Cisco Firewall :: Can Ping ASA5520 Outside Interface But Cannot Connect To Other
Nov 5, 2012
So I have a client with an ASA 5520 running version 9.0 (was on 8.4) that I am trying to get either IPSec or SSL VPN configured on. I got everything setup and tried to connect. However, I couldn't connect to either. I fired up the real time monitoring and didn't see any syslog messages referring to a VPN build up. I also enabled SSH/Telnet on the outside interface and cannot connect to the ASA outside interface. I can ping the outside interface and can ping the internet from the ASA. I did set up a test ACL on the ASA and ran packet tracer on it and the results came back fine.
There is an IPS in the ASA as well, but I disabled the ACL for that and still am having these issues. Part of me wonders if the ISP has something set up to block inbound traffic. This should be a business class connection.
View 5 Replies
ADVERTISEMENT
Mar 7, 2011
I am trying to introduce an ASA5520 to my network based on the following diagram: ISP Internet ------> ASA5520 ------- > Cisco Router ------> LAN. The problem is I cannot ping the ASA from the LAN. I can ping it from inside the router. I already allow ICMP within ASA. If i remove the cisco router and replace it by a swich, I can ping the ASA with NO problem.
View 5 Replies
View Related
May 22, 2013
I have Cisco ASA5520 with a 8.4 code in GNS3. I have a problem pinging to the internet. On the ASA console, I can ping to outside world, but on vpc I cannot ping the outside world. But I can ping the ASA Inside interface and other VLANs, no problem. [code]
View 3 Replies
View Related
Aug 22, 2012
I have a ASA5520 with 4 Port channel interfaces and ASA Version 8.4.(2). There are many vlan interfaces but in the DMZ I have one Server who has a Static NAT to all other interfaces.
Why the first ping works and the others doesn´t work?
View 12 Replies
View Related
Jan 22, 2012
I have newly deployed network. I have two ASA5520-AIP20-k9. both connected to ISP and configured as Active/standby failover. the ASAs were working fine at first but later on, the internet connection becomes very slow. the ping reply i am getting from my next hop(ISP router) varies during the peak hour is some times in 2000 msec or above but during off hours, the ping reply time is 1 and 2 msec. when I directly connect my laptop to the link that comes from the ISP its ping reply is 1msec and 2msec. I thought the ping reply of the ASA5520 to the ISP gateway should be constant and should be 1 and 2 msec regardsless of the traffic passing through the firewall.
View 1 Replies
View Related
Oct 16, 2011
i have a Cisco ASA 5520 8.4(1) with a ASA 5520 VPN Plus license
i want to use the management interface as a regular interface (using the no management-only command)is this interface a Gig interface as well ?
View 1 Replies
View Related
Aug 8, 2012
We have an ASA 5520, working fine.One of the interfaces is connected to users PCs and printers mainly. Last months the number of devices has grown rapidly, and we would like to make some changes in it in order for it to be able to host new devices.We thought on change subnet mask of actual subnet (10.0.2.0/24) to 10.0.2.0/23, so it can hold as many devices.I understand I have to make some changes in the ASA, but my question is:What will happend to the acces rules I have created?Will I need to create them again? There are some objects which carry information about subnet mask, so I suppose I will need to redefine them, but for those without any subnet mask information, will I have to redefine them?
View 2 Replies
View Related
May 29, 2011
Recently, I deployed ASA 5520 as our company firewall, everything was working fine except two main problem I still can not resolve them after I did a lot of research.
1. DNS rewriting - The internal user can not access the DMZ or internal server by put in the domain or external ip address. such as [URL] will resolve our wan ip address 210.0.0.83 ( internal ip address is 192.168.1.21 ).I used static (inside,Outside) tcp 210.0.0.83 https 192.168.1.21 https netmask 255.255.255.255 dns, but it will not work. We have our internal DNS server, but don't want to just add the domain as a record. Is there anyway to get the internal user to access Internal server and DMZ server through the public domain?
2. We also have an internal multiple subnet, another router was conneting to ASA firewall inside interface and using ip address 192.168.1.223, another subnet 10.1.15.16/28 is behind the this router, for the users in subnet 192.168.1.0/24, they connect firewall inside interface directly.I added an static route and intra-interface permit route inside 10.1.15.16 255.255.255.240 192.168.1.223 1same-security-traffic permit intra-interface I also added access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.15.16 255.255.255.240access-list inside_nat0_outbound extended permit ip 10.1.15.16 255.255.255.240 192.168.1.0 255.255.255.0nat (inside) 0 access-list inside_nat0_outbound The internal users on 192.168.1.0/24 can ping 10.1.15.18 but can not telnet to 10.1.15.18 22. If I set 192.168.1.223 as one of the workstation on 192.168.1.0/24 default gateway, it can telnet to 10.1.15.18 22 without any problem.
View 2 Replies
View Related
Apr 17, 2012
We have an ASA5520 running ver 7.0(8), nat-control is disabled. On the "outside" interface we have a closed network which is publicly addressed i.e. no access to Internet. We also have two Vlan interfaces on a trunk connection i.e. "inside" interface (Vlan7) and "dmz" interface (Vlan802). Traffic from the "outside" to "inside" is statically NAT'd such that the public IP is translated to a private IP when accessing the "inside" interface. However, our OSS servers on the "dmz" interface need to be able to receive packets from the public IP addresses on the "outside" . All is okay with the outside to inside traffic and traffic initiated from the OSS servers on the "dmz" to the outside works okay (snmp gets etc) i.e. the servers receive reply packets from the public addresses of the outside devices.
However, traffic that originates on the "outside" interface (snmp traps etc) which is destined for the "dmz" is actually being routed to the "inside" interface and therefore the public source address is being NAT'd by the static NAT command. The access-list "in_on_outside" has relevant entries to allow connectivity from outside to dmz, we have tried a static nat command (outside, dmz) to maintain the public addressing but this made no difference and also a nat exempt. With ########nat-control disabled - do I still need a translation or NAT exempt for the "outside" <> "dmz" traffic flow, if so how should this look ?
View 11 Replies
View Related
Jul 14, 2011
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies
View Related
Feb 3, 2013
I cannot seem to ping from the outside of my 5520 firewall to an inside network. I have a single physical outside interface connected to a Layer 2 switch, with a laptop connected to it. This is on network 10.11.131.0/28. From there, I cannot ping to the inside interface (which is a sub interface on G0/0) with network 10.11.130.0/24/ For some reason, it doesnt work.
Now. I had access-lists in place, but have removed them for testing and it still doesnt work. I have set the security level of inside and outside to 100, and entered the same-security-traffic permit inter-interface command - still no joy. Below is the relevant configuration.
Inside Interface
interface GigabitEthernet0/0.96
description L3 Interface - Informational Zone
vlan 96
[Code].....
View 4 Replies
View Related
Nov 14, 2011
I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network I have looked for ASA documentation through the internet and still got nothing.
the config are:
: Saved
:
ASA Version 8.2(1)
!
[Code].....
View 2 Replies
View Related
May 10, 2011
I have a new ASA 5505 and all is working fine, I can CLI and ASDM into it, but just can't ping the inside interface, do I need to enable a feature to make this work somehow?
View 1 Replies
View Related
Aug 4, 2011
I'm currently configuring an ASA5510.I connected a laptop (IP 192.168.96.18/255.255.255.0) to port 0/2 and tried to ping 192.168.100.2 ... impossible to ping outside interface.I resetted the config of the ASA to retest more simple. [code]
View 1 Replies
View Related
Apr 13, 2013
I ran into a very strange icmp ping issue. The network has been working fine other than the issue listed below, L2L VPN works fine and all three data centers can access each other via L2L VPN.I have three ASA5510. [code]
View 5 Replies
View Related
Dec 12, 2011
I have an ASA 5505 that I'm trying to set up a guest network on. I've configured an interface as a trunk and allowed the 2 vlans but I'm not getting any layer 3 to it. The switch connected to it is a 3560 and port is configured as a trunk with the same vlans.
I can't ping the ASA inside interface but I see its MAC address in the swtich's table.
[code]....
View 4 Replies
View Related
Apr 4, 2012
The ASA is configured in very simple transparent mode. As desired, traffic can flow in each direction between inside and outside. I can manage the ASA via console and direct connection to the management interface. The problem is that I cannot ping or ssh to the ASA via the inside interface. I need to be able to manage the ASA from any PC on the inside LAN. I suspect I am missing some easy aspect of the configuration but after a lot of hours I'm about at the end of my patience with it. Here is what I believe to be the relevant parts of the config.
ASA Version 8.2(1)
!
firewall transparent
hostname issr1
enable password 2alej83t5cqT0FWd encrypted
passwd 4kleUY438I93.4ljdh encrypted
names
[code]....
View 4 Replies
View Related
Nov 27, 2012
One of my client has BSNL leased line with LAN IP POOL we configured those on ASA 5510 nad Internet working fine but from cloud we are not getting any response for ping requiest please find running configuration below:
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(1)
[Code]....
View 4 Replies
View Related
May 3, 2012
one of my SNMP server 10.242.103.42 sits in MZ zone,and ACE 4710 is connected to core switch,coreswitch is connected to firewall asa.
Now iam trying to ping from MZ zone SNMP server to loadbalancer ip 10.242.105.1,iam unable to ping my LB interface to discover SLB on my SNMP server.
View 1 Replies
View Related
Sep 23, 2012
I have a problem with ASDM connection to ASA 5520 cluster. When I'm trying to connect the ASDM shows: "Contacting the device. Please wait..." and nothing happen. The http server is enabled with default port. Both cluster members after restart.
Cisco Adaptive Security Appliance Software Version 8.4(1) Device Manager Version 6.4(1)
View 7 Replies
View Related
Jul 26, 2011
I am having a problem configuring my ASA 5505 for NAT.
View 3 Replies
View Related
Jul 26, 2011
I am unable to ping inside interface (Rin) to outside interface (Rout) of my Cisco ASA 5520 runing on ASA Version 8.4(1).
ASA Version 8.4(1)
!
hostname FW5520
[Code].....
View 10 Replies
View Related
Feb 3, 2012
When I tried to upgrading PIX525 6.3 to 7.0 , Not able to Ping the host from the PIX 525 Inside interface which is on the same subnet, Also from the host to Inside Interface , Tried with Directly connected laptop with Cross cable and using Straight cable via switch, But the results end with fail.
View 2 Replies
View Related
Aug 12, 2012
I have a question about my ASA 5520, it worked well till two weeks ago, and suddenly cannot be accessed by SSH/Telnet/TFTP....only can use the Consoel port to access it now, but other VPN/ACL setting working well. [code] If I enabled the outside access for SSH like below, it works well for outside port.ssh 0.0.0.0 0.0.0.0 outside.
View 3 Replies
View Related
Sep 13, 2012
I am trying to access and ping the inside interface of a ASA5505 from a remote network. From the remote network, I am able to access anything on the local network, but the ASA5505 inside interface.The 2 networks linked by a fiber link which have a transport network on another interface. From the remote network, I am able to ping the transport network interface IP, but I would like to be able to ping the inside interface IP. When I do a packet tracer, I get a deny from an implicit rule.How can I achieve that?
Here are the subnets involved and the ASA5505 config.
Remote network : 10.10.2.0/24
Local network : 10.10.1.0/24
Transport network : 10.10.99.0/24
[code]....
View 1 Replies
View Related
May 31, 2011
Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.
View 1 Replies
View Related
Jan 29, 2013
I have a ASA 5520 which is intended to use as a VPN for clients using PDA, I think the PDA is a very old product that the VPN only support CHAP/ MS- CHAP, but seems it cannot connect the VPN, it will prompt "invalid username and password" (but in fact the username and password is valid when using PAP), below is the log i captured from the ASDM when the PDA is connecting the VPN. when i tried to connect it in windows PC, I also have the same issue if the VPN setting is using MS-CHAP, if I choose PAP, it can connect with no problem. But the PDA has no option of PAP. [code]
View 0 Replies
View Related
Mar 31, 2012
I have a new 3560G to set up a small network for a remote site. I configured the vlan and an SVI as the gateway. The switch is also the DHCP server for the LAN. I configured Gi0/2 as L3 port, connecting to the nearest neighbor. My network runs EIGRP so i advertised the routes into the EIGRP process. The switch forms EIGRP neighbors and learns all routes in the enterprise network. The problems I'm having now are: 1. The switch learns all routes in my enterprise LAN and can ping devices in the enterprise LAN, but I can’t ping any interface on the switch from the enterprise LAN. 2.
