All times are UTC
 Post subject: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 12:26 pm 

Joined: Sat Aug 16, 2014 12:14 pm
Posts: 9
Hi,
I have started CCNA Security and I have a lab set up in GNS3. I'm trying to access the Internet (8.8.8.8) through my WIN-XP 32-bit installed on Oracle VirtualBox.
The problem is I cannot ping from my XP to the outside world.
I can ping 8.8.8.8 from the Cisco ASA firewall, no problem.
I can ping 10.10.10.50, which is the XP-32.
I can ping 10.10.10.1 from XP, which is the default gateway for XP to the ASA.
But ICMP packets cannot pass through the firewall.
I have a static S* default route to 192.168.1.0, where .1 is my ISP router.

From the firewall to 8.8.8.8 is fine.
From the inside network I can only ping 10.10.10.1, which is the inside IP of the ASA.
Cannot pass beyond.
I am using Windows 7.
Please suggest!

Thanks

regards




 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 12:48 pm 

Joined: Fri Mar 05, 2010 11:33 am
Posts: 1494
Location: Australia
a) I would suggest strongly that you remove your phone number from your post - just for security (if you can't edit your post and want it removed, let me know. I'll fix it!)

b) Need more information - like your ASA config and your topology.net.

_________________
RedNectar
http://rednectar.net
@rednectarchris
GNS3 WorkBench-a VMware image of Ubuntu with GNS3 and VPCS installed and a collection of exercises/labs


 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 4:20 pm 

Joined: Sat Aug 16, 2014 12:14 pm
Posts: 9
Yes, please do it. That's no problem.


Attachments:
GNS ASA with Internet.png


Last edited by ishahid25 on Sat Aug 16, 2014 6:17 pm, edited 1 time in total.
 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 6:05 pm 

Joined: Sat Aug 16, 2014 12:14 pm
Posts: 9
Hi,
Here you go:
Default gateway 192.168.137.1
FW inside IP = 10.10.10.1
VirtualBox Windows XP 32-bit IP = 10.10.10.50


ciscoasa(config)# show int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 192.168.137.2 YES manual up up
GigabitEthernet1 10.10.10.1 YES CONFIG up up
GigabitEthernet2 unassigned YES unset administratively down up
GigabitEthernet3 unassigned YES unset administratively down up
GigabitEthernet4 unassigned YES unset administratively down up
GigabitEthernet5 unassigned YES unset administratively down up
ciscoasa(config)#

ciscoasa(config)# ping 8.8.8.8 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 10/17/30 ms
ciscoasa(config)#

ciscoasa(config)# ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ping 10.10.10.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)#




ciscoasa(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 192.168.137.1 to network 0.0.0.0

C 10.10.10.0 255.255.255.0 is directly connected, inside
C 192.168.137.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.137.1, outside
ciscoasa(config)#


I CAN PING FROM XP to the inside IP, which is 10.10.10.1,
but no more than that.

Please help

Thanks
:)


Last edited by ishahid25 on Sat Aug 16, 2014 6:16 pm, edited 1 time in total.

 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 6:08 pm 

Joined: Sat Aug 16, 2014 12:14 pm
Posts: 9
When I ping the inside IP from the XP VB,
I can see the debug, which shows the FW is responding.


ciscoasa(config)# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa(config)# ICMP echo request from 10.10.10.50 to 10.10.10.1 ID=512 seq=1280 len=32
ICMP echo reply from 10.10.10.1 to 10.10.10.50 ID=512 seq=1280 len=32
ICMP echo request from 10.10.10.50 to 10.10.10.1 ID=512 seq=1536 len=32
ICMP echo reply from 10.10.10.1 to 10.10.10.50 ID=512 seq=1536 len=32
ICMP echo request from 10.10.10.50 to 10.10.10.1 ID=512 seq=1792 len=32
ICMP echo reply from 10.10.10.1 to 10.10.10.50 ID=512 seq=1792 len=32
ICMP echo request from 10.10.10.50 to 10.10.10.1 ID=512 seq=2048 len=32
ICMP echo reply from 10.10.10.1 to 10.10.10.50 ID=512 seq=2048 len=32


 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 6:44 pm 

Joined: Fri May 13, 2011 10:35 pm
Posts: 83
Location: Seattle, WA (USA)
Have you configured the ACL, with fixup and policy map inspection, to allow ping and traceroute traffic through the device? Per section 3.4 ASAVM from http://binarynature.blogspot.com/2014/02/implement-multivendor-ospf-lab-gns3-vmware-fusion.html:

Code:
asavm(config)# access-list outside_access_in extended permit icmp any any time-exceeded
asavm(config)# access-list outside_access_in extended permit icmp any any unreachable
asavm(config)# access-group outside_access_in in interface outside
asavm(config)# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands
asavm(config)# icmp unreachable rate-limit 10 burst-size 5
asavm(config)# policy-map global_policy
asavm(config-pmap)# class class-default
asavm(config-pmap-c)# set connection decrement-ttl
asavm(config-pmap-c)# end

_________________
http://binarynature.blogspot.com/search/label/GNS3


 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 6:53 pm 

Joined: Sat Aug 16, 2014 12:14 pm
Posts: 9
No luck, even after typing those commands.

Here is the complete show run:



!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.137.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network INSIDE_to_OUTSIDE
host 10.10.10.50
access-list INSIDE_to_OUTSIDE1 extended permit tcp any any
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 10 burst-size 5
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
!
object network INSIDE_to_OUTSIDE
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group INSIDE_to_OUTSIDE1 in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
service resetoutside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map INSPECTION_DEFAULT
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map GLOBAL_POLICY
class INSPECTION_DEFAULT
inspect icmp
inspect http
inspect dns
class inspection_default
inspect icmp
class class-default
set connection decrement-ttl
!
service-policy GLOBAL_POLICY global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:77518c6afc78e4c4484abf3475946376
: end
ciscoasa#


 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 7:35 pm 

Joined: Fri May 13, 2011 10:35 pm
Posts: 83
Location: Seattle, WA (USA)
Remove the following:

Code:
access-list INSIDE_to_OUTSIDE1 extended permit tcp any any
access-group INSIDE_to_OUTSIDE1 in interface inside


I would also modify the INSIDE_to_OUTSIDE object to represent the whole 10.10.10.0/24 subnet, instead of a single host, for the translation.

Code:
object network INSIDE_to_OUTSIDE
  subnet 10.10.10.0 255.255.255.0
  nat (inside,outside) dynamic interface

_________________
http://binarynature.blogspot.com/search/label/GNS3


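The two answers above (permit ICMP and inspect it, then drop the TCP-only inside ACL and NAT the whole subnet) amount to a checklist that can be run mechanically over a `show run`. The script below is an added example, not code from the thread, GNS3 or Cisco. It parses only the ASA syntax that appears in the posted config (interfaces, network objects, ACLs, access-groups, routes, policy-maps) and reports the four conditions discussed in the thread; SAMPLE_CONFIG is constructed from the posted config, and FIXED_CONFIG applies the two recommended changes to it. The finding codes and the function names are this example's own.

```python
"""Audit an ASA `show run` for the pitfalls raised in this thread.

Added example, not code from the thread, GNS3 or Cisco. It parses only the
ASA syntax seen in the posted config; SAMPLE_CONFIG is constructed from it.
"""
import ipaddress

SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 ip address 192.168.137.2 255.255.255.0
interface GigabitEthernet1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
object network INSIDE_to_OUTSIDE
 host 10.10.10.50
access-list INSIDE_to_OUTSIDE1 extended permit tcp any any
object network INSIDE_to_OUTSIDE
 nat (inside,outside) dynamic interface
access-group INSIDE_to_OUTSIDE1 in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
policy-map GLOBAL_POLICY
 class inspection_default
  inspect icmp
service-policy GLOBAL_POLICY global
"""

# The two changes recommended in the thread: drop the inside ACL, NAT the /24.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("access-list INSIDE_to_OUTSIDE1 extended permit tcp any any\n", "")
    .replace("access-group INSIDE_to_OUTSIDE1 in interface inside\n", "")
    .replace(" host 10.10.10.50", " subnet 10.10.10.0 255.255.255.0"))


def parse_config(text):
    cfg = {"ifaces": {}, "objects": {}, "acls": {}, "groups": {},
           "routes": [], "pmap_icmp": set(), "global_pmap": None}
    cur_if = cur_obj = cur_pmap = None
    for raw in text.splitlines():
        w = raw.split()                       # indentation is irrelevant
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            cur_if = cfg["ifaces"].setdefault(w[1], {})
        elif w[0] == "nameif" and cur_if is not None:
            cur_if["name"] = w[1]
        elif w[:2] == ["ip", "address"] and cur_if is not None:
            cur_if["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:2] == ["object", "network"]:  # may repeat: host/subnet, then nat
            cur_obj = cfg["objects"].setdefault(w[2], {"nets": [], "nat": None})
        elif w[0] in ("host", "subnet") and cur_obj is not None:
            cur_obj["nets"].append(ipaddress.ip_network("/".join(w[1:]), strict=False))
        elif w[0] == "nat" and cur_obj is not None:
            cur_obj["nat"] = " ".join(w)
        elif w[0] == "access-list":           # access-list NAME extended ACTION PROTO ...
            cfg["acls"].setdefault(w[1], []).append((w[3], w[4]))
        elif w[0] == "access-group":          # access-group NAME in interface IFNAME
            cfg["groups"][w[4]] = w[1]
        elif w[0] == "route":                 # route IFNAME NET MASK NEXTHOP [metric]
            cfg["routes"].append((w[2], ipaddress.ip_address(w[4])))
        elif w[0] == "policy-map":
            cur_pmap = w[1]
        elif w[:2] == ["inspect", "icmp"] and cur_pmap:
            cfg["pmap_icmp"].add(cur_pmap)
        elif w[0] == "service-policy" and w[-1] == "global":
            cfg["global_pmap"] = w[1]
    return cfg


def audit(cfg):
    """Return (code, message) findings; an empty list means nothing obvious."""
    findings = []
    nets = {d["name"]: d["net"] for d in cfg["ifaces"].values() if "name" in d and "net" in d}
    inside, outside = nets.get("inside"), nets.get("outside")
    # 1. An ACL bound inbound on inside ends in an implicit deny, so one that
    #    permits only tcp drops the echo requests before NAT or routing.
    acl = cfg["groups"].get("inside")
    if acl:
        permitted = {proto for action, proto in cfg["acls"].get(acl, []) if action == "permit"}
        if not permitted & {"icmp", "ip"}:
            findings.append(("INSIDE_ACL_NO_ICMP", f"ACL {acl} permits only {sorted(permitted)}"))
    # 2. Dynamic PAT has to cover the whole inside subnet, not just one host.
    nat_nets = [n for o in cfg["objects"].values() if o["nat"] for n in o["nets"]]
    if inside is not None and not any(inside.subnet_of(n) for n in nat_nets):
        findings.append(("NAT_PARTIAL", f"NAT covers {[str(n) for n in nat_nets]}, inside is {inside}"))
    # 3. Without inspect icmp in the global policy, echo replies are not matched
    #    to a connection and need an explicit permit in the outside ACL.
    if cfg["global_pmap"] not in cfg["pmap_icmp"]:
        findings.append(("NO_ICMP_INSPECT", "global policy does not inspect icmp"))
    # 4. The default route's next hop must be on the outside interface's subnet.
    for net, nexthop in cfg["routes"]:
        if net == "0.0.0.0" and outside is not None and nexthop not in outside:
            findings.append(("DEFAULT_ROUTE_OFFLINK", f"next hop {nexthop} is not on {outside}"))
    return findings


def audit_codes(text):
    """Finding codes only, for scripting: audit_codes(SAMPLE_CONFIG)."""
    return [code for code, _ in audit(parse_config(text))]
```

Run against SAMPLE_CONFIG it reports INSIDE_ACL_NO_ICMP and NAT_PARTIAL, which are exactly the two lines and the object change the previous answer asks for; against FIXED_CONFIG it reports nothing. The fourth check is there for the mismatch raised later in the thread between the 192.168.137.1 next hop and a router on 192.168.1.0: a default route whose next hop is not on the outside subnet never resolves, however correct the ACLs are.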
 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 7:43 pm 

Joined: Sat Aug 16, 2014 12:14 pm
Posts: 9
Still not resolved.
Please help.


 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 8:41 pm 

Joined: Fri May 13, 2011 10:35 pm
Posts: 83
Location: Seattle, WA (USA)
The ASA configuration looks correct, so you should troubleshoot external components. Your ASA configuration has 192.168.137.1 set as the next hop for your default route, but you state 192.168.1.1 is the address assigned to the LAN interface of your physical router linked to the Internet. What are the components between SW1 and your physical router?



_________________
http://binarynature.blogspot.com/search/label/GNS3

