Ping to internet from workstation behind ASA 5505

tpalumbo — Mon, 11 Mar 2019 21:06:16 GMT

Hello All,

I have been struggling with this issue. I have a ASA 5505. I want to be able to ping from my workstation to some address, lets say www.yahoo.com. My workstation is connected to Ethernet 0/2. I have tried playing around with the ACL but am not able to accomplish this. Here is my config could somebody please help:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name home.7vnmotorsports.com

names
name 192.168.3.8 XBOX description XBOX Console
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
domain-name home.CLMXTR.com
object-group service XBOX-TCP tcp
description XBOX TCP Port
port-object eq 3074
access-list outside_access_in extended permit tcp any host XBOX object-group XBOX-TCP
pager lines 24
logging enable
logging asdm informational
logging host inside 192.168.3.100
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
ip audit name Reset attack action reset
ip audit interface outside Reset
ip audit attack action alarm reset
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd dns 192.168.1.1 interface inside
dhcpd domain home.CLMXR23.com interface inside
dhcpd update dns both interface inside
dhcpd option 3 ip 192.168.1.1 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context

: end

Thank you in advance.

Ping to internet from workstation behind ASA 5505

varrao — Mon, 01 Aug 2011 06:14:18 GMT

Hi Tony,

You would need to add the following access-list to allow return traffic:

access-list outside_access_in extended permit icmp any any

and it should work fine after that.

Thanks,

Varun

Ping to internet from workstation behind ASA 5505

Tim Schneider — Mon, 01 Aug 2011 10:43:52 GMT

You need to implement ICMP inspectiong to your global policy

Ping to internet from workstation behind ASA 5505

tpalumbo — Mon, 01 Aug 2011 13:48:26 GMT

Thank you all for the answers. Of the two above solutions, what is the difference, which one is better?

Also, should I upgrade the software to 8.4?

Ping to internet from workstation behind ASA 5505

varrao — Mon, 01 Aug 2011 13:58:33 GMT

Both the options does the same thing, there is no difference for ping traffic, you can try any. Upgrading the software is your call, if you are facing any issues, you may otherwise you can stay on same code.

Thanks,

Varun

Ping to internet from workstation behind ASA 5505

tpalumbo — Mon, 01 Aug 2011 14:04:20 GMT

Thank you Varun.

Is there a thread or do you know if the ASA 5505 can me implemented with DynDNS?

topic Ping to internet from workstation behind ASA 5505 in Network Security

Ping to internet from workstation behind ASA 5505

Ping to internet from workstation behind ASA 5505

Ping to internet from workstation behind ASA 5505

Ping to internet from workstation behind ASA 5505

Ping to internet from workstation behind ASA 5505

Ping to internet from workstation behind ASA 5505