# Only one side can ping the other through ASA in GNS3



## trainerbrian85 (Nov 25, 2014)

Hello, over the last couple of days I have been setting up a test network that I am going to use for penetration testing but have gotten stuck completing the final connection.











I have full connectivity between all areas of the network except the Workstation (10.3.1.50) cannot ping to any of the internal servers (Domain Controller, Syslog, SQL, etc). However, when issuing pings from the internal servers to the Workstation, all of them succeed.

*Successful ping from Domain Controller (10.3.2.4) to Workstation (10.3.1.50)*


*Failed ping from Workstation (10.3.1.50) to Domain Controller (10.3.2.4)*

*ASA1 Configuration*
ASA Version 8.4(2)
!
hostname ASA
enable password
!
interface GigabitEthernet0
nameif workstations
security-level 100
ip address 10.3.1.2 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 100
ip address 172.1.0.3 255.255.255.0
!
interface GigabitEthernet2
nameif DMZ
security-level 100
ip address 10.4.2.3 255.255.255.0
!
interface GigabitEthernet3
nameif inside
security-level 100
ip address 172.17.0.3 255.255.255.0
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network dmz-net
subnet 10.4.2.0 255.255.255.0
object network workstations
subnet 10.3.1.0 255.255.255.0
object network internal-out
subnet 172.17.0.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
mtu workstations 1500
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network dmz-net
nat (DMZ,outside) dynamic interface
object network workstations
nat (workstations,outside) dynamic interface
object network internal-out
nat (inside,outside) dynamic interface
access-group outside_access_in global
route outside 0.0.0.0 0.0.0.0 172.1.0.2 1
route outside 10.3.2.0 255.255.255.0 172.17.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable

*SW1 Configuration*
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VLAN_SW1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
vtp mode transparent
archive
log config
hidekeys
!
vlan 3,6,99
!
ip tcp synwait-time 5
ip ssh version 1
!
interface FastEthernet0/0
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
switchport mode trunk
speed 100
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
switchport mode trunk
speed 100
!
interface FastEthernet1/15
switchport mode trunk
speed 100
!
interface Vlan1
no ip address
no ip route-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.17.0.3
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end

*ASA2 Configuration*
ASA Version 8.4(2)
!
hostname ASA2
!
interface GigabitEthernet0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0.1
vlan 6
nameif vlan6
security-level 100
ip address 10.3.2.2 255.255.255.0
!
interface GigabitEthernet0.2
vlan 4
nameif vlan4
security-level 100
ip address 10.4.1.2 255.255.255.0
!
interface GigabitEthernet0.3
vlan 99
nameif vlan99
security-level 100
ip address 10.99.1.2 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 100
ip address 172.17.0.2 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network core-servers
subnet 10.3.2.0 255.255.255.0
object network dist-servers
subnet 10.4.1.0 255.255.255.0
object network management
subnet 10.99.1.0 255.255.255.0
object network workstations
subnet 10.3.1.0 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
mtu vlan6 1500
mtu vlan4 1500
mtu vlan99 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network core-servers
nat (vlan6,outside) dynamic interface
object network dist-servers
nat (vlan4,outside) dynamic interface
object network management
nat (vlan99,outside) dynamic interface
access-group outside_access_in global
route outside 0.0.0.0 0.0.0.0 172.17.0.3 1
route outside 10.3.1.0 255.255.255.0 172.17.0.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.99.1.0 255.255.255.0 vlan99
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.99.1.0 255.255.255.0 vlan99
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:9eae54d930f4597bb9335da9ef7e98cc
: end

*SW_INT Configuration*
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW_INT
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
vtp mode transparent
archive
log config
hidekeys
!
vlan 3-4,6,99
!
ip tcp synwait-time 5
ip ssh version 1
!
interface FastEthernet0/0
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
switchport access vlan 6
duplex full
speed 100
!
interface FastEthernet1/4
switchport access vlan 4
duplex full
speed 100
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
switchport access vlan 99
duplex full
speed 100
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end


----------

