
ICMP to Next Hop with ASA

Steven Williams
Level 4

I am thinking my issue is NAT, but I am wondering about how to get this to work. 

 

I have the following setup:

[Switch]---[ASA]---[Cloudgenix]---[ISP]

 

The Cloudgenix is doing the NAT for the internet because that is the best method when you are connecting multiple ISPs to the SD-WAN device, rather than doing something like policy-based routing from downstream devices.

 

So that being said, the "outside" interface is connected to the inside LAN port on the SD-WAN device and runs a /29 between the two. There is no NAT configured for the outside interface. So when I try to ping the next hop, it doesn't work. From what I am reading, it's because there is not a NAT. If this is true, how can you get this to work for troubleshooting?


Seb Rupik
VIP Alumni

Hi there,

You have two options. Either configure NAT on the ASA to translate all ASA-inside subnets to the ASA-outside interface.

Or, configure routes on the Cloudgenix directing traffic to the ASA-inside subnets to the ASA-outside interface IP address.

 

cheers,

Seb.

Yes I am doing that. The issue is from the ASA I cannot ping the next hop LAN IP of the cloudgenix.

ping outside 10.153.176.1

I just get ????

What is the output of:

sh nameif
sh int ip br
sh route

 

cheers,

Seb.

SJ-ASA01/pri/act# show nameif
Interface                Name         Security
GigabitEthernet1/1       outside      0
GigabitEthernet1/2       inside       100
GigabitEthernet1/3       hotspot      25
GigabitEthernet1/4       comcast      0

!

!
SJ-ASA01/pri/act# show int ip br
Interface                IP-Address      OK? Method Status                Protocol
Virtual0                 127.1.0.1       YES unset  up                    up
GigabitEthernet1/1       10.153.176.5    YES manual up                    up
GigabitEthernet1/2       10.81.176.10    YES CONFIG up                    up
GigabitEthernet1/3       192.168.176.10  YES CONFIG up                    up
GigabitEthernet1/4       96.66.66.110    YES CONFIG up                    up
GigabitEthernet1/5       unassigned      YES unset  administratively down down
GigabitEthernet1/6       unassigned      YES unset  administratively down down
GigabitEthernet1/7       1.1.1.1         YES unset  up                    up
GigabitEthernet1/8       2.2.2.1         YES unset  up                    up
Internal-Control1/1      127.0.1.1       YES unset  up                    up
Internal-Data1/1         unassigned      YES unset  up                    up
Internal-Data1/2         unassigned      YES unset  up                    up
Internal-Data1/3         unassigned      YES unset  up                    up
Internal-Data1/4         169.254.1.1     YES unset  up                    up
Management1/1            unassigned      YES unset  up                    up

!

!

!

SJ-ASA01/pri/act# show route connected

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 96.66.77.110 to network 0.0.0.0

C 1.1.1.0 255.255.255.252 is directly connected, folink
L 1.1.1.1 255.255.255.255 is directly connected, folink
C 2.2.2.0 255.255.255.252 is directly connected, statelink
L 2.2.2.1 255.255.255.255 is directly connected, statelink
C 10.81.176.0 255.255.255.0 is directly connected, inside
L 10.81.176.10 255.255.255.255 is directly connected, inside
C 10.153.176.0 255.255.255.248 is directly connected, outside
L 10.153.176.5 255.255.255.255 is directly connected, outside
C 96.66.77.104 255.255.255.248 is directly connected, comcast
L 96.66.77.105 255.255.255.255 is directly connected, comcast
C 192.168.176.0 255.255.255.0 is directly connected, hotspot
L 192.168.176.10 255.255.255.255 is directly connected, hotspot

!

!

!

SJ-ASA01/pri/act# show run route
route outside 0.0.0.0 0.0.0.0 10.153.176.1 1 track 1
route comcast 0.0.0.0 0.0.0.0 96.66.77.110 2
SJ-ASA01/pri/act#