View 5 Replies
View Related
May 1, 2012
I have a Cisco ASA 5505 and I have my internal and external interfaces configured but I currently cannot ping from the inside to an IP Address on the outside. I had this setup and working and I have another set of equirement that I am replacing that is working with my service provider so I know it is a configuration issue. When I ping 4.2.2.2 for example I get:
Destination host unreachable
Do I need to add a static route from my inside interface to my outside interfaces?
: Saved
:
ASA Version 8.2(5)
!
hostname pxasa
[Code].....
View 2 Replies
View Related
Sep 14, 2012
I have created an IPSEC VPN tunnel using a Cisco ASA5520 (corporate) to a Cisco SRP541W (remote). The corporate subnet is 10.1.0.0/16, and the remote subnet is 192.168.1.0/24. From the remote subnet, I can ping anything on the 10.1.0.0 corporate network, but I cannot ping from the corporate network to the remote subnet. At first I thought this was something obvious, perhaps an incorrect acl or something easy on the corporate firewall. However, we have several other vpn tunnels established, all set up the same, and they work just fine. After looking at it a bit more closely, if I ping the remote subnet I see the hit counter increment by one each time, which leads me to believe that traffic is in fact being routed properly.Now I'm thinking that something in the remote SRP541W that is not allowing icmp traffic, but I can't find it anywhere. To be honest I have never used this type of firewall before, they have all been Cisco PIX501/506e and ASA5500 models.
View 2 Replies
View Related
Aug 29, 2012
I am currently working with a vendor to get my ASA5520 setup to handle IPsec VPN connections for my clients and we are stumped with how to get the outside interface to respond to connections/requests.
I work for a state agency and our network connectivity is provided to us by another agency/department. The firewall I want to use for VPN connectivity has an outside address of 10.0.8.162 which is not routable outside the state's network. I have been assigned a set of public IP addresses for servers in my DMZ and I am wondering if it is possible to configure the ASA to utilize one of those public IP addresses for VPN communication. My DMZ network is setup as a local 192.168.10.0 network and the ASA is performing NAT translations to the corresponding public IP addresses.
Putting in a NAT rule to translate one of the public IP addresses to the 10.0.8.162 outside interface, but I wasn't sure if that would work.
View 1 Replies
View Related
Sep 13, 2011
I configured ASA5520 and RV042 for site-to-site IPSec VPN tunnel.Tunnel get connected, but no ping, no traffic between both end network.
Network:
=======
192.168.113.0/24----------192.168.113.6 -ASA--------public, static IP address------Cisco 2821--------Internet
192.168.10.0/24-----------192.168.10.1 -RV042-----public, static IP address------Cisco 2821--------Internet
ASA5520 config:
----------------------
name 192.168.10.0 VPN
!
interface GigabitEthernet0/1
nameif NET
security-level 100
ip address 192.168.113.6 255.255.255.0
[code]....
View 5 Replies
View Related
Feb 15, 2012
configuration of NAT on an ASA 5520. On the ASA I have 1 x WAN connection and 1 x Internet Connection as well as the Inside and DMZ. I want to translate traffic from certain subnets on the inside (say 10.1.2.0 255.255.255.0) to an outside address (say 1.2.3.0 255.255.255.0). I'm assuming the ASA using the number after the brackets to distinguish what to translate? So if I had another entry with a '2' after the brackets, any of the '1' entries wouldn't translate to this? I have access-lits inbound on the INSIDE interface, I'm assuming these are applied before any NAT and only items allowed through the access-list are allowed to NAT?
I also have an address I would like to statically NAT with a certain port number, how do I do this? After I've configured this, what are the commands to apply NAT on the interface?
View 9 Replies
View Related
