Re: what Am I missing?

From: Dane Newman (dane.newman@gmail.com)
Date: Tue Jun 17 2008 - 00:17:28 ART


Rack1ASA2/ContextA(config)# icmp permit any inside
Rack1ASA2/ContextA(config)#
SCRack6AS>7
[Resuming connection 7 to SW1 ... ]

Rack1SW1#
Rack1SW1#ping 204.12.6.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Rack1SW1#

Is that true? You just can't ping interfaces that are not directly connected?
Wow, chasing a ghost.

On Mon, Jun 16, 2008 at 11:06 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
wrote:

> that command doesn't change anything. You still cannot ping the inside
> interface from outside. You cannot ping the outside interface from inside.
> You just cannot ping the interfaces that are not directly connected.
>
>
>
> On Mon, Jun 16, 2008 at 10:54 PM, saheed Balogun <saheedb@gmail.com>
> wrote:
>
>> you have not added the command:
>>
>> *icmp permit <network> <mask> inside*
>> Just specify your switch network or 'any' network.
>> This command is different from the access-list command.
>>
>>
>>
>> On 6/17/08, Dane Newman <dane.newman@gmail.com> wrote:
>>>
>>> Rack1ASA2/ContextA(config)# access-group INSIDE_IN in inter inside
>>>
>>>
>>> access-list INSIDE_IN extended permit ip any any
>>> access-list INSIDE_IN extended permit icmp any any
>>>
>>> Rack1SW1#ping 204.12.6.13
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
>>> .....
>>> Success rate is 0 percent (0/5)
>>> Rack1SW1#ping 204.12.6.254
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 204.12.6.254, timeout is 2 seconds:
>>> !!!!!
>>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>>> Rack1SW1#
>>>
>>> Still not able to ping ;( but I can still ping beyond the ASA.
>>>
>>> On Mon, Jun 16, 2008 at 9:54 PM, saheed Balogun <saheedb@gmail.com>
>>> wrote:
>>>
>>>> Hi Dane,
>>>>
>>>> You need this command:
>>>> *icmp permit <network> <mask> inside*
>>>> The PIX/ASA by default would not allow you to ping its interfaces
>>>> unless you are connected through that interface.
>>>> R1 ------- inside |*ASA*| outside -------R2
>>>> R1 can ping inside but would not be able to ping outside by default.
>>>>
>>>>
>>>>
>>>> On 6/17/08, Dane Newman <dane.newman@gmail.com> wrote:
>>>>
>>>>> On Mon, Jun 16, 2008 at 7:21 PM, Dane Newman <dane.newman@gmail.com>
>>>>> wrote:
>>>>>
>>>>> > Sadly I have tried that: removed all the NAT and verified no nat-control was
>>>>> > on (it does not show up in the config because it's the default), but I could
>>>>> > not ping ;(
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > On Mon, Jun 16, 2008 at 1:52 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
>>>>> > wrote:
>>>>> >
>>>>> >> If you remove all the global, nat, and static, and put in a no nat-control
>>>>> >> (on by default if no nat..etc statements), then you should be able to ping
>>>>> >> the BB3 router from the SW1 using the OUTSIDE_IN ACL.
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> On Mon, Jun 16, 2008 at 9:50 AM, Dane Newman <dane.newman@gmail.com>
>>>>> >> wrote:
>>>>> >>
>>>>> >>> When i do a capture I get
>>>>> >>>
>>>>> >>>
>>>>> >>> Rack1ASA2/ContextA(config)# sh cap TEST
>>>>> >>> 5 packets captured
>>>>> >>> 1: 23:11:27.681315 132.1.137.7 > 204.12.6.13: icmp: echo request
>>>>> >>> 2: 23:11:29.681223 132.1.137.7 > 204.12.6.13: icmp: echo request
>>>>> >>> 3: 23:11:31.681544 132.1.137.7 > 204.12.6.13: icmp: echo request
>>>>> >>> 4: 23:11:33.682276 132.1.137.7 > 204.12.6.13: icmp: echo request
>>>>> >>> 5: 23:11:35.682169 132.1.137.7 > 204.12.6.13: icmp: echo request
>>>>> >>> 5 packets shown
>>>>> >>>
>>>>> >>> So they are getting to the interface
>>>>> >>>
>>>>> >>> I should see them sending an echo reply in the capture if everything was
>>>>> >>> working, right?
>>>>> >>>
>>>>> >>> BB3 is directly connected to the ASA on vlan 113. I thought I
>>>>> >>> should be able to ping the BB3 interface that is on vlan 113, which ip
>>>>> >>> is 204.12.6.254, but it would not ping. The ASA has a default route to
>>>>> >>> SW1.
>>>>> >>>
>>>>> >>> I had to add the following and oddly enough I could then ping
>>>>> >>> 204.12.6.254
>>>>> >>>
>>>>> >>> global (Inside) 1 interface
>>>>> >>> nat (outside) 1 0.0.0.0 0.0.0.0 outside
>>>>> >>> static (Inside,outside) 204.12.6.254 204.12.6.254 netmask
>>>>> >>> 255.255.255.255
>>>>> >>>
>>>>> >>>
>>>>> >>> I then tried to add this but I still could not ping the address:
>>>>> >>> static (Inside,outside) 204.12.6.13 204.12.6.13 netmask 255.255.255.255
>>>>> >>>
>>>>> >>> On Mon, Jun 16, 2008 at 3:13 AM, Hashiru Aminu <hashng@gmail.com>
>>>>> >>> wrote:
>>>>> >>>
>>>>> >>>>
>>>>> >>>> Hi,
>>>>> >>>>
>>>>> >>>> I would advise looking at the logs on the ASA with the "show logging"
>>>>> >>>> command and see if the traffic is coming back from the switch, and equally
>>>>> >>>> try to enable icmp permit <the IP address of the icmp reply from the switch>
>>>>> >>>> for the inside interface... I presume you are trying to ping the inside
>>>>> >>>> interface from your mail. From the log, as long as all the rules log
>>>>> >>>> the traffic, you will surely see what you are missing.
>>>>> >>>>
>>>>> >>>> HTH
>>>>> >>>>
>>>>> >>>> Hash
>>>>> >>>>
>>>>> >>>> -----Original Message-----
>>>>> >>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>>>> >>>> Luan Nguyen
>>>>> >>>> Sent: Monday, June 16, 2008 7:38 AM
>>>>> >>>> To: Dane Newman
>>>>> >>>> Cc: Cisco certification
>>>>> >>>> Subject: Re: what Am I missing?
>>>>> >>>>
>>>>> >>>> Do you have something behind the ASA to ping, instead of the interface
>>>>> >>>> itself?
>>>>> >>>> Logging console debugging doesn't show anything without logging enable.
>>>>> >>>> Try to do: packet-tracer input outside icmp 132.1.137.7 8 0 204.12.6.13 detail
>>>>> >>>> and then packet-tracer input outside icmp 132.1.137.7 8 0 132.1.137.113 detail
>>>>> >>>> and see what's going on.
>>>>> >>>> Also turn on debug icmp trace.
>>>>> >>>> then change back to single mode and do the same thing.
>>>>> >>>> Maybe you just can't ping the inside interface like that.
>>>>> >>>>
>>>>> >>>> -Luan
>>>>> >>>>
>>>>> >>>>
>>>>> >>>> On Sun, Jun 15, 2008 at 4:11 PM, Dane Newman <dane.newman@gmail.com>
>>>>> >>>> wrote:
>>>>> >>>>
>>>>> >>>> > I have ASA2 configured with two contexts. ContextA and B both share
>>>>> >>>> > the outside interface of ASA2. I made sure to put in the system
>>>>> >>>> > context mac-address auto command. ASA2 is directly connected to
>>>>> >>>> > switch1 on fa0/15.
>>>>> >>>> > I am able to ping the outside interface of contextA from switch 1 but
>>>>> >>>> > not able to ping the inside interface of contextA as shown in the
>>>>> >>>> > output below.
>>>>> >>>> > Could someone suggest what I am missing?
>>>>> >>>> >
>>>>> >>>> >
>>>>> >>>> > Rack1SW1#ping 204.12.6.13
>>>>> >>>> > Type escape sequence to abort.
>>>>> >>>> > Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2
>>>>> seconds:
>>>>> >>>> > .....
>>>>> >>>> > Success rate is 0 percent (0/5)
>>>>> >>>> >
>>>>> >>>> > Rack1ASA2/ContextA# show run
>>>>> >>>> > : Saved
>>>>> >>>> > :
>>>>> >>>> > ASA Version 7.2(3) <context>
>>>>> >>>> > !
>>>>> >>>> > hostname ContextA
>>>>> >>>> > domain-name internetworkexpert.com
>>>>> >>>> > enable password 8Ry2YjIyt7RRXU24 encrypted
>>>>> >>>> > names
>>>>> >>>> > !
>>>>> >>>> > interface outsideA
>>>>> >>>> > nameif outside
>>>>> >>>> > security-level 0
>>>>> >>>> > ip address 132.1.137.113 255.255.255.0
>>>>> >>>> > !
>>>>> >>>> > interface insideA
>>>>> >>>> > nameif Inside
>>>>> >>>> > security-level 100
>>>>> >>>> > ip address 204.12.6.13 255.255.255.0
>>>>> >>>> > !
>>>>> >>>> > passwd 2KFQnbNIdI.2KYOU encrypted
>>>>> >>>> > dns server-group DefaultDNS
>>>>> >>>> > domain-name internetworkexpert.com
>>>>> >>>> > access-list OUTSIDE_IN extended permit icmp any any log
>>>>> >>>> > access-list OUTSIDE_IN extended permit icmp any any echo
>>>>> >>>> > access-list OUTSIDE_IN extended permit icmp any any echo-reply
>>>>> >>>> > access-list OUTSIDE_IN extended permit tcp any any eq bgp
>>>>> >>>> > access-list OUTSIDE_IN extended permit tcp any eq bgp any
>>>>> >>>> > logging console debugging
>>>>> >>>> > mtu outside 1500
>>>>> >>>> > mtu Inside 1500
>>>>> >>>> > icmp unreachable rate-limit 1 burst-size 1
>>>>> >>>> > no asdm history enable
>>>>> >>>> > arp timeout 14400
>>>>> >>>> > access-group OUTSIDE_IN in interface outside
>>>>> >>>> > route outside 0.0.0.0 0.0.0.0 132.1.137.7 1
>>>>> >>>> > timeout xlate 3:00:00
>>>>> >>>> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>>>>> >>>> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
>>>>> >>>> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
>>>>> >>>> > timeout uauth 0:05:00 absolute
>>>>> >>>> > aaa authentication ssh console LOCAL
>>>>> >>>> > no snmp-server location
>>>>> >>>> > no snmp-server contact
>>>>> >>>> > telnet timeout 5
>>>>> >>>> > ssh 132.1.170.0 255.255.255.0 outside
>>>>> >>>> > ssh timeout 5
>>>>> >>>> > !
>>>>> >>>> > class-map inspection_default
>>>>> >>>> > match default-inspection-traffic
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > policy-map type inspect dns preset_dns_map
>>>>> >>>> > parameters
>>>>> >>>> > message-length maximum 512
>>>>> >>>> > policy-map global_policy
>>>>> >>>> > class inspection_default
>>>>> >>>> > inspect dns preset_dns_map
>>>>> >>>> > inspect ftp
>>>>> >>>> > inspect h323 h225
>>>>> >>>> > inspect h323 ras
>>>>> >>>> > inspect netbios
>>>>> >>>> > inspect rsh
>>>>> >>>> > inspect rtsp
>>>>> >>>> > inspect skinny
>>>>> >>>> > inspect esmtp
>>>>> >>>> > inspect sqlnet
>>>>> >>>> > inspect sunrpc
>>>>> >>>> > inspect tftp
>>>>> >>>> > inspect sip
>>>>> >>>> > inspect xdmcp
>>>>> >>>> > inspect icmp
>>>>> >>>> > !
>>>>> >>>> > service-policy global_policy global
>>>>> >>>> > username ADMIN password 0Fiyt7Ojpuvbkp7l encrypted
>>>>> >>>> > Cryptochecksum:4818558e3f200ea02f7b6b397155d9fd
>>>>> >>>> > : end
>>>>> >>>> > Rack1ASA2/ContextA#
>>>>> >>>> >
>>>>> >>>> >
>>>>> >>>> > Rack1SW1#show run
>>>>> >>>> > Building configuration...
>>>>> >>>> > Current configuration : 3297 bytes
>>>>> >>>> > !
>>>>> >>>> > version 12.2
>>>>> >>>> > no service pad
>>>>> >>>> > service timestamps debug uptime
>>>>> >>>> > service timestamps log uptime
>>>>> >>>> > no service password-encryption
>>>>> >>>> > !
>>>>> >>>> > hostname Rack1SW1
>>>>> >>>> > !
>>>>> >>>> > enable password cisco
>>>>> >>>> > !
>>>>> >>>> > no aaa new-model
>>>>> >>>> > ip subnet-zero
>>>>> >>>> > ip routing
>>>>> >>>> > !
>>>>> >>>> > no ip domain-lookup
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > no file verify auto
>>>>> >>>> > spanning-tree mode pvst
>>>>> >>>> > spanning-tree extend system-id
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > vlan internal allocation policy ascending
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > interface Loopback0
>>>>> >>>> > ip address 150.1.7.7 255.255.255.0
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/1
>>>>> >>>> > switchport access vlan 170
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/2
>>>>> >>>> > switchport access vlan 29
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/3
>>>>> >>>> > switchport access vlan 3
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/4
>>>>> >>>> > switchport access vlan 4
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/5
>>>>> >>>> > switchport access vlan 115
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/6
>>>>> >>>> > switchport access vlan 69
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/7
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/8
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/9
>>>>> >>>> > switchport access vlan 29
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/10
>>>>> >>>> > switchport access vlan 170
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/11
>>>>> >>>> > switchport access vlan 112
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/12
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/13
>>>>> >>>> > switchport access vlan 9
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/14
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/15
>>>>> >>>> > switchport access vlan 133
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/16
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/17
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/18
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/19
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/20
>>>>> >>>> > switchport access vlan 9
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/21
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/22
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/23
>>>>> >>>> > switchport trunk encapsulation isl
>>>>> >>>> > switchport mode trunk
>>>>> >>>> > !
>>>>> >>>> > interface FastEthernet0/24
>>>>> >>>> > switchport access vlan 133
>>>>> >>>> > switchport mode access
>>>>> >>>> > !
>>>>> >>>> > interface GigabitEthernet0/1
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface GigabitEthernet0/2
>>>>> >>>> > switchport mode dynamic desirable
>>>>> >>>> > !
>>>>> >>>> > interface Vlan1
>>>>> >>>> > no ip address
>>>>> >>>> > shutdown
>>>>> >>>> > !
>>>>> >>>> > interface Vlan137
>>>>> >>>> > ip address 132.1.137.7 255.255.255.0
>>>>> >>>> > !
>>>>> >>>> > interface Vlan170
>>>>> >>>> > ip address 132.1.170.7 255.255.255.0
>>>>> >>>> > !
>>>>> >>>> > router ospf 1
>>>>> >>>> > router-id 150.1.7.7
>>>>> >>>> > log-adjacency-changes
>>>>> >>>> > redistribute connected subnets
>>>>> >>>> > redistribute static subnets
>>>>> >>>> > network 132.1.137.7 0.0.0.0 area 170
>>>>> >>>> > network 132.1.170.7 0.0.0.0 area 170
>>>>> >>>> > network 150.1.7.7 0.0.0.0 area 170
>>>>> >>>> > !
>>>>> >>>> > router bgp 100
>>>>> >>>> > no synchronization
>>>>> >>>> > bgp router-id 150.1.7.7
>>>>> >>>> > bgp log-neighbor-changes
>>>>> >>>> > neighbor 150.1.2.2 remote-as 100
>>>>> >>>> > neighbor 150.1.2.2 update-source Loopback0
>>>>> >>>> > neighbor 204.12.6.254 remote-as 54
>>>>> >>>> > neighbor 204.12.6.254 ebgp-multihop 255
>>>>> >>>> > no auto-summary
>>>>> >>>> > !
>>>>> >>>> > ip classless
>>>>> >>>> > ip route 132.1.138.0 255.255.255.0 132.1.137.213
>>>>> >>>> > ip route 204.12.6.0 255.255.255.0 132.1.137.113
>>>>> >>>> > ip http server
>>>>> >>>> > ip http secure-server
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > control-plane
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > line con 0
>>>>> >>>> > exec-timeout 0 0
>>>>> >>>> > privilege level 15
>>>>> >>>> > logging synchronous
>>>>> >>>> > line vty 0 4
>>>>> >>>> > password cisco
>>>>> >>>> > login
>>>>> >>>> > line vty 5 15
>>>>> >>>> > password cisco
>>>>> >>>> > login
>>>>> >>>> > !
>>>>> >>>> > !
>>>>> >>>> > end
>>>>> >>>> >
>>>>> >>>> >
>>>>> >>>> >
>>>>> >>>> > _______________________________________________________________________
>>>>> >>>> > Subscription information may be found at:
>>>>> >>>> > http://www.groupstudy.com/list/CCIELab.html
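Added example, not part of the thread: a small Python model of the two checks that decide whether an ASA answers a ping sent to one of its own interface addresses, as the replies above describe them. Pings to the box are governed by the `icmp permit|deny` control list (permit everything when an interface has no rules, otherwise first match with an implicit deny), while the interface ACL bound with `access-group` governs traffic through the box and is not consulted; and the ASA only answers for the address of the interface the packet arrived on, which is why 204.12.6.13 never answers from the outside even after `icmp permit any inside`. The sample config is constructed from the ContextA config posted here plus Dane's `icmp permit any inside`; the two extra `outside` icmp rules, the function names and the absence of `management-access` are my assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the ContextA config posted in this thread, plus the
# "icmp permit any inside" line from the top of the thread. The two "outside" icmp
# rules are invented here to show first-match ordering; they are not from the post.
SAMPLE_CONFIG = """\
interface outsideA
nameif outside
security-level 0
ip address 132.1.137.113 255.255.255.0
!
interface insideA
nameif Inside
security-level 100
ip address 204.12.6.13 255.255.255.0
!
access-list OUTSIDE_IN extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
access-group OUTSIDE_IN in interface outside
icmp permit any inside
icmp deny host 132.1.137.99 echo outside
icmp permit 132.1.137.0 255.255.255.0 outside
"""

# ASA keyword names for the icmp_type argument; numeric types are accepted as well.
ICMP_TYPE_NAMES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
                   "redirect": 5, "echo": 8, "time-exceeded": 11}

# icmp {permit|deny} {any | host IP | IP MASK} [icmp_type] if_name
ICMP_RULE_RE = re.compile(
    r"^icmp\s+(permit|deny)\s+(?:(any)|host\s+(\S+)|(\S+)\s+(\S+))"
    r"(?:\s+([a-z0-9-]+))?\s+(\S+)$")


def parse_interfaces(config):
    """Map each nameif (case-folded: the thread mixes 'Inside' and 'inside') to its IPv4 address."""
    interfaces, nameif = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1].casefold()
        elif line.startswith("ip address ") and nameif:
            interfaces[nameif] = ipaddress.ip_address(line.split()[2])
    return interfaces


def parse_icmp_rules(config):
    """Collect the `icmp permit|deny` control-plane rules per interface, in config order."""
    rules = {}
    for line in config.splitlines():
        m = ICMP_RULE_RE.match(line.strip())
        if not m:  # skips "icmp unreachable rate-limit ..." and every access-list line
            continue
        action, any_, host, net, mask, itype, ifname = m.groups()
        if any_:
            network = ipaddress.ip_network("0.0.0.0/0")
        elif host:
            network = ipaddress.ip_network(host + "/32")
        else:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if itype is None:
            icmp_type = None  # rule covers every ICMP type
        else:
            icmp_type = int(itype) if itype.isdigit() else ICMP_TYPE_NAMES[itype]
        rules.setdefault(ifname.casefold(), []).append((action, network, icmp_type))
    return rules


def ping_to_interface(config, ingress_if, src, dst, icmp_type=8):
    """Decide whether the ASA itself answers an ICMP packet (src -> dst) arriving on ingress_if.

    Returns (verdict, reason). Two checks, in the order the thread ran into them:
      1. the ASA only answers for the address of the interface the packet arrived on
         (assumption: no management-access configured);
      2. that interface's icmp control list: permit everything when it has no rules,
         otherwise first match, with an implicit deny at the end.
    Interface ACLs (access-group) are not consulted: they govern through-the-box traffic.
    """
    interfaces = parse_interfaces(config)
    rules = parse_icmp_rules(config)
    ingress = ingress_if.casefold()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    owner = next((name for name, addr in interfaces.items() if addr == dst_ip), None)
    if owner is None:
        return "through-traffic", f"{dst} is not an ASA interface address; the interface ACL decides"
    if owner != ingress:
        return "drop", f"{dst} is the {owner} interface but the packet arrived on {ingress}"
    if_rules = rules.get(ingress, [])
    if not if_rules:
        return "permit", f"no icmp rules on {ingress}; ICMP to the interface is accepted"
    for action, network, itype in if_rules:
        if src_ip in network and itype in (None, icmp_type):
            shown = "any" if itype is None else itype
            return action, f"first match: icmp {action} {network} type={shown} {ingress}"
    return "deny", f"no icmp rule on {ingress} matched; implicit deny"


if __name__ == "__main__":
    # The two pings from the thread: far-side interface (fails) and near-side interface (works).
    print(ping_to_interface(SAMPLE_CONFIG, "outside", "132.1.137.7", "204.12.6.13"))
    print(ping_to_interface(SAMPLE_CONFIG, "outside", "132.1.137.7", "132.1.137.113"))
```

The first call reproduces the thread's failure (dropped because 204.12.6.13 belongs to Inside but the echo arrived on outside, regardless of any `icmp permit ... inside` or `access-group` line), the second reproduces the working ping to the outside address from SW1. Changing the source to 132.1.137.99 shows the deny rule beating the broader permit because it comes first, and a source outside 132.1.137.0/24 falls through to the implicit deny.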



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART