>> > !
>>>> > service-policy global_policy global
>>>> > username ADMIN password 0Fiyt7Ojpuvbkp7l encrypted
>>>> > Cryptochecksum:4818558e3f200ea02f7b6b397155d9fd
>>>> > : end
>>>> > Rack1ASA2/ContextA#
>>>> >
>>>> >
>>>> > Rack1SW1#show run
>>>> > Building configuration...
>>>> > Current configuration : 3297 bytes
>>>> > !
>>>> > version 12.2
>>>> > no service pad
>>>> > service timestamps debug uptime
>>>> > service timestamps log uptime
>>>> > no service password-encryption
>>>> > !
>>>> > hostname Rack1SW1
>>>> > !
>>>> > enable password cisco
>>>> > !
>>>> > no aaa new-model
>>>> > ip subnet-zero
>>>> > ip routing
>>>> > !
>>>> > no ip domain-lookup
>>>> > !
>>>> > !
>>>> > !
>>>> > no file verify auto
>>>> > spanning-tree mode pvst
>>>> > spanning-tree extend system-id
>>>> > !
>>>> > !
>>>> > !
>>>> > vlan internal allocation policy ascending
>>>> > !
>>>> > !
>>>> > interface Loopback0
>>>> > ip address 150.1.7.7 255.255.255.0
>>>> > !
>>>> > interface FastEthernet0/1
>>>> > switchport access vlan 170
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/2
>>>> > switchport access vlan 29
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/3
>>>> > switchport access vlan 3
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/4
>>>> > switchport access vlan 4
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/5
>>>> > switchport access vlan 115
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/6
>>>> > switchport access vlan 69
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/7
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface FastEthernet0/8
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface FastEthernet0/9
>>>> > switchport access vlan 29
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/10
>>>> > switchport access vlan 170
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/11
>>>> > switchport access vlan 112
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/12
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface FastEthernet0/13
>>>> > switchport access vlan 9
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/14
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface FastEthernet0/15
>>>> > switchport access vlan 133
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/16
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface FastEthernet0/17
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface FastEthernet0/18
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface FastEthernet0/19
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface FastEthernet0/20
>>>> > switchport access vlan 9
>>>> > switchport mode access
>>>> > !
>>>> > interface FastEthernet0/21
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface FastEthernet0/22
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface FastEthernet0/23
>>>> > switchport trunk encapsulation isl
>>>> > switchport mode trunk
>>>> > !
>>>> > interface FastEthernet0/24
>>>> > switchport access vlan 133
>>>> > switchport mode access
>>>> > !
>>>> > interface GigabitEthernet0/1
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface GigabitEthernet0/2
>>>> > switchport mode dynamic desirable
>>>> > !
>>>> > interface Vlan1
>>>> > no ip address
>>>> > shutdown
>>>> > !
>>>> > interface Vlan137
>>>> > ip address 132.1.137.7 255.255.255.0
>>>> > !
>>>> > interface Vlan170
>>>> > ip address 132.1.170.7 255.255.255.0
>>>> > !
>>>> > router ospf 1
>>>> > router-id 150.1.7.7
>>>> > log-adjacency-changes
>>>> > redistribute connected subnets
>>>> > redistribute static subnets
>>>> > network 132.1.137.7 0.0.0.0 area 170
>>>> > network 132.1.170.7 0.0.0.0 area 170
>>>> > network 150.1.7.7 0.0.0.0 area 170
>>>> > !
>>>> > router bgp 100
>>>> > no synchronization
>>>> > bgp router-id 150.1.7.7
>>>> > bgp log-neighbor-changes
>>>> > neighbor 150.1.2.2 remote-as 100
>>>> > neighbor 150.1.2.2 update-source Loopback0
>>>> > neighbor 204.12.6.254 remote-as 54
>>>> > neighbor 204.12.6.254 ebgp-multihop 255
>>>> > no auto-summary
>>>> > !
>>>> > ip classless
>>>> > ip route 132.1.138.0 255.255.255.0 132.1.137.213
>>>> > ip route 204.12.6.0 255.255.255.0 132.1.137.113
>>>> > ip http server
>>>> > ip http secure-server
>>>> > !
>>>> > !
>>>> > !
>>>> > !
>>>> > !
>>>> > control-plane
>>>> > !
>>>> > !
>>>> > line con 0
>>>> > exec-timeout 0 0
>>>> > privilege level 15
>>>> > logging synchronous
>>>> > line vty 0 4
>>>> > password cisco
>>>> > login
>>>> > line vty 5 15
>>>> > password cisco
>>>> > login
>>>> > !
>>>> > !
>>>> > end
>>>> >
>>>> >
>>>> > _______________________________________________________________________
>>>> > Subscription information may be found at:
>>>> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART