topic Re: Reg: ASA inside to outside config in Network Security

Reg: ASA inside to outside config

VijayKumar9803 — Thu, 29 Aug 2019 13:15:45 GMT

Dear All,

I've the ASA device with the following config and the problem to config the inside traffic to outside traffic communication. Kindly share the solution for this.

Note: The device with bgp config.

ping from firewall to 10.101.174.178 -- result success

ping from laptop (lap ip: 192.168.12.35) to 192.168.12.33 -- result success

ping from laptop (lap ip: 192.168.12.35) to 10.101.174.178 -- result fail

Config:

-----------------------------

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.101.174.177 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.12.33 255.255.255.0
!

router bgp 100
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 10.101.174.178 remote-as 200
neighbor 10.101.174.178 activate
network 192.168.12.32 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
route outside 0.0.0.0 0.0.0.0 10.10.101.174.178 1

ASA(config)# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any-1 nat-obj-10.101.174.178
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside_nat interface
translate_hits = 0, untranslate_hits = 0

Regards,

Vijay

Re: Reg: ASA inside to outside config

Rob Ingram — Thu, 29 Aug 2019 14:18:50 GMT

Hi,
Configure inspection for ICMP, enter the command "fixup protocol icmp" this should permit the icmp replies.

HTH

Re: Reg: ASA inside to outside config

VijayKumar9803 — Fri, 30 Aug 2019 07:11:21 GMT

Hi Sir,

Thanks for the reply.

I've used this "fixup protocol icmp" but still facing the same issue. Kindly suggest me for other way of solution.

Regards,

Vijay

Re: Reg: ASA inside to outside config

Rob Ingram — Fri, 30 Aug 2019 07:59:44 GMT

Turn on icmp debug on the ASA "debug icmp trace" and then ping the device from the laptop, provide the output of the logs here for review.

Run packet-tracer from the CLI - e.g. "packet-tracer input inside icmp 192.168.12.35 8 0 10.101.174.178" and provide the full output here.

Also provide your full configuration.

Re: Reg: ASA inside to outside config

VijayKumar9803 — Fri, 30 Aug 2019 08:46:07 GMT

Hi Sir,

The details are sent to you... Kindly help me for the further solution.

Regards,
Vijay

Re: Reg: ASA inside to outside config

Rob Ingram — Fri, 30 Aug 2019 09:05:27 GMT

There is no reason to send me a private message.

You sent this:-

========================from laptop===================
[E:\~]$ ping 10.101.174.178

Pinging 10.100.173.178 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.101.174.178:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Why is it pinging a different IP address (10.100.173.178)?

You didn't send the debug I requested. Does the ping even reach the ASA? The debug would confirm that.

Run a packet capture on the ASA and confirm whether the icmp echo is received on the ASA from the laptop. If not then the laptop is not sending the traffic to the ASA in the first place (which is why the output of the packet-tracert confirms the traffic should be "allowed").

Re: Reg: ASA inside to outside config

VijayKumar9803 — Fri, 30 Aug 2019 16:35:13 GMT

Hi Sir,

As the earlier "fixup protocol icmp" command worked for me....

Thank you so much for your help on this.

Regards,
Vijay