Unable to ping from ASA 5520 to outside

Okay, this is my first time here. I am setting up a home lab: Router (2921) to a layer 3 switch (3560) to an ASA (5520). The router to layer 3 switch works fine. On the switch I have 2 VLANs set up (VLAN 1 10.4.0.1/24, VLAN 2 10.3.0.1/24). Connected directly to the switch is my ASA, on which I gave the outside interface the IP address 10.4.0.2/24. From the switch I can ping the outside interface of the ASA. However, from my ASA I cannot ping anything except 10.4.0.1.

 

switch config

 


!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2,99
!
!
!
interface FastEthernet2/0/1
no switchport
ip address 10.2.0.2 255.255.255.0
!
interface FastEthernet2/0/2
!
interface FastEthernet2/0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet2/0/4
switchport access vlan 2
switchport mode access
!
interface FastEthernet2/0/5
switchport access vlan 2
switchport mode access
!
interface FastEthernet2/0/6
!
interface FastEthernet2/0/7
!
interface FastEthernet2/0/8
!
interface FastEthernet2/0/9
!
interface FastEthernet2/0/10
!
interface FastEthernet2/0/11
!
interface FastEthernet2/0/12
!
interface FastEthernet2/0/13
!
interface FastEthernet2/0/14
!
interface FastEthernet2/0/15
!
interface FastEthernet2/0/16
!
interface FastEthernet2/0/17
!
interface FastEthernet2/0/18
!
interface FastEthernet2/0/19
!
interface FastEthernet2/0/20
!
interface FastEthernet2/0/21
!
interface FastEthernet2/0/22
!
interface FastEthernet2/0/23
!
interface FastEthernet2/0/24
!
interface FastEthernet2/0/25
!
interface FastEthernet2/0/26
!
interface FastEthernet2/0/27
!
interface FastEthernet2/0/28
!
interface FastEthernet2/0/29
!
interface FastEthernet2/0/30
!
interface FastEthernet2/0/31
!
interface FastEthernet2/0/32
!
interface FastEthernet2/0/33
!
interface FastEthernet2/0/34
!
interface FastEthernet2/0/35
!
interface FastEthernet2/0/36
!
interface FastEthernet2/0/37
!
interface FastEthernet2/0/38
!
interface FastEthernet2/0/39
!
interface FastEthernet2/0/40
!
interface FastEthernet2/0/41
!
interface FastEthernet2/0/42
!
interface FastEthernet2/0/43
!
interface FastEthernet2/0/44
!
interface FastEthernet2/0/45
!
interface FastEthernet2/0/46
!
interface FastEthernet2/0/47
!
interface FastEthernet2/0/48
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface Vlan1
ip address 10.4.0.1 255.255.255.0
!
interface Vlan2
ip address 10.3.0.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.2.0.1
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!

 

 

ASA config

ciscoasa(config)# show run
: Saved
:
: Serial Number: JMX1629X0T3
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)32
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.4.0.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.5.0.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 10.2.0.1 1
route outside 0.0.0.0 0.0.0.0 10.2.0.2 1
route outside 0.0.0.0 0.0.0.0 10.4.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.3.0.0 255.255.255.0 outside

Accepted Solution

The default route of the ASA needs to be 10.4.0.1 (which is the next hop address of the switch in the same network as the outside interface) not 10.2.0.2.

12 Replies

Hi,

How are the ASA's outside and inside interfaces connected to the switch?

Is the ASA outside interface connected to the router?

I think you have the wrong IP address on your inside interface of the ASA - 10.5.0.1?

 

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.5.0.1 255.255.255.0

...but your route to the inside network is via 10.2.0.1, which is not on the same network as the ASA's inside interface.

 

Your routing table also has routes inside and outside via the same IP address. Remove the incorrect routes.

 

route outside 0.0.0.0 0.0.0.0 10.2.0.1 1
route outside 0.0.0.0 0.0.0.0 10.2.0.2 1
route outside 0.0.0.0 0.0.0.0 10.4.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.2 1

 

HTH

The ASA is directly connected to an interface on the switch which is in VLAN 1. The switch can ping the outside interface of the ASA, which is configured on the ASA as 10.4.0.2. However, from the ASA I cannot reach the internet. From the switch I can ping anywhere. I can actually ping the default gateway (10.2.0.2) from the switch with a source of 10.4.0.1.

So the ASA is connected to the switch only on the outside interface?... the switch (Fa2/0/1) is then plugged into the router?
Does the router have routes to the ASA's outside interface network (10.4.0.x)?
Can you ping from the router to the ASA?
Do you have NAT configured on the router for 10.4.0.x network?

Correct, Fa2/0/1 is plugged into the router. From the router I can ping the 10.4.0.1 address but not 10.4.0.2 (outside interface of the ASA).

 

Router config

 

Current configuration : 1526 bytes
!
! Last configuration change at 16:54:12 UTC Fri Jan 24 2020
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rackrouter
!
boot-start-marker
boot-end-marker
!
!
! card type command needed for slot/vwic-slot 0/0
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp pool RACKROUTER
network 10.2.0.0 255.255.255.0
default-router 10.2.0.1
dns-server 8.8.8.8
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2821 sn FTX1220A07F
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.2.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 10.3.0.0 255.255.255.0 10.2.0.2
ip route 10.4.0.0 255.255.255.0 10.2.0.2
!
access-list 1 permit any

Have you enabled routing on the switch? command = "ip routing"

Yes, it is enabled. From the switch I can ping 10.4.0.2 (outside interface of the ASA); however, from the ASA I am unable to reach any IP.

Remove those other routes that are incorrect on the ASA. Enable "debug icmp trace" on the ASA, ping the ASA from the router - check the output of the debug to see if the icmp echo even reached the ASA. If not, then check "show ip route" on the switch.

Those routes were removed. I received this from the debug.

 

ciscoasa(config)# ICMP echo request from 10.2.0.1 to 10.4.0.2 ID=3 seq=0 len=72
ICMP echo request from 10.2.0.1 to 10.4.0.2 ID=3 seq=1 len=72
ICMP echo request from 10.2.0.1 to 10.4.0.2 ID=3 seq=2 len=72
ICMP echo request from 10.2.0.1 to 10.4.0.2 ID=3 seq=3 len=72
ICMP echo request from 10.2.0.1 to 10.4.0.2 ID=3 seq=4 len=72

Normally I'd expect to see an ICMP echo reply; the only way I can think of you not seeing the ASA respond is if there is no route. Try removing the default routes and re-adding only the correct default route. Can you provide the output of "show route"?

You are permitting ICMP to the outside from any source, so that isn't a problem.

Routes were removed and I attempted to ping 10.2.0.2 (100% loss).

ASA show route


Gateway of last resort is 10.2.0.2 to network 0.0.0.0

C 10.4.0.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.2.0.2, outside

The default route of the ASA needs to be 10.4.0.1 (which is the next hop address of the switch in the same network as the outside interface) not 10.2.0.2.
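The earlier reply ("routes inside and outside via the same IP address") and this accepted answer come down to one rule: a static route's next hop has to sit on a subnet the device is directly connected to, and on the ASA it has to sit on the subnet of the interface the route names. The following is an added example, not code from the thread or from Cisco: a small Python linter that pulls interface addresses and static routes out of ASA- or IOS-style config text and checks that rule. Run over the configs pasted above it flags every ASA route via 10.2.0.1/10.2.0.2 and the switch's default route via 10.0.0.1, and accepts the route via 10.4.0.1 that the answer recommends. The embedded config snippets are constructed from the ones in the thread, and the regex-based parsing of `route`, `ip route` and `ip address` lines is my own assumption about the text format, not a Cisco API.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the interface and static-route lines of the ASA config
# posted in the thread (other lines omitted).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 10.4.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.5.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.2.0.1 1
route outside 0.0.0.0 0.0.0.0 10.2.0.2 1
route outside 0.0.0.0 0.0.0.0 10.4.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.1 1
route inside 10.0.0.0 255.0.0.0 10.2.0.2 1
"""

# Constructed sample: the layer-3 interfaces and static routes of the 3560.
SWITCH_CONFIG = """\
interface FastEthernet2/0/1
 no switchport
 ip address 10.2.0.2 255.255.255.0
!
interface Vlan1
 ip address 10.4.0.1 255.255.255.0
!
interface Vlan2
 ip address 10.3.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.2.0.1
"""

@dataclass
class Interface:
    name: str                                   # GigabitEthernet0/0, Vlan1, ...
    nameif: Optional[str] = None                # ASA logical name; None on IOS
    network: Optional[ipaddress.IPv4Network] = None

@dataclass
class Route:
    line: str
    ifname: Optional[str]                       # ASA names the egress interface; IOS does not
    next_hop: ipaddress.IPv4Address

# Assumed line formats (matches the configs in the thread, not an official grammar).
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ASA_ROUTE = re.compile(rf"^route (\S+) \S+ \S+ {IPV4}(?: \d+)?$")
IOS_ROUTE = re.compile(rf"^ip route \S+ \S+ {IPV4}$")
IP_ADDR = re.compile(rf"^ip address {IPV4} {IPV4}$")

def parse_config(text: str) -> Tuple[List[Interface], List[Route]]:
    """Extract interfaces (with connected subnets) and static routes; indentation
    is not relied on, because configs pasted into a forum usually lose it."""
    interfaces: List[Interface] = []
    routes: List[Route] = []
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = " ".join(raw.split())            # normalise whitespace
        if not line or line == "!":
            continue
        if m := ASA_ROUTE.match(line):
            routes.append(Route(line, m.group(1), ipaddress.IPv4Address(m.group(2))))
        elif m := IOS_ROUTE.match(line):
            routes.append(Route(line, None, ipaddress.IPv4Address(m.group(1))))
        elif line.startswith("interface "):
            current = Interface(name=line.split(" ", 1)[1])
            interfaces.append(current)
        elif current is not None:
            if line.startswith("nameif "):
                current.nameif = line.split(" ", 1)[1]
            elif m := IP_ADDR.match(line):      # "ip address dhcp" / "no ip address" carry no subnet
                current.network = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return interfaces, routes

def check_routes(text: str) -> List[Tuple[str, Optional[str]]]:
    """(route line, problem) per static route; problem is None when the next hop lies
    in a connected subnet and, on the ASA, in the subnet of the interface named."""
    interfaces, routes = parse_config(text)
    connected = [i for i in interfaces if i.network is not None]
    results = []
    for r in routes:
        owners = [i for i in connected if r.next_hop in i.network]
        if not owners:
            problem = f"next hop {r.next_hop} is not in any connected subnet"
        elif r.ifname is not None and r.ifname not in {i.nameif for i in owners}:
            problem = f"next hop {r.next_hop} is on {owners[0].nameif or owners[0].name}, not {r.ifname}"
        else:
            problem = None
        results.append((r.line, problem))
    return results

if __name__ == "__main__":
    for device, cfg in (("ASA", ASA_CONFIG), ("switch", SWITCH_CONFIG)):
        for line, problem in check_routes(cfg):
            print(f"[{device}] {line:42} {problem or 'ok'}")
```

The check is deliberately static: it reads the config text, not the live routing table, so it can be run on a pasted `show run` before a change is made. A next hop outside every connected subnet is exactly the case the ASA's `show route` output above shows, where the gateway of last resort (10.2.0.2) is unreachable from the only connected network (10.4.0.0/24).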

FINALLY!!!!!!!!!! THANK YOU!!!!
