Re: ASA 5505 network behind an access point from Carlos G Mendioroz on 2012-07-17 (Ccielab archives 07/2012)

From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
Date: Tue, 17 Jul 2012 07:36:25 -0300

Please add a route *to the host* (i.e. the linux) so you can take the
ASA out of the question...

Tony Singh @ 17/07/2012 07:32 -0300 dixit:
>
>
> hi carlos
>
> yes sorry should have mentioned from asa - first time playing with these...
>
> from linux host (192.168.1.6)
>
> root_at_dm8000:~# ping 10.0.0.2
> PING 10.0.0.2 (10.0.0.2): 56 data bytes
>
> not getting anything back
>
> but ASA looks like it's passing the icmp on
>
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=38400 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=38656 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=38912 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=39168 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=39424 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=39680 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=39936 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=40192 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=40448 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=40704 len=56
> ICMP echo request from inside:192.168.1.6 to inside:10.0.0.2 ID=57673
> seq=40960 len=56
>
>
>
>
>
>
> On 17 July 2012 10:56, Carlos G Mendioroz <tron_at_huapi.ba.ar
> <mailto:tron_at_huapi.ba.ar>> wrote:
>
> Sorry, I thought you where trying to get from another host to the
> wireless. Now I see that the ASA is not able to ping.
> Can you ping a wireless host from another 192.168.1.1 host if you
> add a route via .7 ? Sounds like a WLC ACL.
>
>
> Tony Singh @ 17/07/2012 06:49 -0300 dixit:
>
>
>
> hi carlos - thanks but see below...
>
> ciscoasa(config)# same-security-traffic permit inter-interface
> ciscoasa(config)# same-security-traffic permit intra-interface
> ciscoasa(config)# ping 10.0.0.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> ?????
> Success rate is 0 percent (0/5)
>
> ciscoasa(config)# debug icmp trace 15
> debug icmp trace enabled at level 15
> ciscoasa(config)# ping 10.0.0.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
> ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139
> seq=39650 len=72
> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139
> seq=39650 len=72
> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139
> seq=39650 len=72
> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139
> seq=39650 len=72
> ?ICMP echo request from 192.168.1.1 to 10.0.0.1 ID=65139
> seq=39650 len=72
> ?
> Success rate is 0 percent (0/5)
>
>
>
> On 17 July 2012 10:36, Carlos G Mendioroz <tron_at_huapi.ba.ar
> <mailto:tron_at_huapi.ba.ar>
> <mailto:tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>>> wrote:
>
> http://www.cisco.com/en/US/____products/ps6120/products_tech_____note09186a0080734db7.shtml
> <http://www.cisco.com/en/US/__products/ps6120/products_tech___note09186a0080734db7.shtml>
>
>
> <http://www.cisco.com/en/US/__products/ps6120/products_tech___note09186a0080734db7.shtml
> <http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml>>
> ?
>
> same security traffic permit intra-interface
>
> -Carlos
>
> Tony Singh @ 17/07/2012 05:21 -0300 dixit:
>
> hi experts
>
> problem
> network behind wireless is 10.0.0.0/24
> <http://10.0.0.0/24> <http://10.0.0.0/24>
>
> unable to access from asa defined
> dhcp network 192.168.1.0/24 <http://192.168.1.0/24>
> <http://192.168.1.0/24>
>
>
> topology
> wireless access point wan port --> ASA inside
> switchport vlan 1
>
> on asa set a static route to say 10.x is behind 192.168.1.7
> (which is the
> address of the wan port of the wireless access point,
> pings fine
> from asa
> and traffic from the 10.x range is able to get out to the
> internet fine)
>
> route inside 10.0.0.0 255.255.255.0 192.168.1.7
>
> S 10.0.0.0 255.255.255.0 [1/0] via 192.168.1.7, inside
>
> but ping fails
>
> ciscoasa(config)# ping 10.0.0.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is
> 2 seconds:
> ?????
> Success rate is 0 percent (0/5)
>
> using the ASDM packet tracer facility it show that it
> is trying
> to ping
> from inside to outside interface, it fails due to acl-rule
>
> but on asa not seeing it here..
>
> ciscoasa(config)# show access-list
> access-list cached ACL log flows: total 0, denied 0
> (deny-flow-max 4096)
> alert-interval 300
>
> problem is this probably a private vlan scenario as I
> have a
> network within
> a network on my inside interface so the packet trace
> going from
> inside to
> outside is wrong
>
> any advice would be great
>
>
> Blogs and organic groups at http://www.ccie.net
>
>
> _______________________________________________________________________________
>
> Subscription information may be found at:
> http://www.groupstudy.com/____list/CCIELab.html
> <http://www.groupstudy.com/__list/CCIELab.html>
> <http://www.groupstudy.com/__list/CCIELab.html
> <http://www.groupstudy.com/list/CCIELab.html>>
>
>
>
>
>
>
>
>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar
> <mailto:tron_at_huapi.ba.ar> <mailto:tron_at_huapi.ba.ar
> <mailto:tron_at_huapi.ba.ar>>>
> LW7 EQI Argentina
>
>
>
>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>>
> LW7 EQI Argentina
>
>
>

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Blogs and organic groups at http://www.ccie.net

Received on Tue Jul 17 2012 - 07:36:25 ART

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART