topic Re: Can't ping through ASA in Network Security

Can't ping through ASA

Surtie16 — Mon, 21 Oct 2019 15:04:30 GMT

For some reason I can't ping from my internal network to the external network through the ASA in my network. I have attached a copy of my Packet tracer file. Any help would be appreciated.

Re: Can't ping through ASA

Rob Ingram — Mon, 21 Oct 2019 15:12:03 GMT

Hi,
I don't have packet tracer to load your topology, but try entering the command "fixup protocol icmp" to inspect icmp traffic. If that doesn't work, please attach the running configu of your ASA.

HTH

Re: Can't ping through ASA

Surtie16 — Mon, 21 Oct 2019 15:30:38 GMT

Here is my running config for the ASA

ciscoasa#show run

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

names

!

interface Ethernet0/0

switchport access vlan 30

!

interface Ethernet0/1

switchport access vlan 30

!

interface Ethernet0/2

switchport access vlan 30

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 3

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

nameif outside

security-level 0

ip address 10.0.0.2 255.255.255.252

!

interface Vlan3

no forward interface Vlan30

nameif dmz-zone

security-level 50

ip address 10.20.30.1 255.255.255.0

!

interface Vlan30

no nameif

security-level 100

ip address 172.16.1.21 255.255.255.224

!

object network INSIDE-NET

subnet 172.16.1.0 255.255.255.224

object network dmz-server

host 10.20.30.3

object network dmz-server2

host 10.20.30.2

!

route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

!

access-list icmp extended permit icmp any any

access-list OUTSIDE-DMZ extended permit ip any host 10.20.30.3

access-list OUTSIDE-DMZ extended permit ip any host 10.20.30.2

!

!

access-group icmp in interface outside

object network dmz-server

nat (dmz-zone,outside) static 205.0.1.1

object network dmz-server2

nat (dmz-zone,outside) static 205.0.1.2

!

!

!

!

class-map inspection-default

class-map icmp-class

match default-inspection-traffic

!

policy-map global-policy

class inspection-default

inspect icmp

policy-map icmp_policy

class icmp-class

inspect icmp

!

!

telnet timeout 5

ssh timeout 5

!

dhcpd auto_config outside

!

dhcpd enable

!

!

!

!

!

!

Re: Can't ping through ASA

Rob Ingram — Mon, 21 Oct 2019 15:39:34 GMT

Can you be more specific. What IP address are you pinging from and what IP address are you pinging?
You do not have a NAT defined for the internal network (172.16.1.x) were you expecting this traffic to be natted? Or does the next hop have a route back to the ASA for this traffic?

Re: Can't ping through ASA

Surtie16 — Mon, 21 Oct 2019 15:43:38 GMT

pinging from 204.0.1.0 network to the internal network which is the 172.16.1.0 network. Would setting up NAT for this solve this issue?

Re: Can't ping through ASA

Rob Ingram — Mon, 21 Oct 2019 15:52:25 GMT

So you are actually pinging from outside/external network to inside/internal, not the other way around. Obviously this is a packet tracer lab and not a production network, but is 172.16.1.0 network routable from the outside? Does the next hop of 204.0.1.0 know how to reach 172.16.1.0 network (are there routes define on each hop)? Or is nat required? In which case you'd need to define a static NAT.

Whatever device you are pinging on the 172.16.1.0 network, is it's default gateway the ASA?

Re: Can't ping through ASA

Surtie16 — Mon, 21 Oct 2019 16:06:24 GMT

Setting up NAT has solved the issue. Thank you so much!

Re: Can't ping through ASA

JoeSemos27769 — Tue, 22 Oct 2019 09:59:40 GMT

@Surtie16 Ohh Thank you so much for solving the issue. Hope to be more helpfull further.