topic Re: Cannot ping Outside interface in ASA at home in Network Security

Cannot ping Outside interface in ASA at home

bvn63 — Fri, 21 Feb 2020 16:28:37 GMT

Hello,

I have a problem on Cisco Asa. Here are my config:

object network PARTNER-NETOBJ
subnet 10.175.0.0 255.255.0.0
nat (PARTNER,outside) dynamic AAA.AAA.AAA.AAA

object-group service PARTNER-SEROBJ
service-object tcp destination eq www
service-object tcp destination eq domain
service-object udp destination eq domain
service-object tcp destination eq https
service-object icmp echo-reply
service-object icmp
service-object tcp destination eq 8000
service-object tcp destination eq 8082
service-object tcp destination eq 3306
service-object tcp destination eq ssh
service-object icmp echo

access-group OUT-IN-ACL in interface outside

access-list OUT-IN-ACL extended permit object-group PARTNER-SEROBJ any object PARTNER-NETOBJ log

class-map inspection_default
match default-inspection-traffic

!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect dns
inspect icmp
class FTP-CM
inspect ftp

!
service-policy global_policy global

- inside clients can access and ping to any web

- At home I cannot ping to AAA.AAA.AAA.AAA, I think it blocked by ASA and I use capture command to check

capture capin interface outside match icmp any any
capture capout interface partner match icmp any any

show capture capin

178: 11:49:26.455832 802.1Q vlan#2 P0 123.30.114.xxx > AAA.AAA.AAA.AAA : icmp: echo request
179: 11:49:31.456092 802.1Q vlan#2 P0 123.30.114.xxx > AAA.AAA.AAA.AAA : icmp: echo request

show capture capout

0 packet captured

0 packet shown

As information above, I see my IP Addr at home send icmp packet to AAA.AAA.AAA.AAA but it doesn't send back echo reply and I also check log in ASA and didn't see any icmp.

Could anyone help me ?

Thank you.

Sang.

Re: Cannot ping Outside interface in ASA at home

k.nandakumar — Fri, 16 Nov 2018 05:39:45 GMT

Since its One-to-One NAT why do you use Dynamic ?

object network PARTNER-NETOBJ
host 10.175.4.10
nat (PARTNER,outside) dynamic AAA.AAA.AAA.AAA

Change to

object network PARTNER-NETOBJ
host 10.175.4.10
nat (PARTNER,outside) static AAA.AAA.AAA.AAA

Re: Cannot ping Outside interface in ASA at home

bvn63 — Fri, 16 Nov 2018 06:01:37 GMT

Hi Nandakumar,

Sorry I post wrong info, I change it to

object network PARTNER-NETOBJ
host 10.175.4.10

subnet 10.175.0.0 255.255.0.0

Re: Cannot ping Outside interface in ASA at home

k.nandakumar — Fri, 16 Nov 2018 06:06:10 GMT

Enable "inspect icmp" under class map.

Also enable logging and provide the log message.

Re: Cannot ping Outside interface in ASA at home

bvn63 — Fri, 16 Nov 2018 06:10:56 GMT

inspect icmp enabled under class map and i check log and didn't see any icmp

Re: Cannot ping Outside interface in ASA at home

Marvin Rhoads — Fri, 16 Nov 2018 06:11:34 GMT

Since your nat is dynamic many-to-one, you will not be able to initiate traffic inbound as the ASA would have no way of knowing which of the hosts in the 10.175.0.0 network to send the traffic to.

You could only do that if you have a static 1-1 nat.

Re: Cannot ping Outside interface in ASA at home

bvn63 — Fri, 16 Nov 2018 06:19:57 GMT

Hi Marvin,

Thank you for suggesting, I change it to static and it worked, thank you so much.

Also I thank you Nandakumar.

Sang.

