You'll not be able to ping from R2 as there is NAT Control enabled and no
translation group.

Mate, good advice to you. Enable logging on the ASA and you'll see what is
happening there:

loggin buffered 7
logg on

try to ping and then

sho logg




2010/12/29 kamran shakil <[email protected]>

> For the sake of reachability I advertise those loopbacks in IGPs of
> respective R1 and R2 routers ... and now I see them on ASA
>
> and can ping also, but now another interesting problem is appearing:
>
> R1 can ping 200.200.200.200 with 5 bangs successful but R2 fails to bang
> 100.100.100.100 and packets drop !!!
>
> ASA has following table :
>
> BOX/sec# sh route
>
> Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
>
>        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
>        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
>
>        * - candidate default, U - per-user static route, o - ODR
>        P - periodic downloaded static route
>
> Gateway of last resort is not set
>
> O    200.200.200.200 255.255.255.255 [110/11] via 1.1.1.1, 0:02:42, outside
>
> C    1.1.1.0 255.255.255.0 is directly connected, outside
> C    2.2.2.0 255.255.255.0 is directly connected, inside
> R    100.100.100.0 255.255.255.0 [120/1] via 2.2.2.1, 0:00:16, inside
> O IA 20.20.20.20 255.255.255.255 [110/11] via 1.1.1.1, 0:02:42, outside
> R    11.11.11.11 255.255.255.255 [120/1] via 2.2.2.1, 0:00:16, inside
> BOX/sec#
>
>
> And R1 and R2 routing tables are below :
> ==============================
>
> R1 :-
> ==========================
>
>
> R1#sh ip ro
> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
>        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>        E1 - OSPF external type 1, E2 - OSPF external type 2
>        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
>        ia - IS-IS inter area, * - candidate default, U - per-user static route
>        o - ODR, P - periodic downloaded static route
>
> Gateway of last resort is not set
>
>      200.200.200.0/24 is variably subnetted, 2 subnets, 2 masks
> R       200.200.200.200/32 [120/1] via 2.2.2.2, 00:00:15, FastEthernet0/1
> B       200.200.200.0/24 [20/0] via 20.20.20.20, 00:25:17
>
>      1.0.0.0/24 is subnetted, 1 subnets
> R       1.1.1.0 [120/1] via 2.2.2.2, 00:00:15, FastEthernet0/1
>
>      2.0.0.0/24 is subnetted, 1 subnets
> C       2.2.2.0 is directly connected, FastEthernet0/1
>      100.0.0.0/24 is subnetted, 1 subnets
> C       100.100.100.0 is directly connected, Loopback100
>      20.0.0.0/32 is subnetted, 1 subnets
> R       20.20.20.20 [120/1] via 2.2.2.2, 00:00:15, FastEthernet0/1
>
>      11.0.0.0/32 is subnetted, 1 subnets
> C       11.11.11.11 is directly connected, Loopback1
>
>
>
> R2 :-
> ==========================
>
>
> R2#sh ip ro
> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
>        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>        E1 - OSPF external type 1, E2 - OSPF external type 2
>        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
>        ia - IS-IS inter area, * - candidate default, U - per-user static route
>        o - ODR, P - periodic downloaded static route
>
> Gateway of last resort is not set
>
> C    200.200.200.0/24 is directly connected, Loopback200
>      1.0.0.0/24 is subnetted, 1 subnets
> C       1.1.1.0 is directly connected, FastEthernet0/0
>      2.0.0.0/24 is subnetted, 1 subnets
> O E2    2.2.2.0 [110/1] via 1.1.1.2, 00:26:33, FastEthernet0/0
>
>      100.0.0.0/24 is subnetted, 1 subnets
> B       100.100.100.0 [20/0] via 11.11.11.11, 00:25:51
>
>      20.0.0.0/32 is subnetted, 1 subnets
> C       20.20.20.20 is directly connected, Loopback2
>      11.0.0.0/32 is subnetted, 1 subnets
> O E2    11.11.11.11 [110/1] via 1.1.1.2, 00:26:33, FastEthernet0/0
> R2#
>
>
> On Wed, Dec 29, 2010 at 9:31 PM, kamran shakil <[email protected]> wrote:
>
>> ASA can ping R1 and R2 those loopbacks which are coming thru IGP , and ASA
>> cannot ping those loopbacks which are only advertised in BGP ???? How to
>> resolve this ? can this be possible in CCIE SEC. Exam ????
>>
>> On Wed, Dec 29, 2010 at 9:31 PM, kamran shakil <[email protected]> wrote:
>>
>>> ASA can ping R1 and R2 those loopbacks which are coming thru IGP , and
>>> ASA cannot ping those loopbacks which are only advertised in BGP ???? How to
>>> resolve this ? can this be possible in CCIE SEC. Exam ????
>>>
>>> On Wed, Dec 29, 2010 at 9:22 PM, kamran shakil <[email protected]> wrote:
>>>
>>>> so where exactly is the mistake or any suggestion you can make or give
>>>> me ????
>>>>
>>>> I sent the configs before as well! Plz note that there is no error
>>>> coming of authentication or tcp packet random seq .....
>>>>
>>>>
>>>> On Wed, Dec 29, 2010 at 9:19 PM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> ASA has no idea how to route packets destined to 100.100.100.0 and
>>>>> 200.200.200.0 networks.
>>>>>
>>>>>
>>>>>
>>>>> 2010/12/29 kamran shakil <[email protected]>
>>>>>
>>>>>> I will show you all routes :
>>>>>>
>>>>>> ASA output :
>>>>>> =============
>>>>>>
>>>>>>
>>>>>> C    1.1.1.0 255.255.255.0 is directly connected, outside
>>>>>> C    2.2.2.0 255.255.255.0 is directly connected, inside
>>>>>> O IA 20.20.20.20 255.255.255.255 [110/11] via 1.1.1.1, 0:00:01, outside
>>>>>> R    11.11.11.11 255.255.255.255 [120/1] via 2.2.2.1, 0:00:13, inside
>>>>>> BOX/sec#
>>>>>>
>>>>>>
>>>>>> R1 Output :
>>>>>> ===========
>>>>>>
>>>>>> R1#sh ip ro
>>>>>> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
>>>>>>        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>>>>>>        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>>>>>>        E1 - OSPF external type 1, E2 - OSPF external type 2
>>>>>>        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
>>>>>>        ia - IS-IS inter area, * - candidate default, U - per-user static route
>>>>>>        o - ODR, P - periodic downloaded static route
>>>>>>
>>>>>> Gateway of last resort is not set
>>>>>>
>>>>>> B    200.200.200.0/24 [20/0] via 20.20.20.20, 00:00:29
>>>>>>      1.0.0.0/24 is subnetted, 1 subnets
>>>>>> R       1.1.1.0 [120/1] via 2.2.2.2, 00:00:23, FastEthernet0/1
>>>>>>      2.0.0.0/24 is subnetted, 1 subnets
>>>>>> C       2.2.2.0 is directly connected, FastEthernet0/1
>>>>>>      100.0.0.0/24 is subnetted, 1 subnets
>>>>>> C       100.100.100.0 is directly connected, Loopback100
>>>>>>      20.0.0.0/32 is subnetted, 1 subnets
>>>>>> R       20.20.20.20 [120/1] via 2.2.2.2, 00:00:23, FastEthernet0/1
>>>>>>      11.0.0.0/32 is subnetted, 1 subnets
>>>>>> C       11.11.11.11 is directly connected, Loopback1
>>>>>> R1#
>>>>>>
>>>>>> R1#sh ip bgp
>>>>>> BGP table version is 3, local router ID is 100.100.100.100
>>>>>> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>>>>>>               r RIB-failure, S Stale
>>>>>> Origin codes: i - IGP, e - EGP, ? - incomplete
>>>>>>
>>>>>>    Network          Next Hop            Metric LocPrf Weight Path
>>>>>> *> 100.100.100.0/24 0.0.0.0                  0         32768 i
>>>>>> *> 200.200.200.0    20.20.20.20              0             0 1 i
>>>>>> R1#
>>>>>>
>>>>>>
>>>>>>
>>>>>> R2 Output :
>>>>>> ============
>>>>>>
>>>>>> R2#sh ip ro
>>>>>> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
>>>>>>        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>>>>>>        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>>>>>>        E1 - OSPF external type 1, E2 - OSPF external type 2
>>>>>>        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
>>>>>>        ia - IS-IS inter area, * - candidate default, U - per-user static route
>>>>>>        o - ODR, P - periodic downloaded static route
>>>>>>
>>>>>> Gateway of last resort is not set
>>>>>>
>>>>>> C    200.200.200.0/24 is directly connected, Loopback200
>>>>>>      1.0.0.0/24 is subnetted, 1 subnets
>>>>>> C       1.1.1.0 is directly connected, FastEthernet0/0
>>>>>>      2.0.0.0/24 is subnetted, 1 subnets
>>>>>> O E2    2.2.2.0 [110/1] via 1.1.1.2, 00:02:08, FastEthernet0/0
>>>>>>      100.0.0.0/24 is subnetted, 1 subnets
>>>>>> B       100.100.100.0 [20/0] via 11.11.11.11, 00:01:25
>>>>>>      20.0.0.0/32 is subnetted, 1 subnets
>>>>>> C       20.20.20.20 is directly connected, Loopback2
>>>>>>      11.0.0.0/32 is subnetted, 1 subnets
>>>>>> O E2    11.11.11.11 [110/1] via 1.1.1.2, 00:02:08, FastEthernet0/0
>>>>>> R2#
>>>>>>
>>>>>>
>>>>>> R2#sh ip bgp
>>>>>> BGP table version is 3, local router ID is 200.200.200.200
>>>>>> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>>>>>>               r RIB-failure, S Stale
>>>>>> Origin codes: i - IGP, e - EGP, ? - incomplete
>>>>>>
>>>>>>    Network          Next Hop            Metric LocPrf Weight Path
>>>>>> *> 100.100.100.0/24 11.11.11.11              0             0 2 i
>>>>>> *> 200.200.200.0    0.0.0.0                  0         32768 i
>>>>>> R2#
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Dec 29, 2010 at 7:09 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>
>>>>>>> Do you see BGP routes in RIB? Can you send
>>>>>>> sho ip bgp
>>>>>>> sho ip route
>>>>>>>
>>>>>>> 2010/12/29 kamran shakil <[email protected]>
>>>>>>>
>>>>>>>>  Dears,
>>>>>>>> I am seriously confused here .... I made a very simple setup to test
>>>>>>>> BGP between 2 routers, putting 1 ASA in the middle and was doing the
>>>>>>>> lab, that finally I noticed something strange ??? My ROUTES are all OK,
>>>>>>>> I can learn routes on the remote routers thru ASA, and I did the
>>>>>>>> TCP-OPTIONS and also RANDOM SEQ. disable, and since nat-control was
>>>>>>>> enabled, I also did the static IDENTITY NAT .... but PING is not
>>>>>>>> working............................
>>>>>>>> !!! I am pasting the configs..
>>>>>>>>
>>>>>>>>  " EXPERTS....guide me ..plz "
>>>>>>>>
>>>>>>>>
>>>>>>>> * R1 -- > ASA ---- R2
>>>>>>>> *
>>>>>>>>
>>>>>>>>
>>>>>>>> R1 :
>>>>>>>> ===
>>>>>>>> interface Loopback1
>>>>>>>>  ip address 11.11.11.11 255.255.255.255
>>>>>>>> !
>>>>>>>> interface Loopback100
>>>>>>>>  ip address 100.100.100.100 255.255.255.0
>>>>>>>> !
>>>>>>>> interface FastEthernet0/1
>>>>>>>>  ip address 2.2.2.1 255.255.255.0
>>>>>>>>  duplex auto
>>>>>>>>  speed auto
>>>>>>>> !
>>>>>>>> router rip
>>>>>>>>  version 2
>>>>>>>>  network 2.0.0.0
>>>>>>>>  network 11.0.0.0
>>>>>>>>  no auto-summary
>>>>>>>> !
>>>>>>>> router bgp 2
>>>>>>>>  no synchronization
>>>>>>>>  bgp log-neighbor-changes
>>>>>>>>  network 100.100.100.0 mask 255.255.255.0
>>>>>>>>  neighbor 20.20.20.20 remote-as 1
>>>>>>>>  neighbor 20.20.20.20 password x
>>>>>>>>  neighbor 20.20.20.20 ebgp-multihop 10
>>>>>>>>  neighbor 20.20.20.20 update-source Loopback1
>>>>>>>>  no auto-summary
>>>>>>>>
>>>>>>>>
>>>>>>>> ASA :
>>>>>>>> ======
>>>>>>>> interface Ethernet0/0
>>>>>>>>  description Connected to R2
>>>>>>>>  nameif outside
>>>>>>>>  security-level 0
>>>>>>>>  ip address 1.1.1.2 255.255.255.0
>>>>>>>> !
>>>>>>>> interface Ethernet0/1
>>>>>>>>  description Connected to R1
>>>>>>>>  nameif inside
>>>>>>>>  security-level 100
>>>>>>>>  ip address 2.2.2.2 255.255.255.0
>>>>>>>>
>>>>>>>>
>>>>>>>> access-list outside-in extended permit icmp any any
>>>>>>>> access-list outside-in extended permit tcp any any eq bgp
>>>>>>>> !
>>>>>>>> tcp-map OPTION19
>>>>>>>>   tcp-options range 19 19 allow
>>>>>>>>
>>>>>>>> pager lines 24
>>>>>>>> logging console debugging
>>>>>>>> logging buffered debugging
>>>>>>>> mtu outside 1500
>>>>>>>> mtu inside 1500
>>>>>>>> no failover
>>>>>>>> icmp unreachable rate-limit 1 burst-size 1
>>>>>>>> icmp permit any outside
>>>>>>>> icmp permit any inside
>>>>>>>> no asdm history enable
>>>>>>>> arp timeout 14400
>>>>>>>> nat-control
>>>>>>>> global (outside) 1 interface
>>>>>>>> nat (inside) 1 0.0.0.0 0.0.0.0
>>>>>>>> static (inside,outside) 11.11.11.11 11.11.11.11 netmask 255.255.255.255
>>>>>>>> access-group outside-in in interface outside
>>>>>>>> !
>>>>>>>> router ospf 1
>>>>>>>>  network 1.1.1.0 255.255.255.0 area 0
>>>>>>>>  log-adj-changes
>>>>>>>>  redistribute rip metric 1 subnets
>>>>>>>> !
>>>>>>>> router rip
>>>>>>>>  network 2.0.0.0
>>>>>>>>  redistribute ospf 1 metric 1
>>>>>>>>  version 2
>>>>>>>>  no auto-summary
>>>>>>>> !
>>>>>>>> class-map BGP_CMAP
>>>>>>>>  match port tcp eq bgp
>>>>>>>> class-map inspection_default
>>>>>>>>  match default-inspection-traffic
>>>>>>>> !
>>>>>>>> !
>>>>>>>> policy-map global_policy
>>>>>>>>  class BGP_CMAP
>>>>>>>>   set connection random-sequence-number disable
>>>>>>>>   set connection advanced-options OPTION19
>>>>>>>>  class inspection_default
>>>>>>>> !
>>>>>>>> service-policy global_policy global
>>>>>>>> prompt hostname priority context
>>>>>>>> Cryptochecksum:65755c185976d9164a0b06eee25f2f42
>>>>>>>>
>>>>>>>>
>>>>>>>> R2 :
>>>>>>>> ======
>>>>>>>>
>>>>>>>> interface Loopback2
>>>>>>>>  ip address 20.20.20.20 255.255.255.255
>>>>>>>> !
>>>>>>>> interface Loopback200
>>>>>>>>  ip address 200.200.200.200 255.255.255.0
>>>>>>>> !
>>>>>>>> interface FastEthernet0/0
>>>>>>>>  ip address 1.1.1.1 255.255.255.0
>>>>>>>>  duplex auto
>>>>>>>>  speed auto
>>>>>>>> !
>>>>>>>> router ospf 1
>>>>>>>>  log-adjacency-changes
>>>>>>>>  network 1.1.1.0 0.0.0.255 area 0
>>>>>>>>  network 20.20.20.20 0.0.0.0 area 1
>>>>>>>> !
>>>>>>>> router bgp 1
>>>>>>>>  no synchronization
>>>>>>>>  bgp log-neighbor-changes
>>>>>>>>  network 200.200.200.0
>>>>>>>>  neighbor 11.11.11.11 remote-as 2
>>>>>>>>  neighbor 11.11.11.11 password x
>>>>>>>>  neighbor 11.11.11.11 ebgp-multihop 10
>>>>>>>>  neighbor 11.11.11.11 update-source Loopback2
>>>>>>>>  no auto-summary
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------------------------------------------------------------------------
>>>>>>>> Guide me to understand this PING issue for BGP network !!!!
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>> please visit www.ipexpert.com
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
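
A simplified model of the pre-8.3 nat-control lookup behind the first reply in this thread, added here as an illustration and not code from any participant. It reads the NAT lines from the quoted ASA config and reports which rule, if any, translates each flow. The function names, the ping source addresses (the routers' connected interfaces) and the extra identity static for 100.100.100.0/24 are assumptions.

```python
import ipaddress as ip

# NAT-related lines copied from the ASA config quoted in this thread.
ASA_NAT = """\
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 11.11.11.11 11.11.11.11 netmask 255.255.255.255
"""
# Assumed addition (not in the thread): identity static for R1's BGP-only prefix.
EXTRA_STATIC = "static (inside,outside) 100.100.100.0 100.100.100.0 netmask 255.255.255.0\n"

def net(addr, mask):
    """Build a network from an address and a dotted netmask."""
    return ip.ip_network(f"{addr}/{bin(int(ip.ip_address(mask))).count('1')}")

def parse(cfg):
    """Collect nat, global and static rules written in pre-8.3 syntax."""
    rules = {"nat": [], "global": set(), "static": []}
    for line in cfg.splitlines():
        w = line.replace("(", " ").replace(")", " ").replace(",", " ").split()
        if not w:
            continue
        if w[0] == "nat":          # nat (real_if) id network mask
            rules["nat"].append((w[1], w[2], net(w[3], w[4])))
        elif w[0] == "global":     # global (mapped_if) id pool
            rules["global"].add((w[1], w[2]))
        elif w[0] == "static":     # static (real_if,mapped_if) mapped real netmask mask
            rules["static"].append((w[1], w[2], net(w[3], w[6]), net(w[4], w[6])))
    return rules

def translation(rules, src_if, src, dst_if, dst):
    """Return the kind of rule that translates a new flow, or None."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for real_if, mapped_if, mapped, real in rules["static"]:
        if (src_if, dst_if) == (real_if, mapped_if) and src in real:
            return "static"
        if (src_if, dst_if) == (mapped_if, real_if) and dst in mapped:
            return "static"        # a static also admits flows started on the mapped side
    for real_if, nat_id, network in rules["nat"]:
        if src_if == real_if and src in network and (dst_if, nat_id) in rules["global"]:
            return "dynamic"       # nat/global pairs only cover flows started on real_if
    return None                    # nat-control: nothing matches, the packet is dropped

def report(cfg):
    # Constructed flows; sources assume pings leave from the connected interfaces.
    flows = {"R1 ping 200.200.200.200": ("inside", "2.2.2.1", "outside", "200.200.200.200"),
             "R2 ping 100.100.100.100": ("outside", "1.1.1.1", "inside", "100.100.100.100"),
             "R2 BGP to 11.11.11.11": ("outside", "20.20.20.20", "inside", "11.11.11.11")}
    return {name: translation(parse(cfg), *f) for name, f in flows.items()}

if __name__ == "__main__":
    print(report(ASA_NAT))
    print(report(ASA_NAT + EXTRA_STATIC))
```

The `None` result for the R2 ping corresponds to the "no translation group" drop that the logging commands in the first reply are meant to reveal.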