
Cannot Ping ASA from 7204

Status
Not open for further replies.
Sep 28, 2009
10
US
Hello
I recently started a new job and I've been trying to clean up a bit. We have a T-1 with a 151 address that goes to an old checkpoint and a T-3 with a 65 address that goes to an ASA5520. Everything goes through the T-1 and I want to slowly start moving the VPNs and everything else over to the ASA and then remove the T-1 or go BGP and loadbalance/failover. If I'm at the router, I can ping any address on the 151 side, but I cannot ping the ASA or anything else that has a 65 address.
Any assistance would be appreciated. Below is the config:
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PAD_7204
!
logging rate-limit console 10 except errors
enable secret 5 $1$QObK$ly9n/oI/Wu9f/uAKhAtrB/
!
ip subnet-zero

ip name-server 151.198.0.68
ip name-server 151.201.0.68
!
no ip dhcp-client network-discovery
ipx routing 0005.749b.d406
call rsvp-sync

interface Ethernet0/0
ip address 65.211.65.2 255.255.255.224 secondary
ip address 151.198.253.225 255.255.255.224
ip access-group 101 in
ip access-group 102 out
ip route-cache policy
ip policy route-map PBR1
duplex auto

interface Ethernet0/0.1

interface GigabitEthernet0/0
ip address 10.10.0.8 255.255.0.0
ip helper-address 10.100.91.5
negotiation auto
ipx network 7 encapsulation SAP
ipx gns-response-delay 1
ipx type-20-propagation

interface Serial1/0
description T3-18MB Verizon-ISP
ip address 208.214.102.210 255.255.255.252
no ip redirects
no ip proxy-arp
encapsulation ppp
no ip mroute-cache
load-interval 30
scramble
framing c-bit
cablelength 10
dsu bandwidth 18948
no cdp enable

interface ATM2/0
description ATM PAD-OBD
no ip address
atm uni-version 3.1
no atm ilmi-keepalive

interface ATM2/0.1 point-to-point
description Bell Atlantic Internet Solutions
bandwidth 75000
ip address 151.198.252.206 255.255.255.252
ip policy route-map net-11
pvc 1/57
vbr-nrt 10000 10000 100
encapsulation aal5snap

interface ATM2/0.5 point-to-point
bandwidth 145000
ip address 10.15.0.2 255.255.255.252
ip helper-address 10.100.91.5
ip policy route-map net-10
pvc obd 5/55
protocol ip 10.15.0.1 broadcast
vbr-nrt 145000 145000 1000
encapsulation aal5snap

ipx network A21

router eigrp 1
network 10.0.0.0
no auto-summary
no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 151.198.252.205
ip route 10.70.1.1 255.255.255.255 10.60.1.2 name URG
ip route 10.70.1.2 255.255.255.255 10.60.1.2 name URG2
no ip http server

access-list 102 deny ip 0.0.0.0 255.0.0.0 any
access-list 102 permit ip any any
access-list 111 permit ip any any
access-list 112 permit ip any any
access-list 116 permit ip 65.211.65.0 0.0.0.31 any
access-list 117 permit ip 151.198.253.224 0.0.0.31 any
arp 151.198.253.233 0150.5ac6.fde9 ARPA
arp 151.198.253.235 0150.5ac6.fde9 ARPA
arp 151.198.253.229 0150.5ac6.fde9 ARPA
arp 151.198.253.230 0150.5ac6.fde9 ARPA
arp 151.198.253.227 0150.5ac6.fde9 ARPA
arp 151.198.253.251 0150.5ac6.fde9 ARPA
arp 151.198.253.244 0150.5ac6.fde9 ARPA
arp 151.198.253.245 0150.5ac6.fde9 ARPA
arp 151.198.253.246 0150.5ac6.fde9 ARPA
arp 151.198.253.243 0150.5ac6.fde9 ARPA

route-map net-11 permit 11
set interface Ethernet0/0
!
route-map net-10 permit 10
match ip address 111
set ip next-hop 10.10.0.1
!
route-map PBR1 permit 10
match ip address 116
set interface Serial1/0
set ip next-hop 208.214.102.209

route-map PBR1 permit 20
match ip address 117
set interface ATM2/0.1
set ip next-hop 151.198.252.205

ipx router eigrp 1
network A21

gatekeeper
shutdown
 
Did you allow ICMP so you can ping the ASA?

[americanflag] Go Army!
Tek-TIP Member 19,650
CCNA, CCNA Voice, CCNP, CCVP
Avaya IP Office 500, CS1000
 

Your interface Ethernet0/0 has an inbound rule (101) that is nonexistent and I'm not sure if that means a default deny any any is applied.

The outbound rule (102) has a strange deny...
access-list 102 deny ip 0.0.0.0 255.0.0.0 any
I believe that is saying a source network of anything in the first octet, i.e. 0.0.0.0 to 255.0.0.0, which will pretty much exclude everything?


-Blue
The significant problems we face cannot be solved at the same level of thinking we were at when we created them
 
E0/0 will not deny all traffic without an ACL applied. This is a common misnomer.


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
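
An added example, not part of any post in this thread: a small Python check over an excerpt of the posted config that lists `ip access-group` references to ACLs that are never defined and evaluates which source addresses the wildcard entries match. The function names are hypothetical, and only source matching is modelled, since every destination in the excerpt is `any`.

```python
import ipaddress
import re

# Excerpt of the configuration posted in this thread (only the lines the check needs).
CONFIG = """\
interface Ethernet0/0
 ip address 65.211.65.2 255.255.255.224 secondary
 ip address 151.198.253.225 255.255.255.224
 ip access-group 101 in
 ip access-group 102 out
access-list 102 deny ip 0.0.0.0 255.0.0.0 any
access-list 102 permit ip any any
access-list 116 permit ip 65.211.65.0 0.0.0.31 any
access-list 117 permit ip 151.198.253.224 0.0.0.31 any
"""

ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (any|\S+ \S+) ")
GROUP = re.compile(r"^\s*ip access-group (\d+) (in|out)")

def parse(config):
    """Return ({acl: [(action, base, wildcard)]}, [(acl, direction)])."""
    acls, groups = {}, []
    for line in config.splitlines():
        if m := GROUP.match(line):
            groups.append((m[1], m[2]))
        elif m := ACE.match(line):
            if m[3] == "any":
                base, wild = 0, 0xFFFFFFFF
            else:
                base, wild = (int(ipaddress.IPv4Address(p)) for p in m[3].split())
            acls.setdefault(m[1], []).append((m[2], base, wild))
    return acls, groups

def undefined_groups(config):
    """ACL numbers bound to an interface but never defined in the config."""
    acls, groups = parse(config)
    return [(n, d) for n, d in groups if n not in acls]

def evaluate(config, acl, src):
    """First-match action for a source address against a defined ACL."""
    acls, _ = parse(config)
    addr = int(ipaddress.IPv4Address(src))
    for action, base, wild in acls[acl]:
        care = ~wild & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
        if addr & care == base & care:
            return action
    return "deny"                          # implicit deny ends every defined ACL
```

Wildcard bits set to 1 are ignored in the comparison, so `0.0.0.0 255.0.0.0` matches only sources whose last three octets are zero. An undefined ACL has no implicit deny until its first entry is created, at which point everything not explicitly permitted is dropped.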
 
Thanks Burt that was my understanding, just wasn't sure with it having an access-group applied to the interface even though the access-list didn't exist...

-Blue
The significant problems we face cannot be solved at the same level of thinking we were at when we created them
 