Re: Cannot ping Outside interface in ASA at home

bvn63 — Thu, 22 Nov 2018 08:49:39 GMT

Hi Marvin,

I have configured a static 1-1 nat as your advise

object network PARTNER-NETOBJ-NAT-10.175.4.10---1-1

host 10.175.4.10

nat (Partner,outside) static AAA.AAA.AAA.AAA

I ping to AAA.AAA.AAA.AAA from my home and it worked. After I configure one more static 1-1 nat to another server

object network PARTNER-NETOBJ-NAT-10.175.4.12---1-1

host 10.175.4.12

nat (Partner,outside) static AAA.AAA.AAA.AAA

and I also can ping to AAA.AAA.AAA.AAA from my home but if I power off server (10.175.4.10) then I cannot ping to AAA.AAA.AAA.AAA.

How do I can ping to one of servers while another server off ?

- Also I configured NAT https port for mail exchange but I access it from my home and it doesn't work (https:\\mail.abc.name.vn\owa), I cannot see any traffic from my home to mail exchange server and asa logging via https.

object network PARTNER-NETOBJ
subnet 10.175.0.0 255.255.0.0
nat (PARTNER,outside) dynamic AAA.AAA.AAA.AAA

object network PARTNER-NETOBJ-NAT-10.175.4.10---1-1
host 10.175.4.10

object network PARTNER-NETOBJ-NAT-10.175.4.10---8000
host 10.175.4.10
nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp 8000 8000

object network PARTNER-NETOBJ-NAT-10.175.4.10---8082
host 10.175.4.10
nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp 8082 8082

object network PARTNER-NETOBJ-NAT-10.175.4.10---3306
host 10.175.4.10
nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp 3306 3306

-----
Mail Server Exchange

object network PARTNER-NETOBJ-NAT-10.175.4.12---1-1
host 10.175.4.12
nat (PARTNER,outside) static AAA.AAA.AAA.AAA

object network PARTNER-NETOBJ-NAT-10.175.4.12---25
host 10.175.4.12
nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp smtp smtp

object network PARTNER-NETOBJ-NAT-10.175.4.12---443
host 10.175.4.12
nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp https https

object network PARTNER-NETOBJ-NAT-10.175.4.12---80
host 10.175.4.12
nat (PARTNER,outside) static AAA.AAA.AAA.AAA service tcp www www

---------

object-group service PARTNER-SEROBJ-10.175.4.10
service-object tcp destination eq www
service-object tcp destination eq domain
service-object udp destination eq domain
service-object tcp destination eq 8000
service-object tcp destination eq 8082
service-object tcp destination eq 3306

object-group service PARTNER-SEROBJ-10.175.4.12
service-object tcp destination eq www
service-object tcp destination eq domain
service-object udp destination eq domain
service-object tcp destination eq smtp
service-object tcp destination eq https

access-list OUT-IN-ACL extended permit object-group PARTNER-SEROBJ-10.175.4.12 any object PARTNER-NETOBJ-NAT-10.175.4.12---1-1 log
access-list OUT-IN-ACL extended permit object-group PARTNER-SEROBJ-10.175.4.10 any object PARTNER-NETOBJ-NAT-10.175.4.10---1-1 log

access-group OUT-IN-ACL in interface outside

Can you help me ?

Thank you so much.

Sang.

Re: Cannot ping Outside interface in ASA at home

Marvin Rhoads — Thu, 22 Nov 2018 09:57:34 GMT

I'm not sure why turning off one server would break access to another one.

When you have a mix of dynamic and static NATs for a given interface, put the dynamic NAT last in the list.

Re: Cannot ping Outside interface in ASA at home

Sheraz.Salim — Thu, 22 Nov 2018 10:29:30 GMT

Enable "inspect icmp" under class map.

giving this command will enable ping reply from every interface.

the best is define an access-list

access-list XXXX permit icmp any priviate-server echo

access-group XXX in interface (outside/dmz etc)

Re: Cannot ping Outside interface in ASA at home

bvn63 — Fri, 23 Nov 2018 06:50:44 GMT

Hi Marvin,

Thank you for your suggestion on how to change NAT priority, I delete Dynamic NAT and recreate it and it worked. Again thank you so much.
Sang