Connectivity trouble with ASA help!

Robbo777 Member Posts: 331
Hi, I'm having trouble getting PCs to communicate in my topology with my ASA in the middle of it. Basically I have an ASA connected to a switch that connects to two PCs, but nothing is pinging; the ASA can ping its own VLAN interfaces, but that's all. The funny thing is that it can ping the edge device, which is the router on 172.16.30.1, AND the router can ping E0/0 at 172.16.30.2 even though E0/0 is on the outside interface, so I have no clue how the router is able to successfully ping it since the ping is coming from the outside interface.

Here is the config for the ASA

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 30
!
interface Ethernet0/2
switchport access vlan 30
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
no nameif
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.30.2 255.255.255.0
!
interface Vlan30
nameif inside
security-level 100
ip address 10.30.0.1 255.255.255.0
!
!
!
access-list VPN standard permit 10.30.0.0 255.255.255.0
!
!
!
!
!
!
class-map inspect
match default-inspection-traffic
!
policy-map global
class inspect
!
service-policy global global
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable
!
!
!
crypto ipsec ikev1 transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map VPN_MAP 1 match address VPN
crypto map VPN_MAP 1 set peer 172.16.31.2
crypto map VPN_MAP 1 set security-association lifetime seconds 8600
crypto map VPN_MAP 1 set ikev1 transform-set VPN
crypto ikev1 policy 1
encr aes
authentication pre-share
group 5
lifetime 8600
!
tunnel-group 172.16.30.2 type ipsec-l2l
tunnel-group 172.16.30.2 ipsec-attributes
ikev1 pre-shared-key cisco
!


Once I get connectivity I plan to set up a VPN, but I'm having trouble trying to grasp how to connect all these VLANs and devices together when the ASA in Packet Tracer doesn't let you run routing protocols or assign addresses to physical interfaces.
Any help would be greatly appreciated.

Thanks!


Update:
I moved one PC to connect directly to the ASA, with the default gateway set to the VLAN 30 address etc., and it worked, but when I moved it back to the switch it failed, so I'm thinking it's something to do with the switch? I have had the link that connects the switch to the ASA as "switchport access vlan 30" and nothing, and also as a trunk with the VLAN allowed over the trunk, but yet again nothing!
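The symptom in the update (works when the PC hangs directly off the ASA, fails through the switch) is a layer-2 problem rather than a firewall-policy one, because an ASA 5505 port configured "switchport access vlan 30" sends that VLAN untagged, and a trunk on the switch side drops untagged frames into its native VLAN. The following is an added example, not the original poster's config or a reply from the thread. It shows the switch-side configuration the thread never posts, plus the gaps visible in the posted ASA config (no default route, a tunnel-group named after the ASA's own address instead of the peer, a crypto map never bound to an interface, IKEv1 never enabled). Switch port numbers, the PC address 10.30.0.10 and the uplink being on ASA Ethernet0/1 are assumptions; the verification commands are real ASA/IOS commands that the Packet Tracer simulator may not all implement.

```cisco
! ===== Switch between the two PCs and the ASA (assumed Catalyst IOS) =====
! The ASA sends VLAN 30 traffic UNTAGGED out Ethernet0/1 ("switchport access
! vlan 30"), so the switch port facing it must be an ACCESS port in the same
! VLAN as the PC ports.  A trunk puts untagged frames into the trunk's native
! VLAN (1 by default), which is why "trunk with VLAN 30 allowed" also fails.
! Port numbers are assumed; the thread never shows the switch config.
vlan 30
 name INSIDE
!
interface range FastEthernet0/1 - 2
 description PC1 / PC2 (default gateway 10.30.0.1)
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
interface FastEthernet0/24
 description uplink to ASA Ethernet0/1
 switchport mode access
 switchport access vlan 30
!
! If the uplink must stay a trunk, the untagged ASA frames need the native
! VLAN to be the PC VLAN instead:
!   switchport mode trunk
!   switchport trunk native vlan 30
!   switchport trunk allowed vlan 30
!
! ===== ASA 5505 side: what the posted config still needs =====
! Default route toward the edge router.  The posted config has none, so the
! inside hosts can reach 172.16.30.0/24 (directly connected) and nothing
! else, including the VPN peer 172.16.31.2.
route outside 0.0.0.0 0.0.0.0 172.16.30.1 1
!
! Site-to-site VPN plumbing.  The posted tunnel-group is named after the
! ASA's OWN outside address (172.16.30.2) while the crypto map peers with
! 172.16.31.2; an ipsec-l2l tunnel-group must be named after the peer.  The
! crypto map is also never bound to an interface and IKEv1 is never enabled.
clear configure tunnel-group 172.16.30.2
tunnel-group 172.16.31.2 type ipsec-l2l
tunnel-group 172.16.31.2 ipsec-attributes
 ikev1 pre-shared-key cisco
crypto map VPN_MAP interface outside
crypto ikev1 enable outside
!
! ===== Verification (real ASA / IOS commands; the Packet Tracer simulator
! ===== may not implement every one of them) =====
! ASA:    show switch vlan             -> Ethernet0/1 listed under VLAN 30 / inside
!         show interface ip brief      -> Vlan30 up/up with 10.30.0.1
!         show arp                     -> PC MACs learned on inside after a ping
!         packet-tracer input inside icmp 10.30.0.10 8 0 172.16.30.1
!                                      -> every phase ALLOW, final result: allow
! Switch: show vlan brief              -> Fa0/1, Fa0/2 and Fa0/24 all in VLAN 30
!         show mac address-table vlan 30 -> the ASA's Vlan30 MAC seen on Fa0/24
```

If "show switch vlan" on the ASA shows Ethernet0/1 in VLAN 30 but "show mac address-table vlan 30" on the switch never learns the ASA's MAC, the two ends of the uplink are in different VLANs (or one side is tagging), and nothing in the ASA's policy configuration will change that.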

Comments

  • Simrid Member Posts: 327
    By default the ASA does not have ICMP inspection turned on. This needs to be enabled in order for pings to be sent between the interfaces. This should fix your issue. Remember that traffic can only be sent from a high security level to a lower security level.

    I'm not 100% sure with this but the physical interfaces may need a nameif and security-level applied.
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • Robbo777 Member Posts: 331
    Simrid wrote:
    By default the ASA does not have ICMP inspection turned on. This needs to be enabled in order for pings to be sent between the interfaces. This should fix your issue. Remember that traffic can only be sent from a high security level to a lower security level.

    I'm not 100% sure with this but the physical interfaces may need a nameif and security-level applied.


    Hi, thanks for the reply. I named the physical ones but still nothing; it didn't even show up in the config, just the same as above ^^^
    Regarding the ICMP, I'm aware of this and have created a global policy anyway that includes ICMP; it is an option in Packet Tracer itself to have all of them inspected. Here is the list:

    default-inspection-traffic  Match default inspection traffic:
      ctiqbe       tcp 2748
      dns          udp 53
      ftp          tcp 21
      gtp          udp 2123,3386
      h323-h225    tcp 1720
      h323-ras     udp 1718-1719
      http         tcp 80
      icmp         icmp
      ils          tcp 389
      ip-options   rsvp
      mgcp         udp 2427,2727
      netbios      udp 137-138
      radius-acct  udp 1646
      rpc          udp 111
      rsh          tcp 514
      rtsp         tcp 554
      sip          tcp 5060
      sip          udp 5060
      skinny       tcp 2000
      smtp         tcp 25
      sqlnet       tcp 1521
      tftp         udp 69
      waas         tcp 1-65535
      xdmcp        udp 177

    I have called the class map "inspect" and linked it to a policy map called global and made a global service policy for it, so ICMP shouldn't affect it either. I have no idea what is causing this haha.
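Simrid's point about ICMP inspection and security levels, and the original poster's reply that the class-map/policy-map/service-policy chain is already in place, both turn on what the posted policy actually does. The added example below is editor-written, not configuration from either participant. It puts the posted policy next to a version with inspections attached (the posted "class inspect" block has no "inspect" lines under it, so it inspects nothing), separates through-the-box traffic from pings aimed at the ASA itself, and shows the ACL needed before a lower-security interface can initiate traffic to a higher one. The "icmp" rules and the outside_in ACL are optional additions assumed for illustration, not something the thread asked for.

```cisco
! ===== Posted policy, as it appears in the running config =====
! The class matches the default-inspection ports, but nothing is listed
! under it, so the service policy inspects no protocol at all.
class-map inspect
 match default-inspection-traffic
policy-map global
 class inspect
service-policy global global
!
! ===== Same policy with the inspections actually attached =====
! Inspection governs THROUGH traffic only (PC on inside -> router on
! outside).  With "inspect icmp" the ASA records each echo request and lets
! only the matching echo-reply back in from the lower-security side;
! without it the reply has no connection to match and is dropped.
policy-map global
 class inspect
  inspect icmp
  inspect icmp error
  inspect dns
  inspect ftp
  inspect tftp
!
! ===== Pings aimed AT the ASA take a different path =====
! ICMP terminating on an interface is "to-the-box" traffic: security
! levels, interface ACLs and the inspection policy do not apply to it, and
! it is permitted by default on every interface from hosts reached through
! that interface.  That is why the edge router can ping 172.16.30.2 from the
! outside while nothing crosses the box, and why a PC that cannot ping
! 10.30.0.1 from VLAN 30 has a layer-2 problem, not a policy problem.
! Optional tightening (assumed, not in the posted config): keep echo-reply
! open so the ASA's own pings out of the outside interface still get answers.
icmp permit 10.30.0.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp deny any outside
!
! ===== Lower -> higher security is denied unless an ACL allows it =====
! Only needed if the edge router should be able to ping the inside PCs.
! Without it, outside-initiated echo requests are dropped, while
! inside-initiated ones and their replies still pass via inspection.
access-list outside_in extended permit icmp host 172.16.30.1 10.30.0.0 255.255.255.0 echo
access-group outside_in in interface outside
```

Note that adding "icmp deny any outside" removes the one symptom the original poster could observe from the router (its ping to 172.16.30.2), so apply it only after through-traffic is confirmed working; "packet-tracer input inside icmp 10.30.0.10 8 0 172.16.30.1" on a real ASA shows whether the inspection phase now allows the flow.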