From: Luan Nguyen (luan.m.nguyen@gmail.com)
Date: Tue Jun 17 2008 - 00:06:46 ART
That command doesn't change anything. You still cannot ping the inside
interface from outside, and you cannot ping the outside interface from inside.
You just cannot ping the interfaces that are not directly connected.
On Mon, Jun 16, 2008 at 10:54 PM, saheed Balogun <saheedb@gmail.com> wrote:
> you have not added the command:
>
> icmp permit <network> <mask> inside
> Just specify your switch network or 'any' network.
> This command is different from the Access-list command
>
>
>
> On 6/17/08, Dane Newman <dane.newman@gmail.com> wrote:
>>
>> Rack1ASA2/ContextA(config)# access-group INSIDE_IN in inter inside
>>
>>
>> access-list INSIDE_IN extended permit ip any any
>> access-list INSIDE_IN extended permit icmp any any
>>
>> Rack1SW1#ping 204.12.6.13
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
>> .....
>> Success rate is 0 percent (0/5)
>> Rack1SW1#ping 204.12.6.254
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 204.12.6.254, timeout is 2 seconds:
>> !!!!!
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>> Rack1SW1#
>>
>> Still not able to ping? ;( But I can still ping beyond the ASA.
>>
>> On Mon, Jun 16, 2008 at 9:54 PM, saheed Balogun <saheedb@gmail.com>
>> wrote:
>>
>>> Hi Dane,
>>>
>>> You need this command:
>>> icmp permit <network> <mask> inside
>>> The PIX/ASA by default would not allow you to ping its interfaces
>>> unless you are connected through that interface.
>>> R1 ------- inside |ASA| outside ------- R2
>>> R1 can ping inside but would not be able to ping outside by default.
>>>
>>>
>>>
>>> On 6/17/08, Dane Newman <dane.newman@gmail.com> wrote:
>>>
>>>> On Mon, Jun 16, 2008 at 7:21 PM, Dane Newman <dane.newman@gmail.com>
>>>> wrote:
>>>>
>>>> > Sadly I have tried that: removed all the NAT and verified no
>>>> > nat-control was on (it does not show up in the config because it's
>>>> > the default), but I could not ping ;(
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Mon, Jun 16, 2008 at 1:52 PM, Luan Nguyen <luan.m.nguyen@gmail.com
>>>> >
>>>> > wrote:
>>>> >
>>>> >> If you remove all the global, nat, and static, and put in a no
>>>> >> nat-control (on by default if no nat..etc statements), then you
>>>> >> should be able to ping the BB3 router from the SW1 using the
>>>> >> OUTSIDE_IN ACL.
>>>> >>
>>>> >>
>>>> >>
>>>> >> On Mon, Jun 16, 2008 at 9:50 AM, Dane Newman <dane.newman@gmail.com>
>>>> >> wrote:
>>>> >>
>>>> >>> When I do a capture I get
>>>> >>>
>>>> >>>
>>>> >>> Rack1ASA2/ContextA(config)# sh cap TEST
>>>> >>> 5 packets captured
>>>> >>> 1: 23:11:27.681315 132.1.137.7 > 204.12.6.13: icmp: echo request
>>>> >>> 2: 23:11:29.681223 132.1.137.7 > 204.12.6.13: icmp: echo request
>>>> >>> 3: 23:11:31.681544 132.1.137.7 > 204.12.6.13: icmp: echo request
>>>> >>> 4: 23:11:33.682276 132.1.137.7 > 204.12.6.13: icmp: echo request
>>>> >>> 5: 23:11:35.682169 132.1.137.7 > 204.12.6.13: icmp: echo request
>>>> >>> 5 packets shown
>>>> >>>
>>>> >>> So they are getting to the interface
>>>> >>>
>>>> >>> I should see them sending an echo reply if everything was working
>>>> >>> out of the capture, right?
>>>> >>>
>>>> >>> BB3 is directly connected to the ASA on vlan 113. I thought I
>>>> >>> should be able to ping the BB3 interface that is on vlan 113, which
>>>> >>> ip is 204.12.6.254, but it would not ping. The ASA has a default
>>>> >>> route to SW1.
>>>> >>>
>>>> >>> I had to add the following and oddly enough I could then ping
>>>> >>> 204.12.6.254
>>>> >>>
>>>> >>> global (Inside) 1 interface
>>>> >>> nat (outside) 1 0.0.0.0 0.0.0.0 outside
>>>> >>> static (Inside,outside) 204.12.6.254 204.12.6.254 netmask
>>>> >>> 255.255.255.255
>>>> >>>
>>>> >>>
>>>> >>> I then tried to add this but I still could not ping the address
>>>> >>> static (Inside,outside) 204.12.6.13 204.12.6.13 netmask
>>>> >>> 255.255.255.255
>>>> >>>
>>>> >>> On Mon, Jun 16, 2008 at 3:13 AM, Hashiru Aminu <hashng@gmail.com>
>>>> >>> wrote:
>>>> >>>
>>>> >>>>
>>>> >>>> Hi,
>>>> >>>>
>>>> >>>> I would advise to look at the logs on the ASA with the "show logging"
>>>> >>>> command and see if the traffic is coming back from the switch, and
>>>> >>>> equally try to enable icmp permit <the IP address of the icmp reply
>>>> >>>> from the switch> for the inside interface... I presume you are
>>>> >>>> trying to ping the inside interface from your mail. From the log, as
>>>> >>>> long as you have all the rules log the traffic, you will surely see
>>>> >>>> what you are missing.
>>>> >>>>
>>>> >>>> HTH
>>>> >>>>
>>>> >>>> Hash
>>>> >>>>
>>>> >>>> -----Original Message-----
>>>> >>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
>>>> >>>> Behalf Of Luan Nguyen
>>>> >>>> Sent: Monday, June 16, 2008 7:38 AM
>>>> >>>> To: Dane Newman
>>>> >>>> Cc: Cisco certification
>>>> >>>> Subject: Re: what Am I missing?
>>>> >>>>
>>>> >>>> Do you have something behind the ASA to ping to, instead of the
>>>> >>>> interface itself?
>>>> >>>> Logging console debugging doesn't show anything without logging
>>>> >>>> enable.
>>>> >>>> Try to do: packet-tracer input outside icmp 132.1.137.7 8 0
>>>> >>>> 204.12.6.13 detail and then packet-tracer input outside icmp
>>>> >>>> 132.1.137.7 8 0 132.1.137.113 detail and see what's going on.
>>>> >>>> Also turn on debug icmp trace.
>>>> >>>> Then change back to single mode and do the same thing.
>>>> >>>> Maybe you just can't ping the inside interface like that.
>>>> >>>>
>>>> >>>> -Luan
>>>> >>>>
>>>> >>>>
>>>> >>>> On Sun, Jun 15, 2008 at 4:11 PM, Dane Newman <dane.newman@gmail.com>
>>>> >>>> wrote:
>>>> >>>>
>>>> >>>> > I have ASA2 configured with two contexts. ContextA and B both share
>>>> >>>> > the outside interface of ASA2. I made sure to put in the system
>>>> >>>> > context mac-address auto command. ASA2 is directly connected to
>>>> >>>> > switch1 on fa0/15.
>>>> >>>> > I am able to ping the outside interface of contextA from switch 1
>>>> >>>> > but not able to ping the inside interface of contextA as shown in
>>>> >>>> > the output below.
>>>> >>>> > Could someone suggest what I am missing?
>>>> >>>> >
>>>> >>>> >
>>>> >>>> > Rack1SW1#ping 204.12.6.13
>>>> >>>> > Type escape sequence to abort.
>>>> >>>> > Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
>>>> >>>> > .....
>>>> >>>> > Success rate is 0 percent (0/5)
>>>> >>>> >
>>>> >>>> > Rack1ASA2/ContextA# show run
>>>> >>>> > : Saved
>>>> >>>> > :
>>>> >>>> > ASA Version 7.2(3) <context>
>>>> >>>> > !
>>>> >>>> > hostname ContextA
>>>> >>>> > domain-name internetworkexpert.com
>>>> >>>> > enable password 8Ry2YjIyt7RRXU24 encrypted
>>>> >>>> > names
>>>> >>>> > !
>>>> >>>> > interface outsideA
>>>> >>>> >  nameif outside
>>>> >>>> >  security-level 0
>>>> >>>> >  ip address 132.1.137.113 255.255.255.0
>>>> >>>> > !
>>>> >>>> > interface insideA
>>>> >>>> >  nameif Inside
>>>> >>>> >  security-level 100
>>>> >>>> >  ip address 204.12.6.13 255.255.255.0
>>>> >>>> > !
>>>> >>>> > passwd 2KFQnbNIdI.2KYOU encrypted
>>>> >>>> > dns server-group DefaultDNS
>>>> >>>> >  domain-name internetworkexpert.com
>>>> >>>> > access-list OUTSIDE_IN extended permit icmp any any log
>>>> >>>> > access-list OUTSIDE_IN extended permit icmp any any echo
>>>> >>>> > access-list OUTSIDE_IN extended permit icmp any any echo-reply
>>>> >>>> > access-list OUTSIDE_IN extended permit tcp any any eq bgp
>>>> >>>> > access-list OUTSIDE_IN extended permit tcp any eq bgp any
>>>> >>>> > logging console debugging
>>>> >>>> > mtu outside 1500
>>>> >>>> > mtu Inside 1500
>>>> >>>> > icmp unreachable rate-limit 1 burst-size 1
>>>> >>>> > no asdm history enable
>>>> >>>> > arp timeout 14400
>>>> >>>> > access-group OUTSIDE_IN in interface outside
>>>> >>>> > route outside 0.0.0.0 0.0.0.0 132.1.137.7 1
>>>> >>>> > timeout xlate 3:00:00
>>>> >>>> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>>>> >>>> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
>>>> >>>> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
>>>> >>>> > timeout uauth 0:05:00 absolute
>>>> >>>> > aaa authentication ssh console LOCAL
>>>> >>>> > no snmp-server location
>>>> >>>> > no snmp-server contact
>>>> >>>> > telnet timeout 5
>>>> >>>> > ssh 132.1.170.0 255.255.255.0 outside
>>>> >>>> > ssh timeout 5
>>>> >>>> > !
>>>> >>>> > class-map inspection_default
>>>> >>>> >  match default-inspection-traffic
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > policy-map type inspect dns preset_dns_map
>>>> >>>> >  parameters
>>>> >>>> >   message-length maximum 512
>>>> >>>> > policy-map global_policy
>>>> >>>> >  class inspection_default
>>>> >>>> >   inspect dns preset_dns_map
>>>> >>>> >   inspect ftp
>>>> >>>> >   inspect h323 h225
>>>> >>>> >   inspect h323 ras
>>>> >>>> >   inspect netbios
>>>> >>>> >   inspect rsh
>>>> >>>> >   inspect rtsp
>>>> >>>> >   inspect skinny
>>>> >>>> >   inspect esmtp
>>>> >>>> >   inspect sqlnet
>>>> >>>> >   inspect sunrpc
>>>> >>>> >   inspect tftp
>>>> >>>> >   inspect sip
>>>> >>>> >   inspect xdmcp
>>>> >>>> >   inspect icmp
>>>> >>>> > !
>>>> >>>> > service-policy global_policy global
>>>> >>>> > username ADMIN password 0Fiyt7Ojpuvbkp7l encrypted
>>>> >>>> > Cryptochecksum:4818558e3f200ea02f7b6b397155d9fd
>>>> >>>> > : end
>>>> >>>> > Rack1ASA2/ContextA#
>>>> >>>> >
>>>> >>>> >
>>>> >>>> > Rack1SW1#show run
>>>> >>>> > Building configuration...
>>>> >>>> > Current configuration : 3297 bytes
>>>> >>>> > !
>>>> >>>> > version 12.2
>>>> >>>> > no service pad
>>>> >>>> > service timestamps debug uptime
>>>> >>>> > service timestamps log uptime
>>>> >>>> > no service password-encryption
>>>> >>>> > !
>>>> >>>> > hostname Rack1SW1
>>>> >>>> > !
>>>> >>>> > enable password cisco
>>>> >>>> > !
>>>> >>>> > no aaa new-model
>>>> >>>> > ip subnet-zero
>>>> >>>> > ip routing
>>>> >>>> > !
>>>> >>>> > no ip domain-lookup
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > no file verify auto
>>>> >>>> > spanning-tree mode pvst
>>>> >>>> > spanning-tree extend system-id
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > vlan internal allocation policy ascending
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > interface Loopback0
>>>> >>>> > ip address 150.1.7.7 255.255.255.0
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/1
>>>> >>>> > switchport access vlan 170
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/2
>>>> >>>> > switchport access vlan 29
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/3
>>>> >>>> > switchport access vlan 3
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/4
>>>> >>>> > switchport access vlan 4
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/5
>>>> >>>> > switchport access vlan 115
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/6
>>>> >>>> > switchport access vlan 69
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/7
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/8
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/9
>>>> >>>> > switchport access vlan 29
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/10
>>>> >>>> > switchport access vlan 170
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/11
>>>> >>>> > switchport access vlan 112
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/12
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/13
>>>> >>>> > switchport access vlan 9
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/14
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/15
>>>> >>>> > switchport access vlan 133
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/16
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/17
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/18
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/19
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/20
>>>> >>>> > switchport access vlan 9
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/21
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/22
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/23
>>>> >>>> > switchport trunk encapsulation isl
>>>> >>>> > switchport mode trunk
>>>> >>>> > !
>>>> >>>> > interface FastEthernet0/24
>>>> >>>> > switchport access vlan 133
>>>> >>>> > switchport mode access
>>>> >>>> > !
>>>> >>>> > interface GigabitEthernet0/1
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface GigabitEthernet0/2
>>>> >>>> > switchport mode dynamic desirable
>>>> >>>> > !
>>>> >>>> > interface Vlan1
>>>> >>>> > no ip address
>>>> >>>> > shutdown
>>>> >>>> > !
>>>> >>>> > interface Vlan137
>>>> >>>> > ip address 132.1.137.7 255.255.255.0
>>>> >>>> > !
>>>> >>>> > interface Vlan170
>>>> >>>> > ip address 132.1.170.7 255.255.255.0
>>>> >>>> > !
>>>> >>>> > router ospf 1
>>>> >>>> > router-id 150.1.7.7
>>>> >>>> > log-adjacency-changes
>>>> >>>> > redistribute connected subnets
>>>> >>>> > redistribute static subnets
>>>> >>>> > network 132.1.137.7 0.0.0.0 area 170
>>>> >>>> > network 132.1.170.7 0.0.0.0 area 170
>>>> >>>> > network 150.1.7.7 0.0.0.0 area 170
>>>> >>>> > !
>>>> >>>> > router bgp 100
>>>> >>>> > no synchronization
>>>> >>>> > bgp router-id 150.1.7.7
>>>> >>>> > bgp log-neighbor-changes
>>>> >>>> > neighbor 150.1.2.2 remote-as 100
>>>> >>>> > neighbor 150.1.2.2 update-source Loopback0
>>>> >>>> > neighbor 204.12.6.254 remote-as 54
>>>> >>>> > neighbor 204.12.6.254 ebgp-multihop 255
>>>> >>>> > no auto-summary
>>>> >>>> > !
>>>> >>>> > ip classless
>>>> >>>> > ip route 132.1.138.0 255.255.255.0 132.1.137.213
>>>> >>>> > ip route 204.12.6.0 255.255.255.0 132.1.137.113
>>>> >>>> > ip http server
>>>> >>>> > ip http secure-server
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > control-plane
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > line con 0
>>>> >>>> > exec-timeout 0 0
>>>> >>>> > privilege level 15
>>>> >>>> > logging synchronous
>>>> >>>> > line vty 0 4
>>>> >>>> > password cisco
>>>> >>>> > login
>>>> >>>> > line vty 5 15
>>>> >>>> > password cisco
>>>> >>>> > login
>>>> >>>> > !
>>>> >>>> > !
>>>> >>>> > end
>>>> >>>> >
>>>> >>>> >
>>>> >>>> >
>>>> >>>> > _______________________________________________________________________
>>>> >>>> > Subscription information may be found at:
>>>> >>>> > http://www.groupstudy.com/list/CCIELab.html
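The capture Dane posted shows echo requests reaching the ASA with no echo reply, and the thread's diagnosis is that ICMP aimed at the ASA's own interface is governed by the `icmp` command, not the access-group ACL. The parser below is an added example, not code from the thread: it pairs requests with replies in `show capture` output and flags unanswered flows whose destination is an ASA interface address. The sample capture and the interface address set are constructed from the values quoted above.

```python
import re
from collections import Counter

# Constructed sample modelled on the "sh cap TEST" output quoted in the thread:
# five unanswered echo requests from SW1 (132.1.137.7) to the context's inside
# interface (204.12.6.13), plus one answered request to BB3 (204.12.6.254).
SAMPLE_CAPTURE = """\
7 packets captured
1: 23:11:27.681315 132.1.137.7 > 204.12.6.13: icmp: echo request
2: 23:11:29.681223 132.1.137.7 > 204.12.6.13: icmp: echo request
3: 23:11:31.681544 132.1.137.7 > 204.12.6.13: icmp: echo request
4: 23:11:33.682276 132.1.137.7 > 204.12.6.13: icmp: echo request
5: 23:11:35.682169 132.1.137.7 > 204.12.6.13: icmp: echo request
6: 23:11:40.100000 132.1.137.7 > 204.12.6.254: icmp: echo request
7: 23:11:40.101000 204.12.6.254 > 132.1.137.7: icmp: echo reply
7 packets shown
"""

# One "show capture" line: "<n>: <time> <src> > <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo (?P<kind>request|reply)"
)

def parse_capture(text):
    """Return (src, dst, kind) for every ICMP echo line; other lines are ignored."""
    return [m.group("src", "dst", "kind")
            for m in map(LINE_RE.match, text.splitlines()) if m]

def unanswered_flows(packets):
    """Map each (src, dst) request flow to its count of requests without a reply.
    A reply to flow (src, dst) shows up in the capture as dst > src."""
    requests = Counter((s, d) for s, d, k in packets if k == "request")
    replies = Counter((d, s) for s, d, k in packets if k == "reply")
    return {f: n - replies[f] for f, n in requests.items() if n > replies[f]}

def classify(unanswered, asa_interface_ips):
    """Split unanswered flows by destination: to-the-box (an ASA interface address,
    governed by the `icmp` command and the nearest-interface rule) versus
    through-the-box (governed by the access-group ACLs and NAT/xlate)."""
    to_box = {f: n for f, n in unanswered.items() if f[1] in asa_interface_ips}
    through = {f: n for f, n in unanswered.items() if f[1] not in asa_interface_ips}
    return to_box, through

if __name__ == "__main__":
    # Interface addresses taken from the ContextA config quoted in the thread.
    missing = unanswered_flows(parse_capture(SAMPLE_CAPTURE))
    to_box, through = classify(missing, {"132.1.137.113", "204.12.6.13"})
    for (src, dst), n in to_box.items():
        print(f"{n} unanswered {src} -> {dst}: to-the-box ICMP, check 'icmp' rules")
    for (src, dst), n in through.items():
        print(f"{n} unanswered {src} -> {dst}: through-the-box, check ACL/NAT")
```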
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART