
Unable to ping gateway

shoong001
Level 1

Hi,

We are having issues pinging the gateway after an outage happened. We are unable to ping out from the Cisco. Please see below for the config.

 

ciscoasa(config)# show running-config
: Saved
:
: Serial Number: FCH18457D65
: Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA Version 9.8(3)8
!
hostname ciscoasa
enable 
names
no mac-address auto
!
interface GigabitEthernet0/0
 description to WAN
 nameif outside
 security-level 0
 ip address 216.164.164.218 255.255.255.248
!
interface GigabitEthernet0/1
 description to LAN
 nameif CORPNET52
 security-level 100
 ip address 10.130.52.1 255.255.252.0
!
interface GigabitEthernet0/1.13
 description to VPN
 no vlan
 no nameif
 security-level 100
 ip address 10.130.13.1 255.255.255.0
!
interface GigabitEthernet0/1.62
 description to GUEST
 no vlan
 no nameif
 security-level 20
 ip address 10.130.62.1 255.255.255.0
!
interface GigabitEthernet0/2
 description to VOICE
 shutdown
 nameif VOICE42
 security-level 100
 ip address 10.130.42.1 255.255.255.0
!
interface GigabitEthernet0/3
 description to MGMT
 shutdown
 nameif MGMT10
 security-level 100
 ip address 10.130.10.1 255.255.255.0
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa983-8-smp-k8.bin
ftp mode passive
object network 10.130.52.0_22
 subnet 10.130.52.0 255.255.252.0
object network 10.120.52.0_22
 subnet 10.120.52.0 255.255.252.0
access-list 100 extended permit ip object 10.130.52.0_22 object 10.120.52.0_22
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu CORPNET52 1500
mtu VOICE42 1500
mtu MGMT10 1500
mtu management 1500
no failover
no monitor-interface outside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (CORPNET52,outside) source static 10.130.52.0_22 10.130.52.0_22 destination static 10.120.52.0_22 10.120.52.0_22 no-proxy-arp route-lookup
!
nat (CORPNET52,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 216.164.164.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.130.0.0 255.255.255.0 CORPNET52
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 20 match address 100
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 128.177.20.34
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd dns 8.8.8.8 4.2.2.2
!
dhcpd address 10.130.52.5-10.130.52.254 CORPNET52
dhcpd enable CORPNET52
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username 
username 
 service-type admin
tunnel-group 128.177.20.34 type ipsec-l2l
tunnel-group 128.177.20.34 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d214ef7e0a9797c8904b211b378fc5a6
: end

 

8 Replies

Is the issue related only to PING, or can you not surf the Internet at all?

Can you ping Internet from the firewall console?

What is your IP? And what is the PING destination?

 

Regards.

Unable to ping the internet from the firewall console.

So, if the issue is only related to icmp, can you try to configure an acl to permit icmp from outside to inside?

Something like this:

 

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in extended permit icmp any any unreachable

 

and apply the acl using the command:

 

access-group outside_access_in in interface outside

 

Let me know the result.

 

Regards.

Still unable to ping out of the Cisco. Can't even hit our ISP gateway. We are unable to route out.

To be honest I don't understand if the issue is related to all IP traffic or only to PING (icmp).
Is the outside interface up?
show int g0/0

 

Is the ARP table consistent?
show arp

 

What is connected to outside?
Can the ISP CPE be stuck?

 

Regards.

Interface is up

 

What do you mean by "is the ARP table consistent"? What will I be looking for?

 

What is ISP CPE?

Please, from the firewall console test a ping to the default gateway and after that execute the 'show arp' command.

Post the output.

 

Regards.
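Added example, not part of the original thread: a Python check of what a "consistent" result looks like for the ping-then-`show arp` test above, using the outside address and default route from the posted config. The `show arp` line layout (`<nameif> <ip> <mac> <age>`), the MAC addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the posted config: outside interface, a shut interface, default route.
CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 216.164.164.218 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 nameif VOICE42
 ip address 10.130.42.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 216.164.164.217 1
"""
# Constructed `show arp` output (made-up MACs); assumed layout: <nameif> <ip> <mac> <age>.
ARP_OK = "\toutside 216.164.164.217 0011.2233.4455 12\n"
ARP_MISSING = "\tCORPNET52 10.130.52.20 0011.2233.6677 40\n"

def parse_interfaces(config):
    """Map nameif -> (IPv4Interface, is_shutdown) from the interface stanzas."""
    found = {}
    for stanza in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^ nameif (\S+)", stanza, re.M)
        addr = re.search(r"^ ip address (\S+) (\S+)", stanza, re.M)
        if name and addr:  # "no nameif" / "no ip address" lines do not match
            net = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
            found[name.group(1)] = (net, bool(re.search(r"^ shutdown\s*$", stanza, re.M)))
    return found

def check_next_hops(config, arp_text):
    """Return findings for every `route` line; an empty list means consistent."""
    ifaces, findings = parse_interfaces(config), []
    arp = set(re.findall(r"^\s*(\S+) (\d+\.\d+\.\d+\.\d+) [0-9a-f.]{14}\b", arp_text, re.M))
    for nameif, gw in re.findall(r"^route (\S+) \S+ \S+ (\S+)", config, re.M):
        net, is_shut = ifaces.get(nameif, (None, False))
        if net is None:
            findings.append(f"{gw}: route names unknown interface {nameif}")
        elif is_shut:
            findings.append(f"{gw}: interface {nameif} is shutdown")
        elif ipaddress.ip_address(gw) not in net.network:
            findings.append(f"{gw}: not in {nameif} subnet {net.network}")
        elif (nameif, gw) not in arp:
            findings.append(f"{gw}: no ARP entry on {nameif}, gateway did not answer ARP")
    return findings

if __name__ == "__main__":
    print(check_next_hops(CONFIG, ARP_OK), check_next_hops(CONFIG, ARP_MISSING))
```

A missing entry after the ping means the ASA's ARP request for 216.164.164.217 went unanswered, which points at layer 2 or the ISP device rather than at ACLs or NAT.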

CSCO11304974
Level 1

Try to ping WAN interface ip : # Ping 216.164.164.218

Try to ping LAN interface ip : # 10.130.52.1

Try to ping Voice interface ip : # 10.130.42.1

And ping Mgmt interface ip : # 10.130.10.1

 

Thanks,

Praveen.N
