Re: what Am I missing?

From: saheed Balogun (saheedb@gmail.com)
Date: Mon Jun 16 2008 - 23:54:31 ART


you have not added the command:

icmp permit <network> <mask> inside
Just specify your switch network or 'any' network.
This command is different from the access-list command.

On 6/17/08, Dane Newman <dane.newman@gmail.com> wrote:
>
> Rack1ASA2/ContextA(config)# access-group INSIDE_IN in inter inside
>
>
> access-list INSIDE_IN extended permit ip any any
> access-list INSIDE_IN extended permit icmp any any
>
> Rack1SW1#ping 204.12.6.13
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> Rack1SW1#ping 204.12.6.254
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.6.254, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> Rack1SW1#
>
> Still not able to ping ;( but I can still ping beyond the ASA.
>
> On Mon, Jun 16, 2008 at 9:54 PM, saheed Balogun <saheedb@gmail.com>
> wrote:
>
>> Hi Dane,
>>
>> You need this command:
>> icmp permit <network> <mask> inside
>> The PIX/ASA by default would not allow you to ping its interfaces unless
>> you are connected through that interface.
>> R1 ------- inside |*ASA*| outside -------R2
>> R1 can ping inside but would not be able to ping outside by default.
>>
>>
>>
>> On 6/17/08, Dane Newman <dane.newman@gmail.com> wrote:
>>
>>> On Mon, Jun 16, 2008 at 7:21 PM, Dane Newman <dane.newman@gmail.com>
>>> wrote:
>>>
>>> > Sadly I have tried that. I removed all the NAT and verified no nat-control
>>> > was on (it does not show up in the config because it's default) but I
>>> > could not ping ;(
>>> >
>>> >
>>> >
>>> >
>>> > On Mon, Jun 16, 2008 at 1:52 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
>>> > wrote:
>>> >
>>> >> If you remove all the global, nat, and static, and put in a no nat-control
>>> >> (on by default if no nat..etc statements), then you should be able to ping
>>> >> the BB3 router from the SW1 using the OUTSIDE_IN ACL.
>>> >>
>>> >>
>>> >>
>>> >> On Mon, Jun 16, 2008 at 9:50 AM, Dane Newman <dane.newman@gmail.com>
>>> >> wrote:
>>> >>
>>> >>> When I do a capture I get:
>>> >>>
>>> >>>
>>> >>> Rack1ASA2/ContextA(config)# sh cap TEST
>>> >>> 5 packets captured
>>> >>> 1: 23:11:27.681315 132.1.137.7 > 204.12.6.13: icmp: echo request
>>> >>> 2: 23:11:29.681223 132.1.137.7 > 204.12.6.13: icmp: echo request
>>> >>> 3: 23:11:31.681544 132.1.137.7 > 204.12.6.13: icmp: echo request
>>> >>> 4: 23:11:33.682276 132.1.137.7 > 204.12.6.13: icmp: echo request
>>> >>> 5: 23:11:35.682169 132.1.137.7 > 204.12.6.13: icmp: echo request
>>> >>> 5 packets shown
>>> >>>
>>> >>> So they are getting to the interface
>>> >>>
>>> >>> I should see them sending an echo reply if everything was working out
>>> >>> of the capture right?
>>> >>>
>>> >>> BB3 is directly connected to the ASA on vlan 113. I thought I should be
>>> >>> able to ping the BB3 interface that is on vlan 113, whose IP is
>>> >>> 204.12.6.254, but it would not ping. The ASA has a default route to SW1.
>>> >>>
>>> >>> I had to add the following and oddly enough I could then ping
>>> >>> 204.12.6.254
>>> >>>
>>> >>> global (Inside) 1 interface
>>> >>> nat (outside) 1 0.0.0.0 0.0.0.0 outside
>>> >>> static (Inside,outside) 204.12.6.254 204.12.6.254 netmask
>>> >>> 255.255.255.255
>>> >>>
>>> >>>
>>> >>> I then tried to add this but I still could not ping the address:
>>> >>> static (Inside,outside) 204.12.6.13 204.12.6.13 netmask 255.255.255.255
>>> >>>
>>> >>> On Mon, Jun 16, 2008 at 3:13 AM, Hashiru Aminu <hashng@gmail.com>
>>> >>> wrote:
>>> >>>
>>> >>>>
>>> >>>> Hi,
>>> >>>>
>>> >>>> I would advise looking at the logs on the ASA with the "show logging"
>>> >>>> command and seeing if the traffic is coming back from the switch, and
>>> >>>> equally try to enable icmp permit <the IP address of the icmp reply from
>>> >>>> the switch> for the inside interface... I presume from your mail you are
>>> >>>> trying to ping the inside interface. From the log, as long as you have
>>> >>>> all the rules log the traffic, you will surely see what you are missing.
>>> >>>>
>>> >>>> HTH
>>> >>>>
>>> >>>> Hash
>>> >>>>
>>> >>>> -----Original Message-----
>>> >>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> >>>> Luan Nguyen
>>> >>>> Sent: Monday, June 16, 2008 7:38 AM
>>> >>>> To: Dane Newman
>>> >>>> Cc: Cisco certification
>>> >>>> Subject: Re: what Am I missing?
>>> >>>>
>>> >>>> Do you have something behind the ASA to ping to, instead of the
>>> >>>> interface itself?
>>> >>>> Logging console debugging doesn't show anything without logging enable.
>>> >>>> Try to do: packet-tracer input outside icmp 132.1.137.7 8 0 204.12.6.13 detail
>>> >>>> and then packet-tracer input outside icmp 132.1.137.7 8 0 132.1.137.113 detail
>>> >>>> and see what's going on.
>>> >>>> Also turn on debug icmp trace.
>>> >>>> then change back to single mode and do the same thing.
>>> >>>> Maybe you just can't ping the inside interface like that.
>>> >>>>
>>> >>>> -Luan
>>> >>>>
>>> >>>>
>>> >>>> On Sun, Jun 15, 2008 at 4:11 PM, Dane Newman <dane.newman@gmail.com>
>>> >>>> wrote:
>>> >>>>
>>> >>>> > I have ASA2 configured with two contexts. ContextA and B both share
>>> >>>> > the outside interface of ASA2. I made sure to put in the system
>>> >>>> > context mac-address auto command. ASA2 is directly connected to
>>> >>>> > switch1 on fa0/15.
>>> >>>> > I am able to ping the outside interface of contextA from switch 1 but
>>> >>>> > not able to ping the inside interface of contextA as shown in the
>>> >>>> > output below.
>>> >>>> > Could someone suggest what I am missing?
>>> >>>> >
>>> >>>> >
>>> >>>> > Rack1SW1#ping 204.12.6.13
>>> >>>> > Type escape sequence to abort.
>>> >>>> > Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
>>> >>>> > .....
>>> >>>> > Success rate is 0 percent (0/5)
>>> >>>> >
>>> >>>> > Rack1ASA2/ContextA# show run
>>> >>>> > : Saved
>>> >>>> > :
>>> >>>> > ASA Version 7.2(3) <context>
>>> >>>> > !
>>> >>>> > hostname ContextA
>>> >>>> > domain-name internetworkexpert.com
>>> >>>> > enable password 8Ry2YjIyt7RRXU24 encrypted
>>> >>>> > names
>>> >>>> > !
>>> >>>> > interface outsideA
>>> >>>> > nameif outside
>>> >>>> > security-level 0
>>> >>>> > ip address 132.1.137.113 255.255.255.0
>>> >>>> > !
>>> >>>> > interface insideA
>>> >>>> > nameif Inside
>>> >>>> > security-level 100
>>> >>>> > ip address 204.12.6.13 255.255.255.0
>>> >>>> > !
>>> >>>> > passwd 2KFQnbNIdI.2KYOU encrypted
>>> >>>> > dns server-group DefaultDNS
>>> >>>> > domain-name internetworkexpert.com
>>> >>>> > access-list OUTSIDE_IN extended permit icmp any any log
>>> >>>> > access-list OUTSIDE_IN extended permit icmp any any echo
>>> >>>> > access-list OUTSIDE_IN extended permit icmp any any echo-reply
>>> >>>> > access-list OUTSIDE_IN extended permit tcp any any eq bgp
>>> >>>> > access-list OUTSIDE_IN extended permit tcp any eq bgp any
>>> >>>> > logging console debugging
>>> >>>> > mtu outside 1500
>>> >>>> > mtu Inside 1500
>>> >>>> > icmp unreachable rate-limit 1 burst-size 1
>>> >>>> > no asdm history enable
>>> >>>> > arp timeout 14400
>>> >>>> > access-group OUTSIDE_IN in interface outside
>>> >>>> > route outside 0.0.0.0 0.0.0.0 132.1.137.7 1
>>> >>>> > timeout xlate 3:00:00
>>> >>>> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>>> >>>> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
>>> >>>> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
>>> >>>> > timeout uauth 0:05:00 absolute
>>> >>>> > aaa authentication ssh console LOCAL
>>> >>>> > no snmp-server location
>>> >>>> > no snmp-server contact
>>> >>>> > telnet timeout 5
>>> >>>> > ssh 132.1.170.0 255.255.255.0 outside
>>> >>>> > ssh timeout 5
>>> >>>> > !
>>> >>>> > class-map inspection_default
>>> >>>> > match default-inspection-traffic
>>> >>>> > !
>>> >>>> > !
>>> >>>> > policy-map type inspect dns preset_dns_map
>>> >>>> >  parameters
>>> >>>> >   message-length maximum 512
>>> >>>> > policy-map global_policy
>>> >>>> >  class inspection_default
>>> >>>> >   inspect dns preset_dns_map
>>> >>>> >   inspect ftp
>>> >>>> >   inspect h323 h225
>>> >>>> >   inspect h323 ras
>>> >>>> >   inspect netbios
>>> >>>> >   inspect rsh
>>> >>>> >   inspect rtsp
>>> >>>> >   inspect skinny
>>> >>>> >   inspect esmtp
>>> >>>> >   inspect sqlnet
>>> >>>> >   inspect sunrpc
>>> >>>> >   inspect tftp
>>> >>>> >   inspect sip
>>> >>>> >   inspect xdmcp
>>> >>>> >   inspect icmp
>>> >>>> > !
>>> >>>> > service-policy global_policy global
>>> >>>> > username ADMIN password 0Fiyt7Ojpuvbkp7l encrypted
>>> >>>> > Cryptochecksum:4818558e3f200ea02f7b6b397155d9fd
>>> >>>> > : end
>>> >>>> > Rack1ASA2/ContextA#
>>> >>>> >
>>> >>>> >
>>> >>>> > Rack1SW1#show run
>>> >>>> > Building configuration...
>>> >>>> > Current configuration : 3297 bytes
>>> >>>> > !
>>> >>>> > version 12.2
>>> >>>> > no service pad
>>> >>>> > service timestamps debug uptime
>>> >>>> > service timestamps log uptime
>>> >>>> > no service password-encryption
>>> >>>> > !
>>> >>>> > hostname Rack1SW1
>>> >>>> > !
>>> >>>> > enable password cisco
>>> >>>> > !
>>> >>>> > no aaa new-model
>>> >>>> > ip subnet-zero
>>> >>>> > ip routing
>>> >>>> > !
>>> >>>> > no ip domain-lookup
>>> >>>> > !
>>> >>>> > !
>>> >>>> > !
>>> >>>> > no file verify auto
>>> >>>> > spanning-tree mode pvst
>>> >>>> > spanning-tree extend system-id
>>> >>>> > !
>>> >>>> > !
>>> >>>> > !
>>> >>>> > vlan internal allocation policy ascending
>>> >>>> > !
>>> >>>> > !
>>> >>>> > interface Loopback0
>>> >>>> > ip address 150.1.7.7 255.255.255.0
>>> >>>> > !
>>> >>>> > interface FastEthernet0/1
>>> >>>> > switchport access vlan 170
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/2
>>> >>>> > switchport access vlan 29
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/3
>>> >>>> > switchport access vlan 3
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/4
>>> >>>> > switchport access vlan 4
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/5
>>> >>>> > switchport access vlan 115
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/6
>>> >>>> > switchport access vlan 69
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/7
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface FastEthernet0/8
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface FastEthernet0/9
>>> >>>> > switchport access vlan 29
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/10
>>> >>>> > switchport access vlan 170
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/11
>>> >>>> > switchport access vlan 112
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/12
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface FastEthernet0/13
>>> >>>> > switchport access vlan 9
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/14
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface FastEthernet0/15
>>> >>>> > switchport access vlan 133
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/16
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface FastEthernet0/17
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface FastEthernet0/18
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface FastEthernet0/19
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface FastEthernet0/20
>>> >>>> > switchport access vlan 9
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface FastEthernet0/21
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface FastEthernet0/22
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface FastEthernet0/23
>>> >>>> > switchport trunk encapsulation isl
>>> >>>> > switchport mode trunk
>>> >>>> > !
>>> >>>> > interface FastEthernet0/24
>>> >>>> > switchport access vlan 133
>>> >>>> > switchport mode access
>>> >>>> > !
>>> >>>> > interface GigabitEthernet0/1
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface GigabitEthernet0/2
>>> >>>> > switchport mode dynamic desirable
>>> >>>> > !
>>> >>>> > interface Vlan1
>>> >>>> > no ip address
>>> >>>> > shutdown
>>> >>>> > !
>>> >>>> > interface Vlan137
>>> >>>> > ip address 132.1.137.7 255.255.255.0
>>> >>>> > !
>>> >>>> > interface Vlan170
>>> >>>> > ip address 132.1.170.7 255.255.255.0
>>> >>>> > !
>>> >>>> > router ospf 1
>>> >>>> > router-id 150.1.7.7
>>> >>>> > log-adjacency-changes
>>> >>>> > redistribute connected subnets
>>> >>>> > redistribute static subnets
>>> >>>> > network 132.1.137.7 0.0.0.0 area 170
>>> >>>> > network 132.1.170.7 0.0.0.0 area 170
>>> >>>> > network 150.1.7.7 0.0.0.0 area 170
>>> >>>> > !
>>> >>>> > router bgp 100
>>> >>>> > no synchronization
>>> >>>> > bgp router-id 150.1.7.7
>>> >>>> > bgp log-neighbor-changes
>>> >>>> > neighbor 150.1.2.2 remote-as 100
>>> >>>> > neighbor 150.1.2.2 update-source Loopback0
>>> >>>> > neighbor 204.12.6.254 remote-as 54
>>> >>>> > neighbor 204.12.6.254 ebgp-multihop 255
>>> >>>> > no auto-summary
>>> >>>> > !
>>> >>>> > ip classless
>>> >>>> > ip route 132.1.138.0 255.255.255.0 132.1.137.213
>>> >>>> > ip route 204.12.6.0 255.255.255.0 132.1.137.113
>>> >>>> > ip http server
>>> >>>> > ip http secure-server
>>> >>>> > !
>>> >>>> > !
>>> >>>> > !
>>> >>>> > !
>>> >>>> > !
>>> >>>> > control-plane
>>> >>>> > !
>>> >>>> > !
>>> >>>> > line con 0
>>> >>>> > exec-timeout 0 0
>>> >>>> > privilege level 15
>>> >>>> > logging synchronous
>>> >>>> > line vty 0 4
>>> >>>> > password cisco
>>> >>>> > login
>>> >>>> > line vty 5 15
>>> >>>> > password cisco
>>> >>>> > login
>>> >>>> > !
>>> >>>> > !
>>> >>>> > end
>>> >>>> >
>>> >>>> >
>>> >>>> >
>>> >>>> > _______________________________________________________________________
>>> >>>> > Subscription information may be found at:
>>> >>>> > http://www.groupstudy.com/list/CCIELab.html
>>> >>>>
>>> >>>>
>>> >>>>
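An added configuration example, written for this archive page and not taken from any message in the thread, showing the two separate ICMP controls the replies refer to on an ASA 7.2 context: the interface ACL governs ICMP passing through the box, while the per-interface `icmp` command governs echoes addressed to the ASA's own interface IPs. Interface names and addresses are the thread's; the `icmp` lines and the choice of 132.1.137.0/24 as the permitted management network are assumptions made for illustration.

```cisco
! Added example (not from the thread). Interface names and addresses follow
! Dane's ContextA; the 'icmp' statements and the 132.1.137.0/24 network are
! assumptions chosen for illustration.
!
! 1. Transit ICMP (hosts on one side pinging hosts on the other side) is
!    permitted or denied by the ACL applied to the ingress interface.
!    This is what the thread's OUTSIDE_IN ACL already covers.
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
!
! 2. ICMP addressed TO an interface IP is not evaluated against that ACL.
!    It is controlled per interface by the 'icmp' command; with no 'icmp'
!    statements at all the ASA answers echoes on every interface from any
!    host that can reach it. The least-privilege form is to permit only the
!    management network and then deny everything else on that interface.
icmp permit 132.1.137.0 255.255.255.0 outside
icmp deny any outside
icmp permit 132.1.137.0 255.255.255.0 Inside
icmp deny any Inside
!
! 3. Verification, using the command Luan suggests in the thread: trace an
!    echo from SW1 (132.1.137.7) arriving on 'outside' towards each interface
!    address and read which phase drops it.
! packet-tracer input outside icmp 132.1.137.7 8 0 132.1.137.113 detail
! packet-tracer input outside icmp 132.1.137.7 8 0 204.12.6.13 detail
```

Two things to keep in mind when applying this. The `icmp` rules are evaluated in order for the named interface only, so the `icmp permit ... Inside` line covers echoes that arrive on the Inside interface; an echo from SW1 for 204.12.6.13 arrives on `outside`, and the ASA does not answer pings sent to the IP of a far-side interface regardless of the `icmp` rules, which is what Luan's "maybe you just can't ping the inside interface like that" points at. The `packet-tracer` output shows that distinction directly, which makes it a better check than relying on the ping result alone.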



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART