topic Do you see any drops in the in Network Security

Unable to ping ASA outside interface

Cisco Freak — Tue, 12 Mar 2019 07:30:08 GMT

Hi All,

I am not able to ping the outside interface IP from internet. But I can ping from the ASA to internet.

FW# ping 4.2.2.2 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 70/70/70 ms

FW# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside

FW#

Can you please help?

Do you see any drops in the

Marius Gunnerud — Wed, 16 Mar 2016 21:52:04 GMT

Do you see any drops in the ASDM real time log viewer when you ping the outside IP?

Just for testing could you add permit icmp any any on the outside interface ACL?

What version ASA are you running?

Please remember to select a correct answer and rate helpful posts

I tried permitting ICMP in

Cisco Freak — Fri, 18 Mar 2016 16:00:41 GMT

I tried permitting ICMP in the outside ACL. But still no luck.

I am running asa9.1(7).

Do a "debug icmp trace" on

Dinesh Moudgil — Fri, 18 Mar 2016 16:16:37 GMT

Do a "debug icmp trace" on the ASA while pinging to see if you get the pings from the host on internet.

I hope you don't have a static nat translating everything to an internal resource.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi Dinesh,

Cisco Freak — Fri, 18 Mar 2016 16:44:12 GMT

Hi Dinesh,

I can't do a debug on the device since its production ASA. However, I created packet capture on the ASA. But it doesn't show any hits.

fw-01# sh access-list Test
access-list Test; 2 elements; name hash: 0x173428b0
access-list Test line 1 extended permit icmp host x.x.x.x any4 (hitcnt=0) 0x0b3d0029
access-list Test line 2 extended permit icmp any4 host x.x.x.x (hitcnt=0) 0x5c57c3b6

fw-01# sh capture
capture Test type raw-data access-list Test buffer 2000 interface outside headers-only [Capturing - 0 bytes]
fw-01#

Also, I have ran packet-tracer for ICMP type 8 code 0 from 4.2.2.2 to outside public IP:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

It shows that the packet will be allowed.

There is not static NAT to translate everything into internal.

Is this ASA internet facing

Dinesh Moudgil — Fri, 18 Mar 2016 17:39:49 GMT

Is this ASA internet facing device ?

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Yes, it is.

Cisco Freak — Fri, 18 Mar 2016 19:19:58 GMT

Yes, it is.

Check if there are no drops

Dinesh Moudgil — Fri, 18 Mar 2016 19:29:07 GMT

Check if there are no drops on ASA (run "cap asp type asp-drop all" and do "show cap asp | in <ASA IP>" to check that),

BTW does any other service works (SSH/Telnet/HTTP) ?

Send the output of "show run nat " along with all object-groups associated with it.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi,

Aditya Ganjoo — Fri, 18 Mar 2016 23:48:17 GMT

Hi,

It seems we are getting ping drops on the ASA outside interface.

Use an asp-drop capture and also check the syslogs of the ASA.

Share the output of show cap asp | in outside IP

Regards,

Aditya

Please rate helpful posts.