Strange PING Problem (ASA and Router)

Scenario:
R1 ---->>> (inside interface e0/0 sec-level 100) ASA 8.02 (outside interface e0/1 sec-level 0 ) <<<---- R2
All are directly connected. No switch between them.

ASA Configuration:

ASA1(config)# sh run access-list 
access-list ICMP_OUT extended permit icmp any any

ASA1(config)# sh run access-group
access-group ICMP_OUT in interface inside
access-group ICMP_OUT out interface inside
access-group ICMP_OUT in interface outside
access-group ICMP_OUT out interface outside

!
interface Ethernet0/0
 description ASA->R1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 description ASA->R2
 nameif outside
 security-level 0
 ip address 20.1.1.1 255.255.255.0
!

Debug Messages When I try to Ping from R1 to R2

R1:
R1#ping 20.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
....
*Mar  1 00:40:59.795: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2
*Mar  1 00:40:59.799: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2.
Success rate is 0 percent (0/5)
R1#
*Mar  1 00:41:02.315: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2
*Mar  1 00:41:02.367: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2
*Mar  1 00:41:02.719: ICMP: echo reply rcvd, src 20.1.1.2, dst 10.1.1.2

ASA1:

ASA1(config)# ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=0 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=1 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=0 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=1 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=2 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=3 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=2 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=3 len=72
ICMP echo request from inside:10.1.1.2 to outside:20.1.1.2 ID=7 seq=4 len=72
ICMP echo reply from outside:20.1.1.2 to inside:10.1.1.2 ID=7 seq=4 len=72   

R2:

R2#
*Mar  1 00:39:56.403: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
*Mar  1 00:39:56.407: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
R2#
*Mar  1 00:40:00.415: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
*Mar  1 00:40:00.419: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
R2#
*Mar  1 00:40:03.031: ICMP: echo reply sent, src 20.1.1.2, dst 10.1.1.2
R2#

From the above debugs we can see that R2 has sent the reply, ASA is permitting the reply and R1 is receiving the reply.
But R1 shows success as 0%.
Also note that my IOS is perfect and this problem occurs only when I introduce the ASA in between.

Could someone help me out?

Comments

  • Interesting, can you post your R1 config.

     

    With regards

    Kings

  • Here is the R1's Configuration

    R1#sh run
    Building configuration...

    Current configuration : 933 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 10
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.0
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface Ethernet1/0
     ip address 10.1.1.2 255.255.255.0
     half-duplex
    !
    router rip
     version 2
     network 1.0.0.0
     network 10.0.0.0
     no auto-summary
    !
    ip forward-protocol nd
    !
    !
    ip http server
    no ip http secure-server
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
    !
    !
    end

    Please let me know if you need any more info...

  • The router is clean. Did you try with a reload?

     

     

    With regards

    Kings

  • Is this actual equipment or GNS/Dynamips emulation? If it's Dynamips, load on the cpu, idlepc and other can influence ping behavior.

  • Is this issue fixed? If not, can you send me the ASA config please.. I had a similar kind of issue but I managed to fix it...

     

    Cheers,

    Aspire

  • ASA:

    ASA Configuration:

    ASA1(config)# sh run access-list 
    access-list ICMP_OUT extended permit icmp any any

    ASA1(config)# sh run access-group
    access-group ICMP_OUT in interface inside
    access-group ICMP_OUT out interface inside
    access-group ICMP_OUT in interface outside
    access-group ICMP_OUT out interface outside

    !
    interface Ethernet0/0
     description ASA->R1
     nameif inside
     security-level 100
     ip address 10.1.1.1 255.255.255.0
    !
    interface Ethernet0/1
     description ASA->R2
     nameif outside
     security-level 0
     ip address 20.1.1.1 255.255.255.0
    !

     

    Only this I have modified. Others are default ones.

    Could you please help me with the way you had solved it?

    Thanks

  • Can you please run sh run on ASA and send me full config !!

     

    Also copy both your routers' latest configs

  • Why are you using half duplex for Ethernet on R1?

    interface Ethernet1/0
     ip address 10.1.1.2 255.255.255.0
     half-duplex

     

    can you make it auto or full duplex and try?

  • I agree with Mohamed Fawzy but speed setting will help you to identify packet drop...

  • Yep. Include the output of the below commands

     

    Sh run nat

    sh run glo

    sh run stat

     

    sh route

    sh run policy-map.