Re: what Am I missing?

From: Dane Newman (dane.newman@gmail.com)
Date: Mon Jun 16 2008 - 10:50:02 ART


When I do a capture I get

Rack1ASA2/ContextA(config)# sh cap TEST
5 packets captured
  1: 23:11:27.681315 132.1.137.7 > 204.12.6.13: icmp: echo request
  2: 23:11:29.681223 132.1.137.7 > 204.12.6.13: icmp: echo request
  3: 23:11:31.681544 132.1.137.7 > 204.12.6.13: icmp: echo request
  4: 23:11:33.682276 132.1.137.7 > 204.12.6.13: icmp: echo request
  5: 23:11:35.682169 132.1.137.7 > 204.12.6.13: icmp: echo request
5 packets shown

So they are getting to the interface

I should see them sending an echo reply in the capture if everything was
working, right?

BB3 is directly connected to the ASA on vlan 113. I thought I
should be able to ping the BB3 interface that is on vlan 113, whose IP
is 204.12.6.254, but it would not ping. The ASA has a default route to
SW1.

I had to add the following and oddly enough I could then ping 204.12.6.254

global (Inside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside
static (Inside,outside) 204.12.6.254 204.12.6.254 netmask 255.255.255.255

I then tried to add this, but I still could not ping the address:
static (Inside,outside) 204.12.6.13 204.12.6.13 netmask 255.255.255.255

On Mon, Jun 16, 2008 at 3:13 AM, Hashiru Aminu <hashng@gmail.com> wrote:

>
> Hi,
>
> I would advise looking at the logs on the ASA with the "show logging" command
> and seeing if the traffic is coming back from the switch, and equally try to
> enable icmp permit <the IP address of the icmp reply from the switch> for
> the inside interface... I presume you are trying to ping the inside
> interface from your mail. From the log, as long as you have all the rules
> logging the traffic, you will surely see what you are missing.
>
> HTH
>
> Hash
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Luan Nguyen
> Sent: Monday, June 16, 2008 7:38 AM
> To: Dane Newman
> Cc: Cisco certification
> Subject: Re: what Am I missing?
>
> Do you have something behind the ASA to ping to, instead of the interface
> itself?
> Logging console debugging doesn't show anything without logging enable.
> Try to do: packet-tracer input outside icmp 132.1.137.7 8 0 204.12.6.13 detail
> and then packet-tracer input outside icmp 132.1.137.7 8 0 132.1.137.113 detail
> and see what's going on.
> Also turn on debug icmp trace.
> Then change back to single mode and do the same thing.
> Maybe you just can't ping the inside interface like that.
>
> -Luan
>
>
> On Sun, Jun 15, 2008 at 4:11 PM, Dane Newman <dane.newman@gmail.com>
> wrote:
>
> > I have ASA2 configured with two contexts. ContextA and B both share
> > the outside interface of ASA2. I made sure to put in the system
> > context mac-address auto command. ASA2 is directly connected to switch1
> > on fa0/15.
> > I am able to ping the outside interface of contextA from switch 1 but
> > not able to ping the inside interface of contextA as shown in the output
> > below.
> > Could someone suggest what I am missing?
> >
> >
> > Rack1SW1#ping 204.12.6.13
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 204.12.6.13, timeout is 2 seconds:
> > .....
> > Success rate is 0 percent (0/5)
> >
> > Rack1ASA2/ContextA# show run
> > : Saved
> > :
> > ASA Version 7.2(3) <context>
> > !
> > hostname ContextA
> > domain-name internetworkexpert.com
> > enable password 8Ry2YjIyt7RRXU24 encrypted
> > names
> > !
> > interface outsideA
> > nameif outside
> > security-level 0
> > ip address 132.1.137.113 255.255.255.0
> > !
> > interface insideA
> > nameif Inside
> > security-level 100
> > ip address 204.12.6.13 255.255.255.0
> > !
> > passwd 2KFQnbNIdI.2KYOU encrypted
> > dns server-group DefaultDNS
> > domain-name internetworkexpert.com
> > access-list OUTSIDE_IN extended permit icmp any any log
> > access-list OUTSIDE_IN extended permit icmp any any echo
> > access-list OUTSIDE_IN extended permit icmp any any echo-reply
> > access-list OUTSIDE_IN extended permit tcp any any eq bgp
> > access-list OUTSIDE_IN extended permit tcp any eq bgp any
> > logging console debugging
> > mtu outside 1500
> > mtu Inside 1500
> > icmp unreachable rate-limit 1 burst-size 1
> > no asdm history enable
> > arp timeout 14400
> > access-group OUTSIDE_IN in interface outside
> > route outside 0.0.0.0 0.0.0.0 132.1.137.7 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa authentication ssh console LOCAL
> > no snmp-server location
> > no snmp-server contact
> > telnet timeout 5
> > ssh 132.1.170.0 255.255.255.0 outside
> > ssh timeout 5
> > !
> > class-map inspection_default
> > match default-inspection-traffic
> > !
> > !
> > policy-map type inspect dns preset_dns_map
> > parameters
> > message-length maximum 512
> > policy-map global_policy
> > class inspection_default
> > inspect dns preset_dns_map
> > inspect ftp
> > inspect h323 h225
> > inspect h323 ras
> > inspect netbios
> > inspect rsh
> > inspect rtsp
> > inspect skinny
> > inspect esmtp
> > inspect sqlnet
> > inspect sunrpc
> > inspect tftp
> > inspect sip
> > inspect xdmcp
> > inspect icmp
> > !
> > service-policy global_policy global
> > username ADMIN password 0Fiyt7Ojpuvbkp7l encrypted
> > Cryptochecksum:4818558e3f200ea02f7b6b397155d9fd
> > : end
> > Rack1ASA2/ContextA#
> >
> >
> > Rack1SW1#show run
> > Building configuration...
> > Current configuration : 3297 bytes
> > !
> > version 12.2
> > no service pad
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname Rack1SW1
> > !
> > enable password cisco
> > !
> > no aaa new-model
> > ip subnet-zero
> > ip routing
> > !
> > no ip domain-lookup
> > !
> > !
> > !
> > no file verify auto
> > spanning-tree mode pvst
> > spanning-tree extend system-id
> > !
> > !
> > !
> > vlan internal allocation policy ascending
> > !
> > !
> > interface Loopback0
> > ip address 150.1.7.7 255.255.255.0
> > !
> > interface FastEthernet0/1
> > switchport access vlan 170
> > switchport mode access
> > !
> > interface FastEthernet0/2
> > switchport access vlan 29
> > switchport mode access
> > !
> > interface FastEthernet0/3
> > switchport access vlan 3
> > switchport mode access
> > !
> > interface FastEthernet0/4
> > switchport access vlan 4
> > switchport mode access
> > !
> > interface FastEthernet0/5
> > switchport access vlan 115
> > switchport mode access
> > !
> > interface FastEthernet0/6
> > switchport access vlan 69
> > switchport mode access
> > !
> > interface FastEthernet0/7
> > switchport mode dynamic desirable
> > !
> > interface FastEthernet0/8
> > switchport mode dynamic desirable
> > !
> > interface FastEthernet0/9
> > switchport access vlan 29
> > switchport mode access
> > !
> > interface FastEthernet0/10
> > switchport access vlan 170
> > switchport mode access
> > !
> > interface FastEthernet0/11
> > switchport access vlan 112
> > switchport mode access
> > !
> > interface FastEthernet0/12
> > switchport mode dynamic desirable
> > !
> > interface FastEthernet0/13
> > switchport access vlan 9
> > switchport mode access
> > !
> > interface FastEthernet0/14
> > switchport mode dynamic desirable
> > !
> > interface FastEthernet0/15
> > switchport access vlan 133
> > switchport mode access
> > !
> > interface FastEthernet0/16
> > switchport mode dynamic desirable
> > !
> > interface FastEthernet0/17
> > switchport mode dynamic desirable
> > !
> > interface FastEthernet0/18
> > switchport mode dynamic desirable
> > !
> > interface FastEthernet0/19
> > switchport mode dynamic desirable
> > !
> > interface FastEthernet0/20
> > switchport access vlan 9
> > switchport mode access
> > !
> > interface FastEthernet0/21
> > switchport mode dynamic desirable
> > !
> > interface FastEthernet0/22
> > switchport mode dynamic desirable
> > !
> > interface FastEthernet0/23
> > switchport trunk encapsulation isl
> > switchport mode trunk
> > !
> > interface FastEthernet0/24
> > switchport access vlan 133
> > switchport mode access
> > !
> > interface GigabitEthernet0/1
> > switchport mode dynamic desirable
> > !
> > interface GigabitEthernet0/2
> > switchport mode dynamic desirable
> > !
> > interface Vlan1
> > no ip address
> > shutdown
> > !
> > interface Vlan137
> > ip address 132.1.137.7 255.255.255.0
> > !
> > interface Vlan170
> > ip address 132.1.170.7 255.255.255.0
> > !
> > router ospf 1
> > router-id 150.1.7.7
> > log-adjacency-changes
> > redistribute connected subnets
> > redistribute static subnets
> > network 132.1.137.7 0.0.0.0 area 170
> > network 132.1.170.7 0.0.0.0 area 170
> > network 150.1.7.7 0.0.0.0 area 170
> > !
> > router bgp 100
> > no synchronization
> > bgp router-id 150.1.7.7
> > bgp log-neighbor-changes
> > neighbor 150.1.2.2 remote-as 100
> > neighbor 150.1.2.2 update-source Loopback0
> > neighbor 204.12.6.254 remote-as 54
> > neighbor 204.12.6.254 ebgp-multihop 255
> > no auto-summary
> > !
> > ip classless
> > ip route 132.1.138.0 255.255.255.0 132.1.137.213
> > ip route 204.12.6.0 255.255.255.0 132.1.137.113
> > ip http server
> > ip http secure-server
> > !
> > !
> > !
> > !
> > !
> > control-plane
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > privilege level 15
> > logging synchronous
> > line vty 0 4
> > password cisco
> > login
> > line vty 5 15
> > password cisco
> > login
> > !
> > !
> > end
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
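The diagnosis Dane is making from "show capture TEST" above (requests arrive at the interface, no echo reply ever appears) is the kind of thing worth automating when a capture runs to hundreds of lines. The script below is an added example written for this page; it is not from anyone in the thread and not an ASA or Cisco tool. It parses the one-line ICMP echo format that "show capture" prints, pairs each echo request with a later echo reply going the opposite way, and reports the destinations that never answered. The sample capture embeds the five requests from the post; packets 6 and 7 (an exchange with the outside interface address) are constructed so the pairing logic has one completed exchange to show against the five unanswered ones.

```python
import re
from collections import defaultdict

# Constructed sample in the format the ASA prints for "show capture <name>":
# packets 1-5 are the echo requests from the post; packets 6 and 7 are an
# invented request/reply pair so that the pairing logic has a completed
# exchange to compare against.
SAMPLE_CAPTURE = """\
7 packets captured
   1: 23:11:27.681315 132.1.137.7 > 204.12.6.13: icmp: echo request
   2: 23:11:29.681223 132.1.137.7 > 204.12.6.13: icmp: echo request
   3: 23:11:31.681544 132.1.137.7 > 204.12.6.13: icmp: echo request
   4: 23:11:33.682276 132.1.137.7 > 204.12.6.13: icmp: echo request
   5: 23:11:35.682169 132.1.137.7 > 204.12.6.13: icmp: echo request
   6: 23:11:40.100000 132.1.137.7 > 132.1.137.113: icmp: echo request
   7: 23:11:40.100512 132.1.137.113 > 132.1.137.7: icmp: echo reply
7 packets shown
"""

# One capture line: "<n>: <hh:mm:ss.usec> <src> > <dst>: icmp: echo request|reply"
ECHO_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\b"
)


def parse_capture(text):
    """Extract the ICMP echo lines from 'show capture' output.

    Lines that do not match (the 'N packets captured/shown' banners,
    non-echo traffic) are skipped rather than treated as errors.
    """
    packets = []
    for line in text.splitlines():
        m = ECHO_RE.match(line)
        if m:
            packets.append({
                "num": int(m.group("num")),
                "time": m.group("time"),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "kind": m.group("kind"),
            })
    return packets


def match_echoes(packets):
    """Pair each echo request with the first later echo reply that travels
    dst -> src. Returns (answered, unanswered): answered is a list of
    (request, reply) tuples, unanswered a list of request packets.
    """
    pending = defaultdict(list)   # (src, dst) -> requests still awaiting a reply
    answered = []
    for p in packets:             # capture order is chronological
        if p["kind"] == "request":
            pending[(p["src"], p["dst"])].append(p)
        else:
            key = (p["dst"], p["src"])   # a reply reverses the addresses
            if pending[key]:
                answered.append((pending[key].pop(0), p))
    unanswered = sorted((r for reqs in pending.values() for r in reqs),
                        key=lambda p: p["num"])
    return answered, unanswered


def unanswered_by_destination(text):
    """Summarise a capture: how many requests got a reply, and for each
    destination that never answered, how many requests were seen.
    """
    answered, unanswered = match_echoes(parse_capture(text))
    counts = defaultdict(int)
    for p in unanswered:
        counts[p["dst"]] += 1
    return {"answered": len(answered), "unanswered": dict(counts)}


if __name__ == "__main__":
    summary = unanswered_by_destination(SAMPLE_CAPTURE)
    print(f"{summary['answered']} exchange(s) completed")
    for dst, n in summary["unanswered"].items():
        print(f"{n} echo request(s) to {dst} with no reply in the capture")
```

Run against the sample it reports one completed exchange (to 132.1.137.113) and five requests to 204.12.6.13 with no reply. That only narrows the problem to the ASA, since a capture on one interface shows what arrived there and what left there, not why a reply was never generated; the next step, as Luan suggests upthread, is packet-tracer with the same source and destination plus debug icmp trace.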



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART