topic Re: LAN can't ping the Internet in Network Security

LAN can't ping the Internet

blin — Sun, 22 Mar 2020 17:32:12 GMT

I just configured ASA 5510 and we can access the internet. However, I can't ping any outside IP address for example 8.8.8.8. For a troubleshooting, I test ping 8.8.8.8 from ASA without any issues. But can't ping inside/LAN IP from the ASA. I assume it may not have return so that I add access-list acl-inbound extended permit icmp any any commands. Hare are configuration related to ping

interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 192.168.11.2 255.255.255.0

....

access-list outside extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit icmp any any timestamp-reply
access-list OUTSIDE extended permit icmp any any unreachable
access-list acl-inbound extended permit icmp any any echo
access-list acl-inbound extended permit icmp any any echo-reply
access-list acl-inbound extended permit icmp any any unreachable
access-list acl-inbound extended permit icmp any any time-exceeded

.....

icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside

......

global (inside) 1 192.168.9.2-192.168.9.254 netmask 255.255.255.0
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.11.1 1

Re: LAN can't ping the Internet

blin — Sun, 22 Mar 2020 18:56:21 GMT

More information. I can ping Comcast modem inside IP address, 192.168.11.1 from LAN 192.168.9.0/24.

Re: LAN can't ping the Internet

Marius Gunnerud — Sun, 22 Mar 2020 19:43:53 GMT

Do you have inspect icmp configured under your policy map (show run policy-map)? If not then add it and test again.

Re: LAN can't ping the Internet

blin — Sun, 22 Mar 2020 19:59:30 GMT

No, I don't have. Let me find out how to add it. Will be back.

Re: LAN can't ping the Internet

blin — Sun, 22 Mar 2020 20:04:02 GMT

Before I posted I try but get this message

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ERROR: % class-map inspection_default not configured

Then I use access-list.

access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit icmp any any timestamp-reply
access-list OUTSIDE extended permit icmp any any unreachable

Why do I get ERROR: % class-map inspection_default not configured? Do I need to create some policy first?

Re: LAN can't ping the Internet

Marius Gunnerud — Sun, 22 Mar 2020 20:09:00 GMT

You get the error because the default_inspection class map is not configured. Did you do a complete configuration wipe on the device?

Below are the more common inspections which we normally enable. If you do not want to allow traceroute then remove the icmp error. Or remove any that you dont want or dont use for that matter.

class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect icmp
inspect icmp error

Re: LAN can't ping the Internet

blin — Sun, 22 Mar 2020 20:25:06 GMT

Yes, I did a complete configuration wipe on the device yesterday. Will try and get back to you.

Re: LAN can't ping the Internet

blin — Mon, 23 Mar 2020 00:27:07 GMT

I added those policy. However, from LAN 192.168.9.0/24 still can't ping 8.8.8.8. Attached is the configuration.

ciscoasa# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect icmp error

Re: LAN can't ping the Internet

Marius Gunnerud — Mon, 23 Mar 2020 06:17:08 GMT

Since you say that you are able to access sites on the internet, you should be able to ping anything on the internet from your LAN with the configuration you have on your ASA. Do you have access to the Comcast router/modem to check if ping is being blocked there? If not, I would suggest contacting Comcast to make sure they are not blocking ICMP / ping as it looks like the issue is on their side.

Re: LAN can't ping the Internet

blin — Mon, 23 Mar 2020 16:24:12 GMT

From ASDM, I don't see policy-map global-policy. After I added it at ASDM, it works. These are the current settings for working. Don't know why. Thank you for help.

policy-map global_policy
class inspection_default
inspect icmp
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect icmp error

Ping works after adding these

policy-map global-policy
class global-class
inspect icmp

Re: LAN can't ping the Internet

Marius Gunnerud — Mon, 23 Mar 2020 16:53:48 GMT

most likely because I forgot to add the following command in my previous post:

service-policy global_policy global

This applies the policy-map globaly

Re: LAN can't ping the Internet

blin — Mon, 23 Mar 2020 17:35:31 GMT

.Thank you!