ASA 5520: Not able to ping outside n/w from inside interface

ameyahanamsagar — Tue, 12 Mar 2019 04:30:13 GMT

Hello,

I am new to ASA. I have set up a lab in GNS3.

I cannot ping the outside interface from inside or vice versa. I have tried adding ACL's, inspect icmp and everything that I found while searching for the solution.

My Current running config is:

ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 10.0.0.1 255.0.0.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
interface Port-channel1
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network nonat
access-list outside_access_out extended permit tcp any eq echo any eq echo
access-list outside_access_out extended permit ip any any
access-list outside_access_out extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list inside_access_out extended permit tcp any eq echo any eq echo
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq echo
access-list inside_access_in extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq echo
access-list outside_access_in extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
!
router ospf 1
network 10.0.0.0 255.0.0.0 area 0
network 172.16.0.0 255.255.255.0 area 0
log-adj-changes
!
route inside 192.168.1.0 255.255.255.0 172.16.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.1 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ameya password xxxxxxxxxxxxxxx encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:69a533dbabc0f5a84aaeee0c2054746a
: end
ciscoasa(config)#

Pings even dont work when I ping from outside interface to inside interface and vice versa.

ciscoasa# ping inside 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa# ping outside 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#

Hi ameyahanamsagar Ping from

rvarelac — Mon, 21 Jul 2014 18:07:52 GMT

Hi ameyahanamsagar

Ping from your inside interface to the outside interface is not allowed on the ASA.

Try to create a virtual machine and do the test or create a LAN environment, I'm pretty sure ping should work fine as long as the ASA keeps reachable .

I would add to the configuration:

ICMP permit any echo-reply in

ICMP permit any echo-reply out

Hope this help !

- Randy -

Hi,You are using too much

turbo_engine26 — Tue, 29 Jul 2014 04:50:45 GMT

Hi,

You are using too much ACLs in your configuration. Keep in mind that, by default, traffic from higher security interface (inside) is allowed to lower security interface (outside) without the need for any ACL. The only ACL you need is for traffic comes from outside to inside in the inbound interface direction. The "out" keyword is rarely used and should be avoided as it is only used for specific scenarios. Also, remove the current NAT configs and just create a simple dynamic PAT using Auto-NAT for the inside subnet. Twice NAT is a bit complex and used for specific situations.

I suggest to use the following configs:

access-list Outside_IN extended permit icmp any any echo (Not recommended in production)

access-list Outside_IN extended permit icmp any any echo-reply

access-group Outside-IN in interface outside

object network Inside_Subnet

subnet 172.16.0.0 255.255.255.0

nat (inside,outside) dynamic interface

I also suggest to ping live machines rather than ASA's own interfaces.

topic Hi,You are using too much in Network Security

ASA 5520: Not able to ping outside n/w from inside interface

Hi ameyahanamsagar Ping from

Hi,You are using too much