https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137325#M878878 <HTML><HEAD></HEAD><BODY><P>Hello Pascal,</P><P> Please do the following</P><P></P><P>(Assuming that NAT for internet connection etc does not take place in router for 192.168.1.0/24 network)</P><P>nat (inside) 1 0 0</P><P>global (outside) 1 interface</P><P></P><P>interface Vlan2</P><P> security 0</P><P> </P><P>no same-security-traffic permit inter-interface </P><P>no same-security-traffic permit intra-interface </P><P>no access-list inside_access_in extended permit ip any any </P><P>no access-list outside_access_in extended permit ip any any </P><P>no access-group inside_access_in in interface inside </P><P>no access-group outside_access_in in interface outside </P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect icmp</P><P></P><P>Regards</P><P></P></BODY></HTML> Fri, 12 Dec 2008 17:33:46 GMT Alan Huseyin Kayahan 2008-12-12T17:33:46Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137317#M878865 <P>Hello,</P><P></P><P>I'm a newbie on ASA, I need some assistance.</P><P></P><P>I have this schema.</P><P></P><P>Host 192.168.1.0/ ---&gt; ASA INSIDE -----&gt;ASA OUTSIDE ------&gt; to my interface router</P><P></P><P>From host 192.168.1.0/24 I can ping INSIDE interface from my ASA but I cannot ping interface OUTISIDE and no interface from my router at this address 172.16.0.5/252</P><P></P><P>Under my conf.</P><P></P><P>ASA Version 7.2(4)</P><P>!</P><P>hostname ciscoasa</P><P>domain-name default.domain.invalid</P><P>enable password 1I5BT/dHhpGbnQvr encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>!</P><P>interface Vlan1</P><P>nameif inside</P><P>security-level 100</P><P>ip address 192.168.1.1 255.255.255.0</P><P>!</P><P>interface Vlan2</P><P>nameif outside</P><P>security-level 100</P><P>ip address 172.16.0.6 255.255.255.252</P><P>!</P><P>interface Ethernet0/0</P><P>switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P>domain-name default.domain.invalid</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>access-list inside_access_in extended permit ip any any</P><P>access-list outside_access_in extended permit ip any any</P><P>pager lines 24</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-524.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>access-group inside_access_in in interface inside</P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 172.16.0.5 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>dhcpd auto_config outside</P><P>!</P><P>dhcpd address 192.168.1.2-192.168.1.33 inside</P><P>dhcpd enable inside</P><P>!</P><P></P><P>username admin password p1ClWSkbSujddlxc encrypted</P><P>!</P><P>class-map inspection_default</P><P>match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P>parameters</P><P>message-length maximum 512</P><P>policy-map global_policy</P><P>class inspection_default</P><P>inspect dns preset_dns_map</P><P>inspect ftp</P><P>inspect h323 h225</P><P>inspect h323 ras</P><P>inspect rsh</P><P>inspect rtsp</P><P>inspect esmtp</P><P>inspect sqlnet</P><P>inspect skinny</P><P>inspect sunrpc</P><P>inspect xdmcp</P><P>inspect sip</P><P>inspect netbios</P><P>inspect tftp</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context</P><P>Cryptochecksum:885202205e413b4a47e7f59d572ef3d7</P><P>: end</P><P></P> Mon, 11 Mar 2019 14:25:27 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137317#M878865 p.maillot 2019-03-11T14:25:27Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137318#M878866 <HTML><HEAD></HEAD><BODY><P>From the inside host you are not allowed to ping the outside interface (that's part of the security of the firewall). From the router you should be able to ping the outside IP though. Try adding this line-</P><P></P><P>icmp permit any outside</P><P></P><P>Try pinging and if it fails, take a look at the log <B>show logging buff | inc ICMP</B> and see where it's failing.</P><P></P><P>Hope that helps.</P></BODY></HTML> Fri, 12 Dec 2008 16:26:47 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137318#M878866 Collin Clark 2008-12-12T16:26:47Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137319#M878867 <HTML><HEAD></HEAD><BODY><P>Thank Collin but no change with</P><P></P><P>icmp permit any outside and icmp permit any inside</P><P></P><P>This command don't exist show logging buff | inc ICMP.</P><P></P><P>I can do only</P><P></P><P>ciscoasa# sh logging ?</P><P></P><P> asdm Show ASDM syslog buffer content</P><P> message Show enabled and disabled messages at non-default level</P><P> queue Show syslog queue</P><P> setting Show syslog setting</P><P> | Output modifiers</P><P> <CR></CR></P><P></P><P></P><P> </P></BODY></HTML> Fri, 12 Dec 2008 16:41:43 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137319#M878867 p.maillot 2008-12-12T16:41:43Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137320#M878869 <HTML><HEAD></HEAD><BODY><P>try access-list outside_access_in extended permit icmp any any </P><P></P><P>Francisco</P></BODY></HTML> Fri, 12 Dec 2008 16:48:55 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137320#M878869 francisco_1 2008-12-12T16:48:55Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137321#M878871 <HTML><HEAD></HEAD><BODY><P>Sorry, <B>show logging</B> is correct.</P></BODY></HTML> Fri, 12 Dec 2008 16:56:57 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137321#M878871 Collin Clark 2008-12-12T16:56:57Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137322#M878873 <HTML><HEAD></HEAD><BODY><P>Always same problem with</P><P></P><P>access-list outside_access_in extended permit icmp any any</P><P></P><P>And after sh logging?</P><P></P><P>ciscoasa# sh logging</P><P>Syslog logging: disabled</P><P> Facility: 20</P><P> Timestamp logging: disabled</P><P> Standby logging: disabled</P><P> Deny Conn when Queue Full: disabled</P><P> Console logging: disabled</P><P> Monitor logging: disabled</P><P> Buffer logging: disabled</P><P> Trap logging: disabled</P><P> History logging: disabled</P><P> Device ID: disabled</P><P> Mail logging: disabled</P><P> ASDM logging: level informational, 0 messages logged</P></BODY></HTML> Fri, 12 Dec 2008 17:10:12 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137322#M878873 p.maillot 2008-12-12T17:10:12Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137323#M878876 <HTML><HEAD></HEAD><BODY><P>should work.</P><P></P><P>access-list outside_access_in permit icmp any any echo-reply</P><P>access-list outside_access_in permit icmp any any source-quench </P><P>access-list outside_access_in permit icmp any any unreachable </P><P>access-list outside_access_in permit icmp any any time-exceeded</P><P></P></BODY></HTML> Fri, 12 Dec 2008 17:18:27 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137323#M878876 francisco_1 2008-12-12T17:18:27Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137324#M878877 <HTML><HEAD></HEAD><BODY><P>Same problem with.</P><P></P><P>access-list outside_access_in permit icmp any any echo-reply</P><P>access-list outside_access_in permit icmp any any source-quench</P><P>access-list outside_access_in permit icmp any any unreachable</P><P>access-list outside_access_in permit icmp any any time-exceeded </P><P></P><P></P></BODY></HTML> Fri, 12 Dec 2008 17:30:33 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137324#M878877 p.maillot 2008-12-12T17:30:33Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137325#M878878 <HTML><HEAD></HEAD><BODY><P>Hello Pascal,</P><P> Please do the following</P><P></P><P>(Assuming that NAT for internet connection etc does not take place in router for 192.168.1.0/24 network)</P><P>nat (inside) 1 0 0</P><P>global (outside) 1 interface</P><P></P><P>interface Vlan2</P><P> security 0</P><P> </P><P>no same-security-traffic permit inter-interface </P><P>no same-security-traffic permit intra-interface </P><P>no access-list inside_access_in extended permit ip any any </P><P>no access-list outside_access_in extended permit ip any any </P><P>no access-group inside_access_in in interface inside </P><P>no access-group outside_access_in in interface outside </P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect icmp</P><P></P><P>Regards</P><P></P></BODY></HTML> Fri, 12 Dec 2008 17:33:46 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137325#M878878 Alan Huseyin Kayahan 2008-12-12T17:33:46Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137326#M878880 <HTML><HEAD></HEAD><BODY><P>nat (inside) 1 192.168.1.0 255.255.255.0</P><P>global (outside) 1 interface</P><P></P><P>Jon</P></BODY></HTML> Fri, 12 Dec 2008 17:35:12 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137326#M878880 Jon Marshall 2008-12-12T17:35:12Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137327#M878881 <HTML><HEAD></HEAD><BODY><P>now why didnt i though of that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>good job jon</P></BODY></HTML> Fri, 12 Dec 2008 17:36:46 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137327#M878881 francisco_1 2008-12-12T17:36:46Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137328#M878883 <HTML><HEAD></HEAD><BODY><P>Same problem. See my last conf</P><P></P><P>ASA Version 7.2(4)</P><P>!</P><P>hostname ciscoasa</P><P>domain-name default.domain.invalid</P><P>enable password 1I5BT/dHhpGbnQvr encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0</P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address 172.16.0.6 255.255.255.252</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name default.domain.invalid</P><P>access-list outside_access_in extended permit icmp any any echo-reply</P><P>access-list outside_access_in extended permit icmp any any source-quench</P><P>access-list outside_access_in extended permit icmp any any unreachable</P><P>access-list outside_access_in extended permit icmp any any time-exceeded</P><P>pager lines 24</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any outside</P><P>asdm image disk0:/asdm-524.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>global (outside) 1 interface</P><P>nat (inside) 1 192.168.1.0 255.255.255.0</P><P>route outside 0.0.0.0 0.0.0.0 172.16.0.5 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>dhcpd auto_config outside</P><P>!</P><P>dhcpd address 192.168.1.2-192.168.1.33 inside</P><P>dhcpd enable inside</P><P>!</P><P></P><P>username admin password p1ClWSkbSujddlxc encrypted</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P> inspect icmp</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context</P><P>Cryptochecksum:885202205e413b4a47e7f59d572ef3d7</P><P>: end</P><P>ciscoasa(config)#</P></BODY></HTML> Fri, 12 Dec 2008 18:04:45 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137328#M878883 p.maillot 2008-12-12T18:04:45Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137329#M878885 <HTML><HEAD></HEAD><BODY><P>use "sh logg | inc icmp" under CLI and post outout. </P><P></P></BODY></HTML> Fri, 12 Dec 2008 18:16:17 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137329#M878885 francisco_1 2008-12-12T18:16:17Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137330#M878886 <HTML><HEAD></HEAD><BODY><P>Config looks OK, now please explain the problem in details. Please keep in mind that by default, you can NOT! ping the inside interface of ASA from your router connected to outside interface. And with this configuration, you can NOT! ping hosts in 192.168.1.0/24 on their actual IPs since they are NATed. If you describe what you exactly want to achieve, then we will advise accordingly</P></BODY></HTML> Fri, 12 Dec 2008 18:21:21 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137330#M878886 Alan Huseyin Kayahan 2008-12-12T18:21:21Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137331#M878887 <HTML><HEAD></HEAD><BODY><P>When I use "sh logg | inc icmp" under CLI, nothing appears. </P><P></P><P></P></BODY></HTML> Fri, 12 Dec 2008 18:22:01 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137331#M878887 p.maillot 2008-12-12T18:22:01Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137332#M878888 <HTML><HEAD></HEAD><BODY><P>From my host 192.168.1.2 I want to ping interface of my routeur 172.16.0.5/30</P><P></P><P>From my host to ASA Inside interface = OK</P><P>From my host to ASA Outiside interface = NOK</P><P>From my router to ASA Outiside interface = OK</P><P>From my router to my Host = NOK</P><P></P><P></P></BODY></HTML> Fri, 12 Dec 2008 18:31:01 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137332#M878888 p.maillot 2008-12-12T18:31:01Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137333#M878889 <HTML><HEAD></HEAD><BODY><P>"From my host to ASA Outiside interface = NOK "</P><P></P><P>This is the default non-changeable behaviour which has no affect on your network</P><P></P><P>"From my router to my Host = NOK "</P><P>To achieve this, do the following modification</P><P></P><P>access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 172.16.0.4 255.255.255.252</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P></P><P></P><P>"From my host 192.168.1.2 I want to ping interface of my routeur 172.16.0.5/30 "</P><P></P><P>You should be able to be doing this right now, check your host if it has the default gateway of 192.168.1.1. !If windows firewall is enabled, and you have an exception added for PING, keep in mind that the exceptions work only for same subnet, so you wont be able to receive ping replies from another subnet like our router's interface. So either manually enter exception for 172 subnet or temporarily disable the windows firewall for testing purposes!</P><P></P><P></P><P></P></BODY></HTML> Fri, 12 Dec 2008 18:33:43 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137333#M878889 Alan Huseyin Kayahan 2008-12-12T18:33:43Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137334#M878890 <HTML><HEAD></HEAD><BODY><P>Thank you a lot husycisco.........</P><P></P><P>Now from host I can ping my router but why from my router I cannot ping the host?</P><P>It's normal?</P><P></P></BODY></HTML> Fri, 12 Dec 2008 18:49:10 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137334#M878890 p.maillot 2008-12-12T18:49:10Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137335#M878891 <HTML><HEAD></HEAD><BODY><P>Try this,</P><P> In router, just type ping then press enter. Enter the destination address, then press enter to accept defaults for other settings untill extended options which states [n]. Press y when extended options is asked, it will ask you "source interface", type in 172.16.0.5, then press enter for all other options and see if ping is successfull</P></BODY></HTML> Fri, 12 Dec 2008 18:52:55 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137335#M878891 Alan Huseyin Kayahan 2008-12-12T18:52:55Z https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137336#M878892 <HTML><HEAD></HEAD><BODY><P>Pascal,</P><P> Any update?</P><P></P><P>*Please rate helpful posts</P></BODY></HTML> Fri, 12 Dec 2008 20:21:39 GMT https://community.cisco.com/t5/network-security/basic-conf-asa-5505/m-p/1137336#M878892 Alan Huseyin Kayahan 2008-12-12T20:21:39Z