topic In addition to what JP in Network Security

Cisco ASA 5505 not pinging Google or computers on the Interfaces

jdamico — Tue, 12 Mar 2019 09:23:24 GMT

Hi Everyone,

I am currently training for my CCENT and plan on getting my CCNA, but unfortunately our network engineer left the organization and all of his responsibilities have landed on my shoulders. I have been scrapping by thanks to google and our online training program, but this has got me stuck. We have a small off site facility with only 3 devices and a Cisco ASA 5505. Unfortunately that device broke and we had to purchase a new ASA which I am now configuring. I cannot for the life of me get this to ping 8.8.8.8 or an internal IP Address. I believe the issue lies with the NAT settings, but almost every guide I find is using the Global command which is apparently no longer in use. I also found cisco's guide on the change, but I don't understand enough of it to apply the change to this ASA. Please take a look at the running config and let me know if you see anything wrong. I also want to set up and use ASDM just like our other 2 firewalls, so if you see any settings missing from that, I would appreciate the help as well.

If you have a moment to explain the commands, so I can learn from this mistake, I would greatly appreciate the information.

Thank you!

NOTE: I replaced any confidential information with "?" and our Hostname with "HOSTNAME"

HOSTNAME# sh run
: Saved
:
: Serial Number: ????????????
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(6)
!
hostname HOSTNAME
enable password ???????????? encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.66 255.255.255.0
!
interface Vlan2
nameif Outside
security-level 0
ip address 192.168.4.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-subnet
subnet 192.168.5.0 255.255.255.0
object network dmz-subnet
subnet 192.168.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-subnet
nat (inside,Outside) dynamic interface
route Outside 0.0.0.0 0.0.0.0 192.168.5.254 1
route Outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.5.66 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 192.168.5.254
dhcpd auto_config Outside
!
dhcpd address 192.168.5.10-192.168.5.20 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ?????? password ???????????? encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bc027647fbf5752b0952b684a2e3e30c
: end

Hi jdamico@tgcaz.org,

JP Miranda Z — Fri, 19 May 2017 01:35:06 GMT

Hi jdamico@tgcaz.org,

Considering you outside interface is part of the network 192.168.4.0/24 your route to the outside should be part of that network:

Current routes:

route Outside 0.0.0.0 0.0.0.0 192.168.5.254 1 --remove
route Outside 0.0.0.0 0.0.0.0 192.168.1.254 1 --remove

New route:

route Outside 0.0.0.0 0.0.0.0 192.168.4.x

The nat seems fine.

Hope this info helps!!

Rate if helps you!!

-JP-

In addition to what JP

Marvin Rhoads — Fri, 19 May 2017 04:52:17 GMT

In addition to what JP correctly noted, an ASA does not by default inspect icmp traffic and thus ping through the device will never work as the icmp echo reply messages will be droppped at the outside interface.

Also, generally speaking ping is not the best test to use for connectiivty as it might work while communications requiring an actual connection (i.e. TCP 3-way handshake) will not work due to any number of reasons that wold not be shown via a simple ping. I recommend testing via actual representative user traffic like browsing to the Internet or, for a sys admin, logging into a device on the other side of the firewall via RDP, ssh or telnet or such.

To fix the ping issue, you can add the inspection as follows:

policy-map global_policy
  class inspection_default
    inspect icmp

Thank you for your help JP,

jdamico — Fri, 19 May 2017 22:23:53 GMT

Thank you for your help JP, but that unfortunately didn't fix the issue. I cannot access the internet or access the site for ASDM. I attached the new sh run, just in case.

I also did not know that Marvin, thank you.

Some topology.

Interface 0 - Incoming from Modem.

Interface 7 - Laptop.

Are you able to ping the

Marvin Rhoads — Sat, 20 May 2017 03:49:58 GMT

Are you able to ping the upstream gateway (modem address 192.168.4.66) from an inside computer?

Hi Marvin/JP,

jdamico — Wed, 24 May 2017 22:08:54 GMT

Hi Marvin/JP,

Sorry, This past week has been absolutely crazy with issues, hopefully things will slow down so I can get this set up and running. I had a few minutes to plug it in and try pinging 192.168.4.66, which failed. I looked at the default gateway that I was getting on the computer plugged into interface 7, this gateway showed as 192.168.5.66. Which I was able to ping. I am at a loss at what to try next.

Thank you for any knowledge you can pass on!

-JD

If you cannot reach the

Marvin Rhoads — Thu, 25 May 2017 08:06:40 GMT

If you cannot reach the default gateway from the ASA then you certainly won't be able to reach anything on the Internet.

Are you sure you have the gateway address correct? .66 is a bit of an odd address for a gateway on a /24 subnet. .1 or .254 would be much more common.

See if you can resolve that and let us know if you can.

Hi Marvin,

jdamico — Fri, 26 May 2017 16:49:43 GMT

Hi Marvin,

I had followed a guide online step by step and after seeing what you posted and thinking about it, you are correct, the default gateway was 192.168.1.1. After switching this over I am good to go. Now to configure the site to site vpn.

Thank you for your help!

-JD