topic Inside Network Cant Access Internet ASA 5506 || Packet Tracer Lab || in Network Security

Inside Network Cant Access Internet ASA 5506 || Packet Tracer Lab ||

Abdul Mateen — Thu, 13 Aug 2020 09:33:50 GMT

I have a simple topology where two inside VLANS have HSRP Gateways needs to access Internet through ASA.

I can ping the inside Interface of ASA 5506 (Packet Tracer Simulator) from PC/Laptop but cant able to ping the Internet Router. Can any one share the valid solution with explanation for ASA config as i possibly think its a NAT issue.
Screenshot+ ASA Config attached.

Re: Inside Network Cant Access Internet ASA 5506 || Packet Tracer Lab ||

Rob Ingram — Thu, 13 Aug 2020 09:41:39 GMT

Hi,
In order to ping through your ASA, you either need to permit the return icmp traffic or enable ICMP inspection. Run the command "fixup protocol icmp" to enable ICMP inspection.

NAT your traffic behind the ASA's interface, amend your existing NAT to "nat (inside2,outside) dynamic interface"

Re: Inside Network Cant Access Internet ASA 5506 || Packet Tracer Lab ||

Abdul Mateen — Thu, 13 Aug 2020 09:57:18 GMT

Thanks for your reply.

I am untouch from ASA quite long.
I would be glad if you please enlighten me a bit about NAT (Static &
Dynamic) operation in ASA in and exact commands to make it work.
Also fixup protocol icmp is not working in ASA Packet Tracer.
[image: image.png]

Re: Inside Network Cant Access Internet ASA 5506 || Packet Tracer Lab ||

Rob Ingram — Thu, 13 Aug 2020 10:10:15 GMT

The image is not displayed, does packet tracer no like the command?
Amend you not NAT like below.

object network inside_inet
no (inside2,outside) static 172.16.10.0
nat (inside2,outside) dynamic interface

You NAT assumes that traffic is coming via "inside2" interface, you also have "inside" interface and would need a NAT rule for that.

Re: Inside Network Cant Access Internet ASA 5506 || Packet Tracer Lab ||

Abdul Mateen — Tue, 18 Aug 2020 07:37:35 GMT

ciscoasa#sh run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet1/2
no nameif
security-level 100
ip address dhcp
shutdown
!
interface GigabitEthernet1/3
nameif outside
security-level 0
ip address 172.16.30.2 255.255.255.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network inside_inet
subnet 192.168.50.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.30.1 1
route inside 172.16.10.0 255.255.255.0 192.168.50.2 1
route inside 192.168.10.0 255.255.255.0 192.168.50.2 1
route inside 192.168.20.0 255.255.255.0 192.168.50.2 1
!
!
!
object network inside_inet
nat (inside,outside) dynamic interface
!
!
!
!
class-map C1
match default-inspection-traffic
!
policy-map P1
class C1
inspect icmp
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
ciscoasa#

Re: Inside Network Cant Access Internet ASA 5506 || Packet Tracer Lab ||

Abdul Mateen — Tue, 18 Aug 2020 07:54:04 GMT

I have modified a little in the topology and add a L3 Switch before ASA.

I can now ping ASA internal interface from desktop computer but cant be able to reach the internet.

ASA config attached.