topic Another explanation worth in Network Security

Unable to ping out from ASA 5505

Shane.Toumey — Tue, 12 Mar 2019 09:40:15 GMT

Hi folks,

ASA newbie here.

I had what I thought was a decent grasp on how to configure a 5505 from factory settings, but I'm having trouble with some basic functionality. Currently I'm unable to ping out from the ASA itself to anywhere on the outside interface. (To be clear, I'm not concerned with pinging from a host on the inside network yet.) For example, I can't ping my ISP's gateway or 8.8.8.8. Additionally, I'm only getting partial web page loads (if they load at all), but I can probably deal with that in another thread. For now, I'd just like the ability to ping anything on the Internet from the firewall. My running config is below and I've sanitized what I thought was appropriate. Any help would be appreciated.

ciscoasa# sh run
: Saved
:
: Serial Number: ***********
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname **********
enable password ******************* encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd **************** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address *.*.*.* *.*.*.*
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa924-k8.bin
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone pst -8
dns domain-lookup outside
dns server-group DefaultDNS
name-server *.*.*.*
name-server *.*.*.*
object-group network obj_any
access-list from_outside extended permit icmp any any echo-reply
access-list from_outside extended permit icmp any any time-exceeded
access-list from_outside extended permit icmp any any unreachable
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside,outside) after-auto source dynamic any interface
access-group from_outside in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http *.*.*.* *.*.*.* inside
http *.*.*.* *.*.*.* outside
http *.*.*.* *.*.*.* outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca **************
******************
******************
quit
telnet timeout 5
ssh stricthostkeycheck
ssh *.*.*.* *.*.*.* inside
ssh *.*.*.* *.*.*.* outside
ssh *.*.*.* *.*.*.* outside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address *.*.*.*-*.*.*.* inside
dhcpd dns *.*.*.* *.*.*.* interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username provost password ****************** encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:******************
: end

Under

GRANT3779 — Fri, 07 Jul 2017 20:10:57 GMT

Under

policy-map global_policy

class inspection_default

add

inspect icmp

First thing i would try for the pinging issue.

Thanks for the suggestion. I

Shane.Toumey — Fri, 07 Jul 2017 20:25:05 GMT

Thanks for the suggestion. I gave it a try but am still unable to ping anything.

icmp permit any echo

GRANT3779 — Fri, 07 Jul 2017 20:37:44 GMT

icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside

not sure it is best practice to do so but may work as I believe this is for traffic directed at asa itself and not through it.

Here are my current access

Shane.Toumey — Fri, 07 Jul 2017 20:53:34 GMT

Here are my current access-list and access-group settings:
access-group from_outside in interface outside
access-list from_outside extended permit icmp any any echo-reply
access-list from_outside extended permit icmp any any time-exceeded
access-list from_outside extended permit icmp any any unreachable
access-list from_outside extended permit icmp any any echo

I'm still unable to ping anything.

I'm starting to think this issue may be related to how the 5505 is interacting with my ISP or cable modem. The cable modem itself has an amber link light. When I was using my consumer firewall before, it worked normally and the light was green. I didn't think anything of it at first because I am (strangely) able to load google.com and occasionally other pages.

Maybe I should shift my focus to figuring out how best to configure the ASA to work as the edge device on my network while connected to a cable modem that uses DHCP.

The icmp permit commands are

GRANT3779 — Fri, 07 Jul 2017 21:00:10 GMT

The icmp permit commands are totally separate from your acls and access-group command.

Did you add them from configuration mode to test?

Can you also post output of show interface eth0/0

I think I understand that now

Shane.Toumey — Fri, 07 Jul 2017 21:07:12 GMT

I think I understand that now. I added the commands you mentioned but still no dice.

Here's the output of sh int eth0/0 and I'm throwing in vlan2 as well.

Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address ****.****.****, MTU not set
        IP address unassigned
        164073 packets input, 82635857 bytes, 0 no buffer
        Received 102948 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        4921 switch ingress policy drops
        29884 packets output, 2582839 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops

Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address ****.****.****, MTU 1500
        IP address *.*.*.*, subnet mask *.*.*.*
Traffic Statistics for "outside":
        159265 packets input, 79200361 bytes
        29886 packets output, 1909165 bytes
        286 packets dropped
      1 minute input rate 10 pkts/sec, 495 bytes/sec
      1 minute output rate 0 pkts/sec, 4 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 10 pkts/sec, 504 bytes/sec
      5 minute output rate 0 pkts/sec, 6 bytes/sec
      5 minute drop rate, 0 pkts/sec

Switch ingress policy drops

GRANT3779 — Fri, 07 Jul 2017 21:20:11 GMT

Switch ingress policy drops stand out on the physical interface.

I would look at this.

Is there a switch in between the asa and isp device or are yiu connected directly to isp device?

Connected directly.

Shane.Toumey — Fri, 07 Jul 2017 21:24:14 GMT

Connected directly.

I would maybe try a few

GRANT3779 — Fri, 07 Jul 2017 21:34:59 GMT

I would maybe try a few different combinations of hard setting duplex and speed of the eth0/0 interface. See if the isp device likes it better.

Enable logging to buffer and see if anything stands out.

Another explanation worth

GRANT3779 — Fri, 07 Jul 2017 21:49:55 GMT

Another explanation worth following up would be amending mtu for asa interface and possibly mss for tcp

sysopt connection tcpmss xxxx

look up the isp device mtu preferred settings online.

Find a happy relationship between them hopefully.

My boss recommended putting a

Shane.Toumey — Wed, 12 Jul 2017 16:34:04 GMT

My boss recommended putting a switch between the modem and ASA. Afterwards I'm able to ping from the ASA out to the Internet.

I'm betting you were right about trying a hard setting for speed and duplex. I'm going to try that next and see if I can eliminate the switch.

I'll post results.